
  • Here's a question that may seem a little off topic, but I thought I'd bounce it off some of the smarter people here, as it does involve a wireless network. I have been working with a client who has an outsourced PKI with certificates from one of the big certificate vendors. They have dual CAs set up: one strictly for their internal servers, with its own internal root CA, and a CA for users that is a public CA. The users are able to go to a website and request certificates. Now, I managed to get this all to do EAP-TLS and for the clients to properly authenticate with 802.1X to the RADIUS server. Then the client throws me a curve ball and asks how to prevent the users from exporting the certificate and private key and installing them on a non-authorized machine to use to authenticate to the wireless network.
    Well, this got me stumped. I know I can do this with a Microsoft CA, as I just make a GPO to make sure that clients can't export their private keys. The problem here seems to be that there isn't a way, other than to make it a policy for using the network, to enforce that the clients only use the certs on authorized machines and not export the public and private keys. Has anyone encountered this and thought of a solution?
