Authenticate WPA2 Enterprise EAP-TLS for BYOD with Radius NPS

Tung Le

Hello everyone,

I'm facing a case like this. I've gone through everything I could find on the Internet without luck. I hope someone here can share their experience/knowledge.

Our computers are MacBooks managed by MDM, and we don't have any domain around. We're setting up WPA2 Enterprise EAP-TLS, and this is the current status:

  • The Wi-Fi controller setup is finished.
  • The server has Radius NPS, a CA server and an IIS server installed, and they're all running well.
  • The issue is: when IIS issues the certificate to the target device, I need to create the user account within AD, edit the name mapping and choose the issued certificate. The cert's name and the AD username must be the same. I have tested this on one machine: I created one AD account, mapped the cert to the username, and it works fine.
  • My questions are:
  1. Is it possible to have a script or code that will look up the issued certificates on the CA and create an AD account with the same name, and then export the cert and map it to the username? (It's really difficult for me because I don't have coding skills.)
  2. I saw something on the Internet mentioning that we can map a Root CA to a 'fake' user within AD, and then every machine that has the PKI client certificate installed can be authenticated. I've tried it but it did not work. If someone has done this successfully, can you show me the details? I saw other documents about 'Specify a realm name' on Radius to change the name, but it did not work either.

Every reply from your side is valuable to me at the moment. Thanks for taking the time to read my post.

Windows Server
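The automation asked for in question 1, as an added example that is not part of the original post or of any Microsoft tooling: it reads the issued certificates from the AD CS database with `certutil -view`, creates a matching AD user where one is missing, and writes an explicit certificate-to-account mapping into the user's `altSecurityIdentities` attribute (the same attribute the "Name Mappings" dialog in AD Users and Computers edits). The mapping uses the issuer plus reversed serial number (`X509:<I>...<SR>...`) form, which is one of the "strong" formats that Windows domain controllers require since the KB5014754 certificate-mapping hardening; a subject-name-only mapping is treated as weak. The CA config string `CASERVER\CONTOSO-ISSUING-CA` and the OU `OU=BYOD,DC=contoso,DC=com` are placeholders to replace, and the script assumes it is run with AD admin rights on a domain-joined host that has the RSAT `ActiveDirectory` module and `certutil`.

```powershell
# Added example, not from the original post. Maps certificates issued by an AD CS CA to AD user
# accounts of the same name, creating missing accounts. Placeholders: $CaConfig, $TargetOU.
#Requires -Modules ActiveDirectory
param(
    [string]$CaConfig = 'CASERVER\CONTOSO-ISSUING-CA',   # placeholder: <CA host>\<CA common name>
    [string]$TargetOU = 'OU=BYOD,DC=contoso,DC=com'      # placeholder: OU for the device accounts
)

function Get-AdIssuerDn {
    # Returns the CA's subject DN in the form AD expects in the <I> field:
    # RDNs in reverse order, comma-joined, no spaces (e.g. DC=com,DC=contoso,CN=CONTOSO-ISSUING-CA).
    param([string]$CaConfig)
    $tmp = Join-Path $env:TEMP 'issuing-ca.cer'
    certutil -config $CaConfig -ca.cert $tmp | Out-Null
    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tmp)
    # Format($true) prints one RDN per line, which avoids splitting on escaped commas in values.
    $rdns = @($ca.SubjectName.Format($true) -split "`r?`n" | Where-Object { $_ })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function ConvertTo-ReversedSerial {
    # The <SR> field is the certificate serial number with its byte order reversed, upper-case hex.
    param([string]$SerialHex)
    $hex = $SerialHex -replace '[^0-9a-fA-F]', ''
    if ($hex.Length % 2 -eq 1) { $hex = '0' + $hex }
    $pairs = for ($i = $hex.Length - 2; $i -ge 0; $i -= 2) { $hex.Substring($i, 2) }
    return ($pairs -join '').ToUpper()
}

function Get-IssuedCertificates {
    # Rows from the CA database for issued certificates (Disposition 20), as objects.
    param([string]$CaConfig)
    $cols = 'RequestID', 'SerialNumber', 'CommonName', 'NotAfter'
    certutil -config $CaConfig -view -restrict 'Disposition=20' -out ($cols -join ',') csv |
        ConvertFrom-Csv -Header $cols |
        Where-Object { $_.RequestID -match '^\d+$' }   # drops certutil's header and status lines
}

function New-RandomPassword {
    # These accounts only ever authenticate with a certificate, so the password is random and unused.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

$issuerDn = Get-AdIssuerDn -CaConfig $CaConfig

foreach ($row in Get-IssuedCertificates -CaConfig $CaConfig) {
    # Skip certificates that have already expired (NotAfter is printed in the CA's locale format).
    $exp = [datetime]::MinValue
    if ([datetime]::TryParse($row.NotAfter, [ref]$exp) -and $exp -lt (Get-Date)) { continue }

    # The CN becomes the sAMAccountName; only accept names that are safe to use in an AD filter.
    $sam = $row.CommonName
    if (-not $sam -or $sam.Length -gt 20 -or $sam -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Request $($row.RequestID): CN '$sam' is not a usable sAMAccountName, skipped"
        continue
    }

    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -Properties altSecurityIdentities
    if (-not $user) {
        New-ADUser -Name $sam -SamAccountName $sam -Path $TargetOU -Enabled $true `
            -AccountPassword (New-RandomPassword) `
            -Description "BYOD EAP-TLS device, CA request $($row.RequestID)"
        $user = Get-ADUser -Identity $sam -Properties altSecurityIdentities
    }

    # Strong mapping: issuer DN plus reversed serial, unique to this one certificate.
    $mapping = "X509:<I>$issuerDn<SR>$(ConvertTo-ReversedSerial $row.SerialNumber)"
    if ($user.altSecurityIdentities -contains $mapping) { continue }   # already mapped, idempotent
    Set-ADUser -Identity $sam -Add @{ altSecurityIdentities = $mapping }
    Write-Host "Mapped CA request $($row.RequestID) (serial $($row.SerialNumber)) to $sam"
}
```

Run it on a schedule after new certificates are issued; it is idempotent, so re-running only adds mappings for certificates it has not seen. Because each mapping names one serial number, a revoked or renewed certificate stops matching without touching the account, and NPS still sees one distinct AD identity per device, which keeps the per-account approach that already worked in the test rather than the shared "fake user" approach from question 2.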