X2 NPS Servers – Internal CA Auto Enrolment – 2 Trust prompts on mobile devices?

17GUY 1 Reputation point
2020-08-03T20:36:15.54+00:00

Hi All

I have just set up a 2-tier (Offline Root/Subordinate CA) PKI and have configured 2 NPS servers for redundancy and possible load balancing as well. I am trying to wrap my head around NPS PEAP certificates.

With the CA certificate template duplicated from the out-of-the-box ‘RAS and IAS Server’ template and auto enrolment turned on, both my NPS servers enrol the certificate, which I then manually associate to the NPS network policy. Mobile devices prompt to trust the certificate once on server 1 and then wifi works fine. If I then turn off wifi on the device and point the wireless AP to RADIUS server 2, when the mobile device tries to re-join the wifi, you have to then trust the second server's certificate.

I thought I would try and be smart and change the CA template to “Supply Subject Name In Request” and then manually request the certificate and specify the SANs of both NPS FQDNs, but I have come to realise PEAP doesn’t care about the DNS name; it just needs to trust the certificate itself.

Company-deployed computers and mobile devices can trust the certificate(s) using GPO and MDM, so it’s just users’ personal mobiles, which all makes sense to me now. This leads me to my actual question:

How are people with multiple NPS servers and internal CAs handling PEAP certificates? Ideally I want auto enrolment to integrate with this, but I have a feeling this is not possible. What’s my next best option?

Thanks
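A check worth running before deciding on the setup above, as an added example that is not part of the question or of any Microsoft documentation: inventory the PEAP-capable certificates on both NPS servers and confirm that they share the same issuing CA but have different thumbprints, which is exactly the condition that produces one trust prompt per server on a device that accepts certificates individually. The host names NPS01 and NPS02 are placeholders; the script assumes WinRM access and local admin rights on both servers.

```powershell
# Added example (not from the question): compare the PEAP server certificates
# on both NPS servers. Placeholders below stand in for your own host names.
$NpsServers    = @('NPS01', 'NPS02')      # placeholder NPS host names
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU, required for PEAP

# Collect every private-key-backed certificate with the Server Authentication EKU
# from the machine store of each NPS server.
$certs = Invoke-Command -ComputerName $NpsServers -ScriptBlock {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $using:ServerAuthOid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Server     = $env:COMPUTERNAME
                Subject    = $_.Subject
                SANs       = ($_.DnsNameList.Unicode -join ', ')
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                ChainOk    = $_.Verify()     # does the server itself trust the chain?
            }
        }
}

$certs | Sort-Object Server |
    Format-Table Server, Subject, SANs, Issuer, Thumbprint, NotAfter, ChainOk -AutoSize

# Interpretation: PEAP validates the certificate, not the DNS name. A device that
# accepts one specific certificate keys on its thumbprint, so two auto-enrolled
# leaves (one per server) under the same issuer mean a prompt for each server.
$issuers     = ($certs | Group-Object Issuer).Count
$thumbprints = ($certs | Group-Object Thumbprint).Count

if ($issuers -eq 1 -and $thumbprints -gt 1) {
    Write-Host "One issuing CA, $thumbprints distinct leaf certificates:" `
               "devices that trust the leaf rather than the CA will prompt once per NPS server."
} elseif ($issuers -gt 1) {
    Write-Warning "NPS servers hold certificates from different issuers; check the template and enrolment."
}
```

Only the issuing CA's certificate needs to be trusted by a device for both leaves to validate, which is why GPO/MDM-managed devices see no second prompt.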
