I'm reading about 802.1X and WPA-2 Enterprise and how to set it up. I've read briefly about the different EAPs and understand that EAP-TLS is the better method of authentication due to the use of client and server certificates.
However, I'm incredibly confused about how a new device is meant to acquire a client certificate without being on the network it needs to get the certificate from.
I've set up a RADIUS server on Windows Server; however, I understand that non-domain-joined devices cannot use it? But of course you can't join a new domain to the network if you can't actually connect to the network!
Really confused, though I could of course be misunderstanding something.