Wired Autoconfig/Dot1x- PEAP/Certs - how to select proper user private cert

Hello, we are using Dot1X with PEAP and certificates issued by our private CA.
The authentication process is set up with computer auth and user re-auth (computer and user groups have their own VLANs).
Everything is working smoothly, but a few users have additional private certs from other issuers (banks and so on).

Is it possible to somehow configure the Windows client to choose the certificate from our private CA for transparent authentication via EAP? Or is it possible to configure private certificate priorities, or to work around this problem with OIDs or in any other way?
Any ideas are welcome.
Regards, Martin
April 15th, 2015 7:46am
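As an added example (not from the thread or from Microsoft), the following PowerShell enumerates the certificates in the user's personal store that an EAP-TLS supplicant could pick (private key present, not expired, Client Authentication EKU or no EKU extension at all) and marks which of them were issued by the internal CA. Running it on an affected client shows how many competing candidates the user actually has. The issuer name `CN=Contoso Issuing CA` is an assumption; substitute your CA's subject.

```powershell
# Added example, not from the thread: list the certificates the EAP-TLS
# supplicant could choose from the user's personal store and mark the ones
# issued by the internal CA. The issuer name below is an assumption.
$InternalIssuerPattern = 'CN=Contoso Issuing CA'   # assumed internal CA subject
$ClientAuthOid         = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth

function Get-CertificateEkus {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    # Returns the EKU OIDs of the certificate; empty when the extension is absent
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -eq $ext) { return @() }
    @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-EapCandidateCertificates {
    param(
        [string] $StorePath     = 'Cert:\CurrentUser\My',
        [string] $IssuerPattern = $InternalIssuerPattern
    )
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $ekus = Get-CertificateEkus -Cert $_
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            # No EKU extension means "valid for all purposes", so it is a candidate too
            ($ekus.Count -eq 0 -or $ekus -contains $ClientAuthOid)
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint,
            @{ Name = 'FromInternalCA'; Expression = { $_.Issuer -like "*$IssuerPattern*" } }
}

Get-EapCandidateCertificates | Sort-Object FromInternalCA -Descending | Format-Table -AutoSize
```

This only reports the candidates; it does not change which one the supplicant picks. On Windows 7 the EAP-TLS properties offer only "simple certificate selection", while later Windows versions added issuer and EKU filtering in the EAP-TLS advanced settings, which is the supported way to restrict selection to one CA.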

Hi fangy_cz,

The main issue is to configure the certificate for EAP, right?

Here is a link for reference:
Configure Wireless Clients running Windows 7 and Windows Vista for EAP-TLS Authentication
https://msdn.microsoft.com/en-us/library/dd759246.aspx?f=255&MSPPError=-2147217396

Here is an example; please pay attention to the certificate part, which may make the reference clearer.
Wireless - Manual Configuration for Windows 7
https://answers.uchicago.edu/page.php?id=16377
NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.

Best regards

April 16th, 2015 1:43am

No, the main problem is to configure a client to select the proper one.

Let's imagine you have a certificate from a private CA, and with this certificate authentication to the wired or wireless segments of your network works fine. But then you get a new application from a third party (any banking system), and for logging on to this system you have another private certificate from the third party.

In this situation, when the user attempts to log on to your segment, the client uses the certificate from the third party, which is of course not trusted for accessing these networks.

My question is how, when I'm using SSO, to configure the client to choose the proper client certs, for example only those from our private CA.

April 16th, 2015 3:24am

From the Wired-AutoConfig log on these clients. This behaviour happens only on clients with third-party client certs.

Information	4/14/2015 9:25:11 AM	Wired-AutoConfig	15505	None
Wired 802.1X Authentication succeeded.
	Network Adapter: Realtek PCIe GBE Family Controller
	Interface GUID: {b04314ac-6f05-43f1-bc13-9a86d2d45a7b}
	Peer Address: 34A84E28510A
	Local Address: 7845C4274F7E
	Connection ID: 0x2
	Identity: host/P112.local.domain
	User: -
	Domain: -
	Reason: 0x0
	Reason Text: Operace proběhla úspěšně. (The operation completed successfully.)
	Error Code: 0x0

Information	4/14/2015 9:26:05 AM	Wired-AutoConfig	13021	None
A pre-logon connection was not attempted.

Result: The operational criteria were not met.
Reason: An unspecified EAP error has occurred.

Information	4/14/2015 9:28:08 AM	Wired-AutoConfig	15504	None
Wired 802.1X Authentication was restarted.

	Network Adapter: Realtek PCIe GBE Family Controller
	Interface GUID: {b04314ac-6f05-43f1-bc13-9a86d2d45a7b}
	Connection ID: 0x2
	Restart Reason: Uživatel OneX byl změněn. (The OneX user was changed.)

Information	4/14/2015 9:28:39 AM	Wired-AutoConfig	15504	None
Wired 802.1X Authentication was restarted.

	Network Adapter: Realtek PCIe GBE Family Controller
	Interface GUID: {b04314ac-6f05-43f1-bc13-9a86d2d45a7b}
	Connection ID: 0x2
	Restart Reason: Druhá strana byla inicializována. (The peer was initialized.)

Error	4/14/2015 9:33:08 AM	Wired-AutoConfig	15514	None
Wired 802.1X Authentication failed.

	Network Adapter: Realtek PCIe GBE Family Controller
	Interface GUID: {b04314ac-6f05-43f1-bc13-9a86d2d45a7b}
	Peer Address: 34A84E28510A
	Local Address: 7845C4274F7E
	Connection ID: 0x2
	Identity: -
	User: -
	Domain: -
	Reason: 0x70004
	Reason Text: Síť přestala odpovídat na žádosti o ověření. (The network stopped responding to authentication requests.)
	Error Code: 0x0

The network switch is configured to fall back to MAC authentication bypass when a client does not respond to (is not capable of) Dot1x. The NPS servers don't receive any RADIUS packets from these clients after user logon.

So I think this is some EAP problem on the client, and the client is not able to send EAPOL packets after user logon.

April 16th, 2015 3:45am
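As an added example (not from the thread), the following PowerShell correlates Wired-AutoConfig events by Connection ID and flags the pattern visible in the log above: machine authentication succeeded (15505 with a `host/` identity), the session restarted on a user change (15504), and the user-phase authentication then failed (15514) with no identity ever presented. The sample events are constructed from the messages quoted in the post, not a real capture; on a client, the commented `Get-WinEvent` call reads the live operational log instead.

```powershell
# Added example, not from the thread. Groups Wired-AutoConfig events by
# Connection ID and flags connections where the machine account authenticated
# but the post-logon user authentication never completed.
function Get-Dot1xConnectionSummary {
    param([Parameter(Mandatory)] [object[]] $Events)   # objects with TimeCreated, Id, Message

    $byConn = @{}
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $conn     = if ($e.Message -match 'Connection ID:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'n/a' }
        $identity = if ($e.Message -match 'Identity:\s*(\S+)')               { $Matches[1] } else { '' }
        $reason   = if ($e.Message -match 'Reason:\s*(0x[0-9A-Fa-f]+)')      { $Matches[1] } else { '' }
        if (-not $byConn.ContainsKey($conn)) { $byConn[$conn] = @() }
        $byConn[$conn] += [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Identity = $identity; Reason = $reason }
    }

    foreach ($conn in $byConn.Keys) {
        $seq       = $byConn[$conn]
        $machineOk = @($seq | Where-Object { $_.Id -eq 15505 -and $_.Identity -like 'host/*' })
        $restarts  = @($seq | Where-Object { $_.Id -eq 15504 })
        $failures  = @($seq | Where-Object { $_.Id -eq 15514 })
        $failReason = if ($failures.Count -gt 0) { $failures[0].Reason } else { '' }
        [pscustomobject]@{
            ConnectionId   = $conn
            MachineAuthOk  = $machineOk.Count -gt 0
            Restarts       = $restarts.Count
            UserAuthFailed = $failures.Count -gt 0
            FailReason     = $failReason
            # machine phase fine, restart on user change, then a failure with no
            # user identity: the supplicant never completed the user phase
            Suspect        = ($machineOk.Count -gt 0) -and ($restarts.Count -gt 0) -and ($failures.Count -gt 0)
        }
    }
}

# Constructed sample modelled on the quoted log (not a real capture)
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2015-04-14T09:25:11'; Id = 15505
        Message = "Wired 802.1X Authentication succeeded.`n`tConnection ID: 0x2`n`tIdentity: host/P112.local.domain`n`tReason: 0x0" }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-04-14T09:26:05'; Id = 13021
        Message = "A pre-logon connection was not attempted.`nReason: An unspecified EAP error has occurred." }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-04-14T09:28:08'; Id = 15504
        Message = "Wired 802.1X Authentication was restarted.`n`tConnection ID: 0x2`n`tRestart Reason: The OneX user was changed." }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-04-14T09:28:39'; Id = 15504
        Message = "Wired 802.1X Authentication was restarted.`n`tConnection ID: 0x2`n`tRestart Reason: The peer was initialized." }
    [pscustomobject]@{ TimeCreated = [datetime]'2015-04-14T09:33:08'; Id = 15514
        Message = "Wired 802.1X Authentication failed.`n`tConnection ID: 0x2`n`tIdentity: -`n`tReason: 0x70004" }
)

Get-Dot1xConnectionSummary -Events $sample | Format-Table -AutoSize

# On a real client, feed the operational log instead of the sample:
# Get-Dot1xConnectionSummary -Events (Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 500)
```

For the sample, connection `0x2` comes out with MachineAuthOk true, two restarts, UserAuthFailed true and FailReason `0x70004`; the 13021 event carries no Connection ID and lands in the `n/a` bucket. Running the same summary on a client without third-party certs gives a useful baseline to compare against.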
