I'm in the very very very early stages of exploring the use of iPads here. All company-owned computers get on our WiFi via 802.1x using AD-issued computer certificates when they join Active Directory (via ethernet). How would we do this with iPads and other iOS devices?
How are you getting your iOS devices on your 802.1x protected WiFi?
According to Microsoft's documentation your Network Devices Enrollment Services (NDS/NDES/whatever) should be a separate server from your Active Directory Certificate Services server.
Before you get too far, figure out what your RADIUS servers are expecting in the common name and Subject Alternative Name. You should be able to look at the existing certificate in your Windows devices to see this information. You need to know this. When Windows requests a certificate from ADCS, the Windows client provides all this information in the certificate request. OS X and iOS, on the other hand, do not do this, so you need to create a certificate template for them and build the needed information from Active Directory information.
In order to create custom templates in Active Directory Certificate Services, ADCS needs to be running on Server 2008 Enterprise or higher. It will not work on Server 2008 Standard or Server 2008 R2 Standard. There is no Enterprise edition of Server 2012/2012 R2, so Server 2012/2012 R2 Standard will do.
A full write up on how to get it all working is perpetually on my todo list, I've even started it a couple times, but this TechNet Blog was my starting point for getting it all working.
Once working though it is really slick. I was doing 1:1/BYOD so users would do all the enrollment. If you're using the Device Enrollment Program even better, users will get dumped to enrollment automatically. They just log in under their AD account and enroll their device and JAMF takes care of the certificate requests.
When you're using user certificates, devices just hop on Wi-Fi (authenticated as the end user) and end users don't get their accounts locked out when they change their Active Directory password. If you're really ambitious, you can reconfigure IIS on your Exchange Client Access servers, add an ActiveSync profile that uses certificate authentication, and get a nice two-for-one bonus. The two biggest causes of AD account lockouts (wrong 802.1x Wi-Fi password, wrong ActiveSync password) are suddenly gone, and there are no saved Active Directory passwords on devices.
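To do the "look at the existing certificate on a Windows device" step from the answer above, here is an added example (not from this thread or from JAMF) that lists the computer certificates in the local machine store and pulls out the fields a RADIUS server typically matches on: subject CN, SAN entries (DNS name and UPN), the Client Authentication EKU, and which ADCS template issued the certificate. It assumes an elevated PowerShell session on a domain-joined Windows machine; the OIDs used are the standard ones for those extensions.

```powershell
# Added example: report the CN, SAN, EKU and issuing template of each certificate
# in the local machine "Personal" store, so the values can be compared with what
# the RADIUS policy expects before building a template for iOS/OS X.
$oidSan        = '2.5.29.17'              # Subject Alternative Name
$oidEku        = '2.5.29.37'              # Extended Key Usage
$oidTemplate   = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$oidTemplateV1 = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$nameType      = [System.Security.Cryptography.X509Certificates.X509NameType]

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Index the extensions by OID so each one can be looked up without a second loop
    $ext = @{}
    foreach ($e in $cert.Extensions) { $ext[$e.Oid.Value] = $e }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        # CN value, the usual target of a CN-based RADIUS policy condition
        CN         = $cert.GetNameInfo($nameType::SimpleName, $false)
        # DNS-form SAN; computer templates normally put the host FQDN here
        DnsName    = $cert.GetNameInfo($nameType::DnsName, $false)
        # UPN-form SAN (otherName); populated on user certificates, empty on most computer certificates
        UPN        = $cert.GetNameInfo($nameType::UpnName, $false)
        SAN        = if ($ext[$oidSan]) { $ext[$oidSan].Format($false) } else { '<none>' }
        EKU        = if ($ext[$oidEku]) { $ext[$oidEku].Format($false) } else { '<none>' }
        Template   = if ($ext[$oidTemplate])   { $ext[$oidTemplate].Format($false) }
                     elseif ($ext[$oidTemplateV1]) { $ext[$oidTemplateV1].Format($false) }
                     else { '<none>' }
    }
} |
    # Only certificates usable for 802.1x client authentication are interesting here
    Where-Object { $_.EKU -match '1\.3\.6\.1\.5\.5\.7\.3\.2' } |
    Format-List
```

The Template field shows the OID and name of the ADCS template the Windows client used, which is the template whose CN/SAN build rules the iOS template needs to reproduce from Active Directory attributes.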
I've been reading about SCEP and NDES, but I think the part that confuses me is how do you actually GET the certificate? You need a certificate to get on the 802.1x network, but you can't get the certificate unless you're already on the network.
That depends on how you are setting up your devices. If you are provisioning them with Apple Configurator, the computer running Apple Configurator should be on the network.
If you want to do over the air, you would have to create a limited enrollment network or make your JSS available to the public Internet to enroll via mobile data. The device you are enrolling only needs to communicate with the JSS, not ADCS and NDES. The JSS requests the certificate and pushes the certificate in the device payload.