EAP-TLS for Non-Windows Clients

I have the following configuration:

- Server 2003 R2 SP2 Enterprise CA which is our AD
- IAS Server configured with Remote Access Policies configured for EAP
- Windows XP Clients with root certificate installed and using computer
certificates that are automatically enrolled (registry changes implemented as
referred in [1])

All Windows XP and Vista based clients can connect properly to the EAP-TLS
wireless network.

I'm attempting to configure Active Directory bound Mac clients taking
instructions from [2] and porting them for use with a Microsoft CA. This
process involves the following:

- Creating a CSR from the Mac
- Visting the CA web interface (as an admin), choosing 'Advanced request',
then using the CSR with various templates.
- Exporting the cert
- Recompiling the cert on the Mac to join the private key and certificate
- Installing into the Keychain

When attempting to authenticate, I receive the following result in our
RADIUS applog:

User hostname.domainname.com was denied access.
Full-Qualified-User-Name = DOMAIN\hostname.domain.com
--Other RADIUS Data
Reason: The specified user account does not exist

When Windows clients work, they resolve to host/hostname.domainname.com and
authenticate okay.

I have tried the following approches to no success:

- Generating CSR and using certificate with a subject of
host/hostname.domainname.com
- Generating an SPN for the computer with the proper name
- Rewriting the User-Name in RADIUS using Connection Request Policies

I think the problem boils down to the lack of association between the CSR
(and cert) and the computer account. Has anybody been able to make
non-Windows (or non domain joined clients) work with EAP-TLS? Any advice?

Thanks in advance for your help.

References:
[1]
http://technet2.microsoft.com/windo...c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
[2] http://www.felipe-alfaro.org/blog/2006/01/29/wpa2-eap-tls/