You can use third-party CAs to issue certificates for EAP-TLS authentication as long as the certificates installed can be validated and have the appropriate properties.
For the computer certificates installed on the authenticating servers (either the VPN servers or the Internet Authentication Service [IAS] servers), the following must be true:
They must be installed in the Local Computer certificate store.
They must have a corresponding private key.
The cryptographic service provider for the certificates must support Secure Channel (Schannel). If it does not, the certificate cannot be used and cannot be selected from the properties of the Smart Card Or Other Certificate EAP type on the Authentication tab in the Properties dialog box of a profile for a remote access policy.
They must contain the Server Authentication Enhanced Key Usage (EKU). An EKU is identified using an object identifier (OID). The OID for Server Authentication is 1.3.6.1.5.5.7.3.1.
They must contain the fully qualified domain name (FQDN) of the computer account of the authenticating server in the Subject Alternative Name field of the certificate.
Additionally, the root CA certificates of the CAs that issued the VPN client user certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities certificate store of the authenticating servers.
For the user certificates installed on VPN client computers, the following must be true:
They must have a corresponding private key.
They must contain the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
They must be installed in the Current User certificate store.
They must contain the user principal name (UPN) of the user account in the Subject Alternative Name field of the certificate.
Additionally, the root CA certificates of the CAs that issued the IAS server computer certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities store of the VPN client computers.
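The following PowerShell is an added example, not part of the original text or of any Microsoft tool, that audits a certificate store against the private key, EKU and Subject Alternative Name requirements listed above for both server and client certificates. The function name Test-EapTlsCertificate and the sample FQDN and UPN are assumptions made for illustration; the check does not cover Schannel support of the cryptographic service provider or the trusted root requirements.

```powershell
# Added example: report which certificates in a store meet the EAP-TLS requirements above.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (from the text)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (from the text)

function Test-EapTlsCertificate {      # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $StorePath,    # e.g. Cert:\LocalMachine\My
        [Parameter(Mandatory)] [string] $RequiredEku,  # EKU OID the certificate must contain
        [Parameter(Mandatory)] [string] $ExpectedSan   # server FQDN or user UPN
    )
    # Match the expected name as a whole value in the formatted SAN text ("...=value, ...").
    $sanPattern = '(?i)=' + [regex]::Escape($ExpectedSan) + '(,|\s|$)'

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the EKU OIDs; a certificate without the extension yields an empty list.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

        # 2.5.29.17 is the Subject Alternative Name extension.
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

        $hasEku = $ekuOids -contains $RequiredEku
        $sanOk  = $sanText -match $sanPattern

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            HasEku        = $hasEku
            SanMatches    = $sanOk
            Usable        = $cert.HasPrivateKey -and $hasEku -and $sanOk
        }
    }
}

# Authenticating server (VPN or IAS): Local Computer store, Server Authentication EKU.
# 'vpn1.corp.example.com' is a constructed sample FQDN.
Test-EapTlsCertificate -StorePath Cert:\LocalMachine\My -RequiredEku $ServerAuthOid -ExpectedSan 'vpn1.corp.example.com'

# VPN client: Current User store, Client Authentication EKU.
# 'user@corp.example.com' is a constructed sample UPN.
Test-EapTlsCertificate -StorePath Cert:\CurrentUser\My -RequiredEku $ClientAuthOid -ExpectedSan 'user@corp.example.com'
```

Run the first call on the authenticating server and the second in the user's session on the VPN client; a certificate with Usable set to False fails at least one of the listed requirements.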