We do not want to have to go to digital certificates just yet as there is a good bit of support overhead and management we just cannot provide at this time.
I would say 90% of that is perceived overhead, not actual. Certificate deployment is pretty easy once you have the infrastructure. Even since XP days it's been just a few clicks to install personal certs.
If we agree that AD (EAP-PEAP-MSCHAPv2) is far from ideal, what other EAP types (outside of EAP-PEAP-TLS) do you recommend for end user authentication that is supported by native Windows, iOS, Android, and OSX clients?
There is none. You have PEAP and TLS, none of the other ubiquitously bundled ones provide the keying material required for WPA2-Enterprise. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2