Quoting "King, Michael" <MKing@bridgew.edu>:
You configure your client to use TTLS or PEAP, and upon connecting to the network, they will be prompted to enter username and password. If they don't have one, they don't get on. If they do have one, they get on.
This also solves your problem of having to give out a cert to each client as both of these only require a server side cert. You could then purchase a certificate from a trusted CA and that would already be in their browsers list of Trusted CA's. Here are a couple of howto's the first is for a Linux supplicant and the second is for using a Windows supplicant. What's a supplicant? The client. http://tldp.org/HOWTO/html_single/8021X-HOWTO/ http://text.dslreports.com/forum/remark,9286052~mode=flat Hope that helps, Jon