Hi,
So EAP-TTLS windows 7 doesn't support out of the box, right?
correct. Windows 8 and above...
What other options are there? My feeling the second best option is to use client certificates. But would I still be able to use openldap in the background?
yes....if the client certs have identifiable attributes in them that can be checked against your LDAP - eg username is embedded in the CommonName..or use one of the other cert fields for options in your LDAP etc
What about revocation lists? How do I take care of them?
CRL or OSCP - I'd go down the OSCP route myself...
Maybe there's another way. Our ldap also stores ntlm passwords for samba.
in that case, use that attribute for the authentication....once the FreeRADIUS server has read that, then you can use EAP-PEAP/MSCHAPv2 and your life will be simpler alan