Hi,
I imagine if there were a better option with similar properties and ties to central authentication, then we would all flock to it.
yep. we would. the best is stil EAP-TLS - as you say, thats got big setup overheads... not as nice and easy as PEAP for quick get up and going. however, there are other ways of doing this you COULD proxy the request to a farm of NPS servers - they talk native LSA (none of the nasty samba stuff) - the hit then is purely on the NPS box...but that could blow up if too many requests are in proxy-land you could investigate using SAMBA 4 locally on the FreeRADIUS box - with a local AD clone you dont have the nasty inter-process rubbish....ntlm_auth etc is all local you could investigate using SAMBA 4 tools locally - ntlm_auth has the ability (latest versions) to use all servers in the AD farm rather than just sticking to the current one its chosen (and overloading it!) alan