We will primarily be authenticating Windows 7 machines (and a handful of WIndows 8 machines).

Other than that, there may be some iPhones, iPads and Android phones that will connected to this wireless AP.

I was just wondering if there was a way to bypass having to use ntlm and use something more secure.

I don't mind using certificates as long as it will bypass having to use ntlm.

From my understanding, using EAP-TLS, I can achieve not having to use ntlm, right?