Hi,
if you want less secure solution then you can use PEAP or EAP-TTLS (depending on client support requirements) as both can be used without installing certificates (your RADIUS server simply has to have a cert signed by a CA thats already trusted by the client - ie one that costs money)
Well the clients still need to mark that particular CA as the trusted one; so manual interaction is still necessary. He could go for EAP-pwd as it works completely without any kind of certificate; but it means he'll have to install support for the EAP type itself on Windows. Of course there are tools which handle the install CA / mark CA as trusted / install EAP type things in an automated way, e.g. https://802.1x-config.org . Greetings, Stefan Winter -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66