23 Nov
2015
23 Nov
'15
8:28 a.m.
Thanks for all the replies so far. I already figured this wasn’t gonna work without touching the clients.
What version of Windows? Mostly Windows 8.1 and 10
Windows 7 and earlier can't do EAP-TTLS/PAP natively. I don’t thing we have Windows 7 clients anymore.
Pretty much the only options available by default on both are EAP-TLS or PEAP/EAP-MSCHAPv2. The latter is ruled out if you have passwords in SHA1, so you're just down to certificates. Which requires provisioning on the clients. Right now it’s down to using our Active Directory as backend with MSCHAPv2 or installing the EAP-GTC plugin on all Windows clients via GPO.
Again, thanks for the feedback, this matter is resolved.