My first question for the list, to which I haven't been able to find a clear answer ever is : What EAP sub-types are the ones I should configure?
Nothing. Just don't touch anything in eap.conf and all supported eap types will work. If you generate certificates with scripts provided you don't even need to touch the tls section.
My requirements : * Be able to have many different types of clients supported (Windows XP, GNU/Linux wpa_supplicant/NM, mobile devices etc.). * Not to have to bother about a local CA or any type of PKI (i.e. not generate certificates for all users, just have them user their login/pass).
PEAP should be the protocol most clients will use.
Should I go with EAP-PEAP? Is that the "PEAPv0/EAP-MSCHAPv2" from the wiki?
Yes.
I also store md5 passwords in my LDAP server, is there any other simpler way to configure access using those instead of the LM/NT passwords? (my understanding is that... nope)
Correct. You can't use md5 passwords with mschap. http://deployingradius.com/documents/protocols/compatibility.html Ivan Kalik Kalik Informatika ISP