Hi,
Lol just actually read some stuff on WPA and learnt abit more about EAP. I realise now that TTLS does not require client certificates like I previously thought only the server. Apologies for this miss understanding. Although I do realise now that SecureW2 would be required to give my Windows users the ability to access this. Although this may not be to difficult to distribute to them I would have to look into these possible issues.
yep - your RADIUS server could be signed by a global CA (verisign, globalsign etc) so that you dont need to worry about getting your CA onto random laptops etc (I still say a closed-loop system where your RADIUS server is verified by your own CA may lead to more secure system). for dealing with plain text passwords, EAP-TTLS gives you easier admin time - though more effort for the client - SecureW2 and OpenSEA are choices... alan