This is not exactly a freeradius configuration related query, but considering the deployment related exposure of all of us this seems to be the best place. 

So here it goes..

We are trying to implement a 802.1x based framework for user authentication for public hotspots. To go about authentication with different hotspots  we are using EAP-TLS. The user registers with us then downloads an installer containing the certificates and x-supplicant, then installs them. All the hotspots are configured to authenticate users with our server and the server is a  generic freeradius configured for EAP-TLS authentication. For now certificates are issued by the same server which runs freeradius but we plan to have them on different server.

The system works perfectly in our test environment(2-3 hotspots with 10 or so users) however I read somewhere that the dissemination of certificates and managing the users in PKI becomes complicated as the number of users increase.

So, the question which I want to ask is how has been everyone's experience with EAP-TLS deployment and is there something which we need to plan ahead for. 

Sincerely,

Kumar Mrinal