Greets - I've been tasked with rolling over some of our *pple *pads which were perfectly happy with EAP-TLS and and an FR3 service to Win10 PC supplicants. Admittedly, the recent releases of ios have EAP-TLS as a manual choice, and many of my commercial network friends advocate EAP-TTLS instead as most of their supplicants are people who BYOD and are thus user authenticated against a single huge network. For my instance, I want to stay with machine auth; the devices may roam between different smaller and independent networks (often without my direct involvement which is ok), but I'd rather not have individual certs and credentials for every supplicant that I would have to replicate to each remote site. The convenience of manually installing a certificate then handing off the device to others to deploy actually is the better path for me. Bulking all the supplicants into a single username/pwd is little different than wpa2-personal wherein eventually someone will write down the credential and leak it to others. With me having to manually install a certificate (ok, fine, a "Really, really long and difficult password file"), at least there is mitigation of the "password on a post-it" problem. The control over all the supplicants coming across my desk for a certificate install is fine and preferred; once installed using the same process, those devices then fan out and deploy to the field through whatever path they need to take. It would be arduous to deal with independent creds and mac address recording, then deploy those to field sites, and then keep updating as the supplicants potentially move around from site to site. Having attempted WinXP/Vista/7/8.1 with the xpextensions fix but never actually having success with it a long time ago, I was trying to find recent tutorials (written preferably in 2019 at least) that walked through a path of FR3, EAP-TLS and Win10. I have not really been successful. Even the pointers to deployingradius.com didn't pan out, (site seems to have been thinned of late) and I am of the belief through some other research that EAP-TLS is becoming less useful and EAP-TTLS is getting the preferential treatment despite apparently EAP-TTLS under certain conditions being ranked as "less secure" (PAP-leading, for example). I do recall a very in depth slide show a bit ago discussing that topic. Does anyone have an FR3/EAP-[T]TLS/Win10 tutorial that is tested functional that they would be willing to point to? If TTLS, is there a practice that would replicate the points above (the difficult to copy credential aspect in particular) of TLS? Cert generation would preferably be via openssl and FR3's scripting. Replicating certs to the remote sites is already part of my existing workflow. And of course, the great opinion request - is EAP-TLS under FR3 against Win10 a lost proposition? One specific protocol and its traditional implementation may not be the only option here; out of the box thinking is encouraged, so suggest away. My fully functional FR3 instances include Debian9, Cisco AP's under EAP-TLS, Cisco switchgear and the aforementioned ipads/android devices. (To date all my win PCs are hardwired....) I was literally just about to try one other tutorial I googled, and as I went to reach for the POE supply for my AP, it seems to have gone for a walk itself...might be trying to tell me something.... Kindest regards, Ted.