I understand you cannot use EAP-TLS for public Wi-Fi because the clients will not have their own certificates; therefore, what EAP do you use so that mutual authentication can take place?
12 Answers
I'm assuming that you want clients to connect with passwords. You want to use either PEAP or EAP-TTLS with MSCHAPv2 as the inner authentication method. You will probably still need to provide clients with a CA certificate to verify the server with.
PEAP with MSCHAPv2 is the most compatible. Except for Windows desktops, all other devices directly connect and prompt you for the username/password. You don't need a trusted server certificate; it can be self-signed.
On Windows, you will need to manually create the connection and disable server certificate trust verification, or get a certificate from a trusted CA. This is not the same trust store as the browser and has a much more limited set of root CAs.
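To make the difference between the two answers concrete, here is an added wpa_supplicant configuration (not code from the original thread) showing PEAP with MSCHAPv2 as the inner method. The first network block is the "just connect" setup the second answer describes, with no server certificate check; the second block pins the CA certificate and the expected server name, which is what the first answer means by giving clients a CA certificate to verify the server with. The SSID, identity, password, certificate path and RADIUS server name are placeholders.

```ini
# Added example: wpa_supplicant.conf for PEAP/MSCHAPv2.
# All names below (SSID, identity, paths, server name) are placeholders.

# --- Weak: no server certificate verification ---------------------------
# Without ca_cert the client accepts any certificate the access point
# presents, so the MSCHAPv2 exchange (and with it the password hash) can be
# captured by anyone running a rogue AP with the same SSID. wpa_supplicant
# logs a warning about this when ca_cert is missing.
network={
    ssid="PublicWiFi-placeholder"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# --- Hardened: verify the server before the inner authentication -------
# ca_cert limits trust to the CA the operator handed out (self-signed is
# fine; this file is that self-signed certificate in that case).
# domain_match requires the RADIUS server's certificate name to match
# exactly, so a certificate from the same CA but for another host is
# rejected. anonymous_identity keeps the real username out of the
# unencrypted outer EAP identity.
network={
    ssid="PublicWiFi-placeholder"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="user@example.org"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/hotspot-ca.pem"
    domain_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}
```

The second block is the one to ship to clients: mutual authentication here means the client authenticates the server through the TLS tunnel's certificate (ca_cert plus domain_match) and the server authenticates the client through MSCHAPv2 inside that tunnel. Dropping either check leaves only one direction authenticated.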