PEAP-TLS
I have a set of MBPs connecting to an Enterprise WiFi network using certificate-based EAP-TLS no problem. I have used the Apple Configurator for this. We use MS NPS as the RADIUS server.
After a vulnerability test it has been recommended that, while cert-based EAP-TLS is 'secure enough', we 'upgrade' to cert-based PEAP-TLS as we can further increase security using options such as 'Identity Privacy' and tunnelling the real authentication exchange over TLS. So this would be using an outer-identity of, say, 'anonymous@anonymous.local' and then an inner-identity using EAP-TLS. No MS-CHAP or passwords anywhere.
Regrettably this was very quick and easy to configure on our Windows devices using Group Policy and the NPS policies, but I am struggling to get this working on OSX.
I have all the certs and trust deployed as my devices are successfully using cert-based EAP-TLS. I can't find the right configuration in the Configurator, and the OSX GUI doesn't make any mention of PEAP at all.
Has anybody got this working? Cert-based PEAP-TLS (MS-PEAP I suppose) using only certificates?
Thanks.
D
MacBook Pro 15", macOS 10.14