Question

I want to set up a RADIUS server for my college of around 2000 students and a hundred faculties. I am familiar with FreeRADIUS + MySQL but have never deployed it except on my laptop.

  1. Which authentication protocol should I choose if my considerations are that it is easy for users to connect to the NAS and easy for users to set up (without third-party software)?
  2. Can I use WPA2-Personal?
  3. Are certificates necessary, and if so, how can I implement them?
  4. Is there any particular EAP flavor that is supported by both Windows and Linux?

Solution

  1. The only protocols which match your requirements are EAP-TLS and EAP-PEAP. They are pretty much universally supported by all supplicants. EAP-PEAP uses username/password as credentials whereas EAP-TLS uses client certificates.

  2. No. You should use WPA2-Enterprise.

  3. No. Not if you use EAP-PEAP.

  4. EAP-PEAP and EAP-TLS are supported by both.

Note: For EAP-PEAP you either need to have the NT-Password hash of the user, the user's password in cleartext, or an Active Directory server which you can auth against.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow