Nikesh,
On the Aruba support website, under Documentation -> Software -> ClearPass Policy Manager (eTIPS) -> Technotes (https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx), there is an excellent document 'CPPM - Certificates 101 Technote V1.0 .pdf' that addresses the required certificates. This document was created for ClearPass; however, because ClearPass implements open standards, the same certificate requirements apply to any 802.1x/RADIUS deployment.
In a very quick summary:
- For convenience, Windows username/password can be used; this is called EAP-MSCHAPv2, is cryptographically broken (so should be avoided if reasonably possible) and requires just a certificate on the RADIUS server.
- For best security, client certificates are used to authenticate the client; this is called EAP-TLS. In this case, in addition to the server certificate on the RADIUS, you will need a client certificate on each client. The distribution of the client certificate makes it more difficult to deploy.
The Certificate 101 guide will explain this in more depth.
Herman