You can do EAP PEAP, which is with MSCHAPv2.
You need to buy a cert for the NPS to make EAP PEAP work.
I don't have a list of the devices that support EAP PEAP with MSCHAPv2...
You will need to investigate that yourself, because I don't think the TAC will answer you that either, as it is not Aruba related.
But as far as I know iPads, Macs and BlackBerry support EAP PEAP (not sure if all models...).
Now answering your questions:
Yes, even with the cert they can create a fake AP and try to steal passwords. If you configure the EAP PEAP client correctly then you make it really hard for the attacker.
For example, when you configure the EAP PEAP client on Windows there is a field where you put which server; if the client is not connecting to that server specifically then it won't send any user or password... Does this field exist on all the devices? Well, no... you will have to investigate that...
Now the question I've got for you:
Do they already use their own devices from home to access the email with ActiveSync? And you just want to add it so when they bring it to the corporate they can access it?
Because really, if it's that, then you can create an SSID, use the firewall policies and put on that SSID a specific role which just has access to the internet on ports http and https, and to the server on just port https... and restrict everything else...
Can they steal passwords when the device is connecting to the Exchange? Well, I don't know... I'm not a server expert nor an Exchange expert to answer that... you will need to ask on a Microsoft forum how secure doing this is...
Now if you're afraid they will connect to another AP or something, you can use the WIPS license and configure that the clients cannot connect to other APs that are not Aruba APs... it can also detect fake APs and contain them... (do you have this license?)
Now you can create another SSID (just for these devices), maybe WPA2 PSK (yeah, they can crack it with an offline dictionary attack), but if they get in they will have access to the internet and also to the Exchange server, but just on port 443 (which is the same access they have when you have people from outside the company checking email). This is Exchange security and I don't know about that; you need to ask on a Microsoft forum, I recommend TechNet. You can add captive portal authentication to it, but then they can do a fake AP with a fake captive portal and get the username and password to get in, but even if they get in you will have your policy on your Aruba firewall set so that they can just go to the internet and to the Exchange server through port 443. (You need the PENF license for this, do you have it?)
Now if you want security for real, because it seems in your company they want security but they don't want to invest... you need BYOD or EAP TLS, configured manually, manually putting the cert on each of these devices (do ALL the devices support EAP TLS? I don't know... you can open a support case and ask the TAC), or you can just google it.
You can tell the manager that if they want security then they will need to get BYOD. Yes, you can configure EAP PEAP, on which I already answered your questions, or at least the ones I could.
What do I recommend? BYOD; all the other things are just workarounds (when we are talking about bringing a non-corporate device to the corporate)... like I said, EAP PEAP (MSCHAPv2) can be secure if you've got all the fields to configure it correctly. For example:
Let's talk about the iPhone.
The iPhone does not have the options to specify the type of authentication to use, they simply just aren't there. The iPhone also doesn't allow for preconfigured certificates, meaning they can't be tied to a legit RADIUS server. This flaw makes them susceptible even in the worst case scenario, being that certificate validation is enabled and tied to a specific RADIUS server. Now this can happen on other devices... not just with iPhones.
Anyway, I hope I was able to answer most of your questions.
Here I also send you a link to a guide on how to correctly configure EAP PEAP:
https://community.arubanetworks.com/t5/Authentication-and-Access/Correctly-configure-EAP-PEAP-Windows-client/m-p/43398
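
The Windows "which server" field mentioned in the reply is stored in the PEAP section of the wireless profile, so it can be checked on exported profiles (`netsh wlan export profile`). The following is an added example, not part of the original post: a Python audit that flags PEAP profiles where the server name or root CA is not pinned. It assumes the Windows PEAP profile element names `ServerValidation`, `ServerNames`, `TrustedRootCA` and `DisableUserPromptForServerValidation`; the sample profiles, server name and thumbprint are constructed.

```python
import xml.etree.ElementTree as ET

PEAP_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"

# Constructed, abbreviated profiles (hypothetical server name and thumbprint);
# a real export wraps this element in WLANProfile/MSM/OneX/EAPConfig.
WEAK = f"""<EapType xmlns="{PEAP_NS}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
</EapType>"""

HARDENED = f"""<EapType xmlns="{PEAP_NS}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>nps01.corp.example</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
</EapType>"""


def _local(tag):
    """Strip the XML namespace so the check works at any nesting depth."""
    return tag.rsplit("}", 1)[-1]


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means the server is pinned."""
    root = ET.fromstring(xml_text)
    sv = next((e for e in root.iter() if _local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return ["no-server-validation"]
    fields = {_local(c.tag): (c.text or "").strip() for c in sv}
    findings = []
    if not fields.get("ServerNames"):
        findings.append("server-names-empty")    # any cert from a trusted CA is accepted
    if not fields.get("TrustedRootCA"):
        findings.append("no-trusted-root")       # issuing CA is not pinned
    if fields.get("DisableUserPromptForServerValidation", "").lower() != "true":
        findings.append("user-prompt-allowed")   # user may accept an unknown server
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_peap_profile(profile))
```
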