Windows wpa_supplicant EAP-TLS and PEAP with freeradius

Vieri rentorbuy
Mon Dec 21 06:06:25 PST 2009


Hi,

I'm running Freeradius on a Linux server and have Windows XP clients with wpa_supplicant.

My goal is to allow the Windows clients to access a wireless network only if they meet the following requirements (both of them):

* client certificate
* authorized username/password

Would I need EAP-TLS + PEAP (both at once)? Is this possible?

I set up EAP-TLS and it seems to work with the following config file:

ctrl_interface=

network={
	ssid="WIFI1"
	proto=WPA
	key_mgmt=WPA-EAP
	pairwise=CCMP
	eap=TLS
	identity="anything"
	ca_cert="D:\cacert.pem"
	private_key="D:\d831.p12"
}

(as a side note, I don't know why but it doesn't work with proto=WPA2; with the latter, it doesn't go past the AP and thus does not reach the RADIUS server)

I also set up PEAP to work with a client certificate.
For that, I defined the following in the Freeradius server (/etc/raddb/sites-available/default):

authorize {
        preprocess
        # Make the EAP TLS tunnel setup fail unless the supplicant presents a client certificate
        update control {
               EAP-TLS-Require-Client-Cert = Yes
        }
        # (remaining authorize modules unchanged)
}

and the wpa_supplicant config file is as follows:

ctrl_interface=

network={
	ssid="WIFI1"
	proto=WPA
	key_mgmt=WPA-EAP
	pairwise=CCMP
	eap=PEAP
	private_key="D:\d831.p12"
}

This requires the Windows client to send a certificate.

Can this method be considered "safe enough"? (is there a better setup?)
As stated before, I need to *require* both client certificates and valid usernames/passwords.
I suppose I can revoke the d831.p12 certificate in the above example, if/when considered necessary.

Any suggestions?

Thanks,

Vieri
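
As an added example (not part of Vieri's post), here is a wpa_supplicant network block that combines the two requirements in one PEAP session: the client certificate from the PKCS#12 file is presented in the outer TLS handshake, and the username/password is checked by MSCHAPv2 inside the tunnel. The server certificate subject, identity and passphrases are assumed placeholders; the ca_cert/subject_match lines are there because the PEAP block in the post omits server certificate validation.

```conf
# wpa_supplicant.conf (constructed example; paths, names and secrets are placeholders)
ctrl_interface=

network={
	ssid="WIFI1"
	proto=WPA
	key_mgmt=WPA-EAP
	pairwise=CCMP
	eap=PEAP
	# Outer TLS tunnel: validate the RADIUS server certificate against the CA
	# and pin the expected subject, otherwise the client cannot tell the real
	# server from an impostor and would hand its inner credentials to anyone.
	ca_cert="D:\cacert.pem"
	subject_match="/CN=radius.example.com"        # placeholder server cert subject
	# Client certificate + key presented during the outer handshake
	# (a .p12 carries both, so no separate client_cert= is needed)
	private_key="D:\d831.p12"
	private_key_passwd="PLACEHOLDER-P12-PASSPHRASE"
	# Inner authentication: username/password over MSCHAPv2
	anonymous_identity="anonymous"                 # outer identity sent in clear
	identity="user@example.com"                    # placeholder inner username
	password="PLACEHOLDER-PASSWORD"
	phase2="auth=MSCHAPV2"
}
```

On the FreeRADIUS side this pairs with the `EAP-TLS-Require-Client-Cert = Yes` control attribute shown in the post, so a supplicant that skips the certificate is rejected before the inner MSCHAPv2 exchange ever starts.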
