01-29-2024 01:41 AM
Hello,
I am trying to set up a wireless client for EAP-TLS (ISE 3.2) authentication with client/server certificates. Unfortunately the client is not happy with only the two certificates and requires an ID/password. Have you stumbled upon something like this? Is it some kind of outer identity or TEAP protocol?
Any tips will be highly appreciated. Thank you!
Regards
01-29-2024 02:11 AM
- Ref : https://community.cisco.com/t5/security-knowledge-base/eap-tls/ta-p/3148923
Have a look at this paragraph: 5.2.1 Client Certificate Requirements
M.
01-29-2024 01:16 PM
EAP-TLS on the device side has 3 options:
None of them will require a user/password to be entered. That being said, the user still needs to log in to Windows/macOS to trigger the user certificate authentication.
EAP-TEAP allows you to do outer and inner authentication and then make the decision based on both for example:
If Computer Certificate give limited access to allow for the user certificate to be downloaded.
if user certificate only give BYOD access
if both user and computer certificate give corporate access.
With EAP-TEAP, if you have to, you can configure the outer and inner EAP authentications differently, one using MSCHAPv2 and one via TLS, but it is not the recommended way to go forward.
Now for the customer wanting to also have user/password: they are aware that the method to do just that, EAP-PEAP with MSCHAPv2, is being deprecated by Microsoft and they are moving to certificate authentication. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/considerations-known-issues
The user/computer certificate is the most secure authentication currently available to Windows. The misconception is that because the user doesn't authenticate with a username/password it's not secure. The user still logs into the laptop (PIN, password, FaceID etc.); it's just that the username/password are not transmitted to the RADIUS server.
You can still do verifications against AD, to confirm if the user is valid, group membership etc. And when the certificates are generated you can also prevent them from being exported.
Compare this to a password, where it's written on a piece of paper, used against every website, and in some cases easily guessed.
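To make the EAP-TEAP chaining described in the answer above concrete, here is an added example (not code from the thread, from Cisco or from ISE) that models how a RADIUS/NAC policy can combine the outer (machine certificate) and inner (user certificate) results into one authorization decision, with a directory lookup for user validity and group membership. Certificate summaries, the directory contents, the `Corp-Wifi` group and the policy names are constructed for illustration; the only fixed identifier is the standard clientAuth EKU OID.

```python
"""Added example: authorization from EAP-TEAP outer/inner EAP-TLS results.

Assumptions (not from the thread): a machine certificate carries the host
FQDN as a SAN dNSName, a user certificate carries the UPN as a SAN, both
must have the clientAuth EKU, and the directory below stands in for AD.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, required on both certs

# Constructed stand-in for an AD lookup: user principal name -> group list.
DIRECTORY: Dict[str, List[str]] = {
    "alice@corp.example": ["Domain Users", "Corp-Wifi"],
    "bob@corp.example": ["Domain Users"],
}


@dataclass
class CertSummary:
    """Fields a RADIUS server extracts from an already chain-validated cert."""
    subject_cn: str
    ekus: List[str]
    san_dns: List[str] = field(default_factory=list)  # machine certs: host FQDN
    san_upn: Optional[str] = None                     # user certs: UPN


def is_client_auth_cert(cert: CertSummary) -> bool:
    return CLIENT_AUTH_EKU in cert.ekus


def is_machine_cert(cert: CertSummary) -> bool:
    return is_client_auth_cert(cert) and bool(cert.san_dns) and cert.san_upn is None


def is_user_cert(cert: CertSummary) -> bool:
    return is_client_auth_cert(cert) and cert.san_upn is not None


def user_in_group(upn: str, group: str, directory: Dict[str, List[str]] = DIRECTORY) -> bool:
    return group in directory.get(upn, [])


def authorize(outer: Optional[CertSummary], inner: Optional[CertSummary],
              directory: Dict[str, List[str]] = DIRECTORY) -> Tuple[str, str]:
    """Return (access level, reason) for one TEAP session.

    outer: certificate presented in the outer (machine) EAP-TLS, or None.
    inner: certificate presented in the inner (user) EAP-TLS, or None.
    Policy (illustrative): both -> corporate, user only -> byod,
    machine only -> limited (enough to enroll a user cert), neither -> reject.
    """
    machine_ok = outer is not None and is_machine_cert(outer)
    # A user cert is accepted only if the UPN still exists in the directory.
    user_ok = inner is not None and is_user_cert(inner) and inner.san_upn in directory

    if machine_ok and user_ok:
        if user_in_group(inner.san_upn, "Corp-Wifi", directory):
            return "corporate", f"machine {outer.san_dns[0]} and user {inner.san_upn}"
        return "limited", f"user {inner.san_upn} is valid but not in Corp-Wifi"
    if user_ok:
        return "byod", f"user {inner.san_upn} on an unmanaged device"
    if machine_ok:
        return "limited", f"machine {outer.san_dns[0]} only; user cert enrollment allowed"
    return "reject", "no acceptable client certificate in either method"


if __name__ == "__main__":
    machine = CertSummary("LAPTOP01.corp.example", [CLIENT_AUTH_EKU],
                          san_dns=["LAPTOP01.corp.example"])
    alice = CertSummary("Alice", [CLIENT_AUTH_EKU], san_upn="alice@corp.example")
    for outer, inner in [(machine, alice), (None, alice), (machine, None), (None, None)]:
        print(authorize(outer, inner))
```

Running the module prints the four outcomes from the answer's three rules plus the reject case. A server-authentication certificate (EKU serverAuth only) is refused as a client certificate by `is_client_auth_cert`, which is the requirement the linked 5.2.1 section is about.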