Migrating off of LEAP is a good idea since it has proven susceptible to dictionary attacks.
I've used PEAP, native Windows XP supplicant, and Active Directory authentication successfully. Remember, PEAP is specifically for authenticating clients without the need for client certs.
If you want to use existing client certs, that is called EAP-TLS, where certs exist on both the auth server and the client. To do this, you need to give your ACS servers a certificate from the same root CA you use for your client certs. Cisco has a document with a procedure for installing certs on ACS. You should also sync the two servers (if they are redundant) to the 3.3 version (latest).
This way, the clients will trust the cert ACS presents during the TLS handshake and ACS will be able to trust the certs presented by the client.
Hope that helps.
Eric Young
SY&A LLC
IT Consulting
650-368-1506
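The "same root CA" requirement for EAP-TLS described in the reply above can be checked before touching ACS at all. The script below is an added example, not code from the poster or from Cisco: it builds a throwaway PKI with the openssl command line, issues one certificate for the authentication server and one for a client from the same root, and runs the chain validation each side performs during the TLS handshake (the supplicant on the server cert, the server on the client cert). It also issues a server cert from an unrelated CA to show what a mismatched deployment looks like. All names (Example Root CA, acs.example.net, jdoe) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway PKI with openssl
# and check the trust relationship EAP-TLS needs, i.e. the RADIUS/ACS server
# certificate and the client certificate both chain to the same root CA.
# All names used below are constructed placeholders.
set -eu

# The example needs the openssl command line tool; stop cleanly if it is absent.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA.  $1 = file prefix, $2 = CN
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -subj "/CN=$2" -days 30 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue an end-entity certificate signed by a CA.
# $1 = CA file prefix, $2 = output file prefix, $3 = subject CN
issue_cert() {
    openssl genrsa -out "$WORK/$2.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$WORK/$2.key" -subj "/CN=$3" \
        -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Print "ok" when both the server cert and the client cert validate against the
# given root, "fail" otherwise.  This mirrors the two checks in an EAP-TLS
# handshake: the supplicant validates the server cert, the server validates
# the client cert, and both must succeed against the same trust anchor.
# $1 = root prefix, $2 = server cert prefix, $3 = client cert prefix
check_mutual_trust() {
    root=$1; server=$2; client=$3
    if openssl verify -CAfile "$WORK/$root.crt" "$WORK/$server.crt" >/dev/null 2>&1 \
       && openssl verify -CAfile "$WORK/$root.crt" "$WORK/$client.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    make_root rootca "Example Root CA"        # the CA that issued the client certs
    make_root otherca "Unrelated CA"          # a CA the clients do not trust
    issue_cert rootca acs "acs.example.net"   # auth server cert from the corporate root
    issue_cert rootca client "jdoe"           # client cert from the same root
    issue_cert otherca acs-wrong "acs.example.net"  # auth server cert from the wrong root

    printf 'server and client from same root: %s\n' "$(check_mutual_trust rootca acs client)"
    printf 'server cert from unrelated root:  %s\n' "$(check_mutual_trust rootca acs-wrong client)"
}

demo
```

The second line of output is the failure mode to watch for after a migration: clients silently refusing the server certificate because it chains to a root they do not carry, which in a real deployment shows up as authentication timeouts rather than a clear error.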