Regarding Eap-tls process

jain.manish94 (Spotlight)

Hello Team,

Currently I am using EAP-PEAP with a server certificate only.

Now I want to use EAP-TLS, and I have 2000 users in my network that are all domain joined.

Here I want to understand how EAP-TLS increases our cost and requires more hardware; I am not getting this point.

Can anyone please help here with any good documents where it is mentioned that if we are going to use EAP-TLS it will increase cost and hardware?

11 Replies

JPavonM (VIP)

@jain.manish94 the only increase is in the administrative cost (no need for additional budget) for the certificates you need to deploy for every user/machine; no additional server if you already have the CA server.

administrative cost --- I did not get this point, can you please make it clear to me.

Actually I want to move from EAP-PEAP to EAP-TLS.

What is required here?

And how does administrative cost come into the picture if I have 100 users, all domain joined?

JPavonM (VIP)

What I mean with administrative cost is that you would need to generate all certificates in the CA and distribute them to users/machines.

Here and here you have a comparison on how to configure PEAP and EAP-TLS on MS NPS.

HTH
-Jesus
*** Please rate helpful responses ***

Still not clear.

Because I have a CA server as well, then what are the challenges there to implement EAP-TLS?

What I mean with administrative cost is that you would need to generate all certificates in the CA --- what are the challenges here, and why can we not generate 2000 client certificates for the users?

Hi

Certificate cost, and it is expensive, very expensive depending on the size of the network. Of course, if you were to deploy it the proper way, I mean, with a Certifier signing your certificates.

It is not easy to share the prices with you because this information is not shared on the Internet. Usually the prices are sent to companies directly because it involves negotiation and particularities that each company may have.

I always handled EAP-TLS from the technical perspective; I never had to buy it, but I know it costs. You can deploy your own certifier and generate CSR files, but then you need to sign these files with Government-authorized companies like TrustSign, for example.

Amazon shares this information and you can get some idea about costs.

https://aws.amazon.com/certificate-manager/pricing/?nc1=h_ls

 

Certificate cost, and it is expensive, very expensive depending on the size of the network ---- you mean to say that when I generate client certificates using my own CA I have to pay a cost for each client certificate?

Or how is cost involved here? Please share your practical knowledge if you have an EAP-TLS setup.

I have one CA server and 200 users who are using domain-joined client laptops, and now I want 200 client certificates from my CA server. How is cost involved here? Please tell me.

 

"You mean to say that when I generate client certificates using my own CA I have to pay a cost for each client certificate?"

No, the cert itself is just a file. You can create them and distribute them at almost no cost. But each certificate must be signed by a third-party certifier, and that's a cost.

"I have one CA server and 200 users who are using domain-joined client laptops, and now I want 200 client certificates from my CA server. How is cost involved here? Please tell me."

But do you have a full certificate chain properly signed by a third-party certifier?

You may want to see this link.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/certificate-requirements-eap-tls-peap

But each certificate must be signed by a third-party certifier, and that's a cost. --- Why must each certificate be signed by a third party? If I don't do this, then what is the issue?

Why is the CA there if we need a third party for the client certificates only?

What is PKI for client certificates and why do we use it?

This is related to how the certificate system is built. It involves public and private keys, etc. But it can also be done differently. If the level of security you need can be met with only a private CA, you can handle it yourself and then the cost will be minimal: basically, the workforce to distribute and install.

 

If the level of security you need can be met with only a private CA, you can handle it yourself and then the cost will be minimal. ----- Now why is there a cost, because this is my CA which is already there?

One more question:

This is related to how the certificate system is built. It involves public and private keys --- when we get a client certificate from the CA, how does it get both the public and the private key, because this is my internal CA, right?

Arshad Safrulla (VIP Alumni)

Assuming that you already have a RADIUS server:

Cost -

  1. If you don't have an existing CA, then you need to get a new CA. There are multiple vendors who provide a private CA, and you may have to do a feasibility study to understand which vendor is suited for your environment and how much it is going to cost you financially. Most orgs opt for Microsoft CA, as this is free of cost if you have existing MS AD services.
  2. Another cost is configuring and managing the certificate authority and deploying certificates to clients.
  3. If you have only domain-joined PCs, then MS GPO can push the certificates. But if not, you have to consider the cost of manually installing the certificates or the cost of an MDM to manage the non-domain devices.
  4. Cost for reconfiguring the RADIUS server and its support.

Hardware -

  1. Depends on what vendor you choose as CA. If you choose Microsoft, depending on your requirements you might need a few VMs running MS Server OS working as dedicated CAs. So you need to consider the cost of software licenses for the VM and OS; if not a VM, then hardware cost along with other costs such as electricity etc.

EAP-TLS is somewhat complex compared to PEAP. From a security point of view we consider PEAP to be obsolete, and as of now only EAP-TLS or EAP-TEAP (the latest EAP mechanism, but client support is limited) are considered secure. So whatever the cost, if your org is security conscious then go with EAP-TLS. You can slowly migrate to EAP-TLS by creating a test SSID with EAP-TLS auth, test all the possible use cases, and once ready for production rename the SSID and disable the PEAP SSID.
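As an added example (not part of the thread or of any poster's material), the following PowerShell script audits a domain-joined Windows client for a certificate that meets the EAP-TLS client requirements referenced in the Microsoft link above: Client Authentication EKU present, private key present on the host, issued by the internal CA, chain trusted with revocation checkable, and not about to expire. It also speaks to the earlier public/private key question: the key pair is generated on the client at enrollment and only the public key goes to the CA in the request, which is why the private-key check is done on the client and not on the CA. The issuer pattern `Contoso-Issuing-CA` is a placeholder to replace with your own issuing CA's name, and the 30-day expiry threshold is an assumed operational value. Run it elevated so the machine store's private-key information is readable.

```powershell
# Added example, not from the thread: audit local cert stores for an EAP-TLS-suitable client certificate.
# Placeholder: replace with a pattern that matches your internal issuing CA's subject name.
$ExpectedIssuerPattern = 'Contoso-Issuing-CA'
$ClientAuthEku         = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required on EAP-TLS client certs
$MinDaysRemaining      = 30                    # assumed operational threshold for renewal warnings

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # The private key is generated on the client and never leaves it; the CA only saw the public key.
    if (-not $Cert.HasPrivateKey) { $reasons.Add('no private key on this host') }

    # The RADIUS server (NPS) requires the Client Authentication purpose on the client certificate.
    $hasClientAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthEku) { $hasClientAuth = $true }
            }
        }
    }
    if (-not $hasClientAuth) { $reasons.Add('missing Client Authentication EKU') }

    if ($Cert.Issuer -notmatch $ExpectedIssuerPattern) {
        $reasons.Add("issuer '$($Cert.Issuer)' is not the internal CA")
    }

    $daysLeft = ($Cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysRemaining) { $reasons.Add(('expires in {0:N0} days' -f $daysLeft)) }

    # Building the chain proves the issuing CA and root are trusted on this host and that
    # revocation checking works; the RADIUS server performs the equivalent validation on its side.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $reasons.Add("chain did not build: $status")
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Suitable   = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Machine certificates (computer authentication) live in LocalMachine\My, user certificates in CurrentUser\My.
$results = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsClientCert -Cert $_ }

$results | Format-Table Subject, Suitable, Reasons -AutoSize

if (-not ($results | Where-Object { $_.Suitable })) {
    Write-Warning 'No EAP-TLS-suitable certificate found; verify GPO autoenrollment and the CA template.'
}
```

Running this across a pilot group before the test SSID goes live turns the "cost" Arshad describes into a measurable number: every client that reports no suitable certificate is one that autoenrollment did not reach and that will need manual or MDM-driven deployment.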
