My security team have tasked me with finding an authentication mechanism similar to EAP-TLS that also uses User ID's and Passwords.

EAP-Fast would fit the bill but we don't want to run a PAC deployment alongside our PKI infrastructure.

I was originally going to go with PEAP-MSCHAPv2, but the certificate used is a server certificate and the security teams requirement is for a client certificate (individually revocable) and optionally a server certificate (for mutual authentication).

I really dont want to go down the VPN route either.

Does anyone know of an EAP type that fits the bill?