I'm in the middle of using an NPS server in server 2012 to implement NAP on my network, I've just installed a CA on my DC and i plan on using the PEAP with certificates to use as the authentication method that my users are going to use to authenticate themselves.
Regarding PEAP with EAP-MS-CHAP v2 and EAP-TLS, i'm kind of understanding the difference but i dont think i'm quite fully there yet.
My understanding with the MsCHAPv2 one is that the CA does not give out a certificate to the user and only asks the user to trust it along with negotiating the channel then. The TLS version though does give out a certificate on both the server and client and thats how authentication happens. BUT what is the encrypted channel encrypted with? Is it the contents of the certificate? So the TLS connection is encrypted using the public key of the certificate and decrypted using its private key on the server? What is used for encryption, is it AES and where can i specify this?
If not then what are the certificates used for then in regards to all the encryption and keys that are on them? It's just a bit confusing but when i get some clarification on it, it'll click.


Cheers