We have layer 2, 802.1X encapsulating MS-CHAPv2 in a Protected EAP session (PEAP) to a Microsoft IAS (RADIUS) server which in turn provides Active Directory challenge-response to both user and hardware authentication. We have WPA-TKIP configured to re-key using 802.1X every 900 seconds.

We have a server certificate instead of individual client certificates.

Cheers,