After much poking around man pages for `openssl.cnf` and the configurations on the various iPhones and iPods at home, I have finally figured out the answer to the question I posed.
My solution achieves the following: (a) username/password-less logins in a secure manner using EAP-TLS via WPA2-enterprise, and (b) (maybe a teeny bit stronger security) password-less but username-required login in a secure manner via WPA2-enterprise. Option (b) is really achieved by uncommenting `check_cert_cn` in the `eap.conf` file, and requiring that the username (there are a number of name attributes, be a little careful) is sent. A potential hacker could have your certificate, but she possibly does not have your username; this is not exactly a security measure against a hacker who knows her way around certificates and WPA2 enterprise.
In a gist, the procedure is that you change the `client.cnf` file for each client you want to add to the network and regenerate the keys using `make client.pem`, which produces the `client.p12` file which you should download onto your client machines--this means each client gets its own key for the encryption, which implies one client in the network cannot spy on another's packets via promiscuous mode. If you have any issues during the creation of the `client.pem`s (`make client.pem` bombs for any reason), then pay special attention to `serial` and `serial.old`, and `index.txt` and `index.txt.old`: specifically, `mv serial.old serial` and `mv index.txt.old index.txt`, and redo the `make client.pem` after the problem is fixed (e.g., an incorrect `cnf` file due to typos--most likely due to the fact that special characters are sometimes not permitted for the passwords in the `client.cnf` file--I would appreciate anyone reading this pointing me to resources regarding the use of special characters in `*.cnf` files).
Now the details. Windows machines need a different procedure: for each Windows XP client, you will need to use the techniques mentioned in the `README` file in `/etc/raddb/certs/`. Next, you should follow the steps in "Step 1: Create Certificates: On the Windows XP client" in the FreeRadius howto, and connect using Step 4 of the same howto on the FreeRadius site.
For all machines, before you do the above for each client, you should change the `client.cnf` file for usernames and passwords for each of the clients. My `cnf` file changes really only touched the `[ req ]` section of the `client.cnf` file to change `distinguished_name`, `input_password` and `output_password`. Note that the following section should describe the name of the client given as the value for the `distinguished_name` attribute. For example, if you had `distinguished_name = beeblebrox` in the `[ req ]` section, then the following section will start as `[ beeblebrox ]`. Here, you will configure the attributes accordingly, boringly (the same for most clients in your network, except the `emailAddress`, which will change for each client).
At the end of this process, you are done generating the `*.p12` digital profiles/personal information exchange files for each client. This file contains a private key which the client will use for communication in the network. Now you have to install these digital profiles onto the clients.
Windows machines will take the procedure for installation of the certificates and the connection to the WPA2 enterprise network as already mentioned above. All the other machines need the `*.p12` file that was created for them (it is convenient to name them per client: `xp1.p12`, `xp2.p12`, `ios1.p12`, `ios2.p12`, `macosx1.p12`, etc.) to connect to the RADIUS server. How do you download the `*.p12` file onto the machines securely? For laptops, the problem is trivially solved by the use of removable media or, if you are connected via ethernet to the host network, an scp of the file. For iPhones and other devices, it is a tiny bit tricky. I am not sure if using insecure email is the way to go, considering the fact that the `*.p12` file contains the private key to be used by the clients. Perhaps if you digitally encrypt your email it is OK. But I solved it by hosting the `*.p12` files locally on a webserver and downloading them onto the IOS devices.
On the MAC, you can follow the steps provided here, but make sure you add the `*.p12` file to the keychain on your MAC before you do so (see here). Then configure 802.1x authentication in your WPA2 enterprise configuration (you may have to explicitly check `TLS` in the configuration).
On the IOS devices, you first download the `*.p12` file, which will let you add this certificate as a profile (download of the `*.p12` file starts the process automatically). Then, you go to Settings->WiFi->add your WPA2 enterprise network, specify the SSID, and then change the mode to `EAP-TLS`. Once you do that, the `Identity` option appears, which, when you click it, offers the `*.p12` profile option. Check the option, and return to the screen. Depending on whether you have chosen total username/password-less login to the enterprise system, or password-less login, you may have to enter the username from the corresponding `client.cnf` file used to generate the `*.p12` file. Once you click join, you are in!
I'd appreciate someone adding the plug for wireless access via linux.

I'll pipe in once I can talk more on the number of times I have to re-login, etc.--I might have seen this problem on my IOS devices, but I have to check again.
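As an added example (not part of the answer above, nor the FreeRADIUS project's own scripts), here is a small POSIX sh helper for the per-client loop the answer describes: it emits the `[ req ]` section and the matching distinguished-name section for one client, then runs `make client.pem` and rolls the CA bookkeeping files back if the build bombs. It assumes you run it inside the FreeRADIUS certs directory (the answer's `/etc/raddb/certs/`), whose Makefile provides the `client.pem` target and leaves a `client.p12` behind; the client label, email and passphrase are constructed sample values. Rather than try to quote passphrases, the helper rejects characters that the `openssl.cnf` syntax treats specially (`#` starts a comment, `$` expands a variable, quotes and backslash are quoting syntax), which sidesteps the special-character problem the answer ran into. It also takes its own snapshot of `serial` and `index.txt` before each run instead of relying on the `.old` copies, because those are written by `openssl ca` itself and so reflect the last signing rather than the state before this attempt.

```shell
#!/bin/sh
# Added example helper for the per-client EAP-TLS certificate workflow.
# Not from the original answer or from FreeRADIUS; run it inside the certs
# directory (assumed: /etc/raddb/certs with a Makefile that builds client.pem
# and client.p12). All names, emails and passphrases below are constructed.

# Print the [ req ] section and the DN section it points at, for one client.
#   $1 = client label (value of distinguished_name and name of the DN section)
#   $2 = emailAddress (the per-client attribute)
#   $3 = passphrase (input_password/output_password; also protects the .p12)
# Returns 1 if the passphrase contains characters that are special in
# openssl.cnf syntax ('#' comment, '$' expansion, quotes, backslash, spaces).
client_req_sections() {
    label=$1; email=$2; pass=$3
    case $pass in
        *[!A-Za-z0-9_.-]*)
            echo "passphrase may only use A-Z a-z 0-9 _ . -" >&2
            return 1 ;;
    esac
    cat <<EOF
[ req ]
prompt = no
distinguished_name = ${label}
default_bits = 2048
input_password = ${pass}
output_password = ${pass}

[ ${label} ]
countryName = US
stateOrProvinceName = Home
localityName = Home
organizationName = Home Network
emailAddress = ${email}
commonName = ${email}
EOF
}

# Snapshot the CA bookkeeping files before a run (our own copies, independent
# of the serial.old/index.txt.old that openssl ca writes while signing).
snapshot_ca_state() {
    cp serial serial.bak && cp index.txt index.txt.bak
}

# Put the snapshot back after a failed run so the next make starts clean.
restore_ca_state() {
    mv serial.bak serial && mv index.txt.bak index.txt
}

# Build one client's certificate bundle and keep the .p12 under a per-client
# name (ios1.p12, xp2.p12, ...). $1 = client label. MAKE may override the
# make command (used by tests). Returns 1 and restores CA state on failure.
build_client() {
    label=$1
    snapshot_ca_state || return 1
    if ${MAKE:-make} client.pem >/dev/null 2>&1; then
        rm -f serial.bak index.txt.bak
        cp client.p12 "${label}.p12"
    else
        restore_ca_state
        echo "make client.pem failed for ${label}; serial/index.txt restored" >&2
        return 1
    fi
}
```

Typical use, after the `[ ca ]` part of the shipped `client.cnf` has been kept in place: `client_req_sections ios1 ios1@example.test s3cret-pass > client.cnf.req`, splice that into `client.cnf`, then `build_client ios1` and copy `ios1.p12` to the device over a channel you trust, as the answer discusses.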