I found this note at the bottom of this Microsoft PEAP article (http://technet.microsoft.com/en-us/library/cc754179.aspx):
"When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP-TLS, do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type creates a security vulnerability."
Does anybody know any specifics about the vulnerability they're referring to? I want to transition most of my clients from EAP-TLS to PEAP-TLS. I was planning to select both in the RADIUS NPS profile, at least until all the clients are reconfigured for PEAP-TLS, and I was probably going to leave EAP-TLS on for one network camera that won't do PEAP. After reading about a possible vulnerability, I'm thinking this is a bad idea, but I'm hoping to learn more and possibly find a workaround that won't expose us to whatever vulnerability they're talking about.