In EAP-Tunneled Transport Layer Security (EAP-TTLS), the server authenticates itself with a certificate. The client can optionally use a certificate as well. Unfortunately, EAP-TTLS does not have native support on Windows, so we need to use third-party utilities.
There are multiple inner authentication protocol options we can use with EAP-TTLS. The most common one is again MSCHAP-v2.
As Windows does not natively support EAP-TTLS, we will use OS X in this demonstration.