EAP-TTLS is quite widely supported but you would need to test before going into production with that. I'm not sure about MFA however keep in mind that MFA is not something you want to enforce for wireless and wired network access since every time you roam you may have to approve your connection of you're not doing a fast roam. That would be a usability nightmare 😉 For VPN MFA is certainly a must have but the config in ISE for VPN is not something I have tried yet.
... View more