is it possible to configure "Identity Privacy" with PEAP in NAC? This is possible with Microsoft NPS and is an option in common OS like Winows or Android. The key point is that the outer method does not include the "real" username. So if anyone captures the radius traffic the username is not sent in plaintext.
As this is feature is possible with freeRadius I expect it should also be possible with NAC?