1) For Windows, the challenge response can be done using a domain user account or a computer account depending on the authentication mode.
2) In the default configuration of W10 the PEAP properties have the setting
Tell user if the server’s identity can’t be verified.
Meaning that the user will be prompted to verify the certificate.
Don’t ask user to authorize new servers or trusted CAsis setup it is not possible to retrieve the challenge response.
If the server certificate can be impersonnated, and there is a client certificate, it is possible to patch hostapd in order to not verify the validity of the client certificate. https://versprite.com/blog/application-security/eap-tls-wireless-infrastructure/
eaphammer --eap-spray -I <wlan0> -e <SSID> --user-list <userlist.txt> --password <password>