Pick your EAP method based on your infrastructure and security needs:
If you have a PKI and can deploy client certificates, use EAP-TLS. It provides mutual authentication and the strongest security. No passwords to steal.
If you lack client certificates but have a server certificate, PEAP works well. Users authenticate with existing directory credentials. Deploy the server certificate to clients to prevent man-in-the-middle attacks.
Avoid EAP-MD5 entirely. It sends password hashes without encryption and has no server authentication. Attackers can capture credentials easily.