Windows 7 Client Configuration with User Certificates

The configuration is basically the same as for machine certificates.

The only difference is in the Security tab of the VPN Properties menu, just select EAP with certificate to use user certificates
for authentication:

Then in the Properties window select if you want to use smart cards or an installed user certificate:

Also, to avoid any warnings regarding the validation of the authentication server make sure to select the trusted CA certificate
that issued to server certificate in the list in the dialog above. The server's name can also be listed in the text box above.

This refers to the EAP-TLS authentication endpoint not the IKEv2 endpoint, which is authenticated with regular public key
authentication before the EAP-TLS exchange is initiated. The endpoints are the same if you use the eap-tls plugin but are
not if you use the eap-radius plugin and delegate the client authentication to a separate RADIUS server.