Right now you are telling your clients (or supplicants in 802.1X-ese) to verify the trust path of your RADIUS server's certificate.
I don't know how you generated your public and private key-pair for your RADIUS server but generally speaking it will either be self-signed or signed by a certificate authority.
This is a classic bring-your-own-device network, think university halls of residence.
The user will be logged in locally when they click connect.
We are perfectly willing to buy a certificate from Verisign, Thawte, etc. if it will help, but have tried our Comodo wildcard SSL certificate, which hasn't fixed it.
These machines belong to the end users so we can't easily control settings with group policy or registry hacks.
In turn the signing certificate authority's public key will be distributed to clients, either through GPOs, Active Directory Certificate Services or it was included by Microsoft in the Trusted Root Certification Authority repository.
In order to enable the client to connect we have to add the network manually and un-check the "Validate server certificate" as shown in the screenshot below.
Does anyone know of a way to avoid having to do this?
Ideally they should then provide their network credentials at connection time and be seamlessly connected.
It appears that the Subject Alt Name entry of the certificate must be set to the DNS name used to reach the RADIUS server.
I would take that to mean that you cannot use a direct IP address to get at your RADIUS server, lest the certificate not be able to validate.
technet.microsoft.com/en-us/library/cc731363(v=ws.10)

You need to distribute your RADIUS server's certificate (if it was self-signed) or the certificate of the Certificate Authority that signed it to your clients.
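The two conditions the thread arrives at (a trust path to a CA certificate the clients hold, and a SAN matching the DNS name they use) can be checked offline with openssl. This is a constructed example added here, not code from the thread; the CA, the name radius.example.edu and the IP are assumptions, and it needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Constructed demo: build a throwaway private CA and a RADIUS server certificate
# whose SAN carries the DNS name clients use, then check chain and name the way
# a supplicant with "Validate server certificate" enabled does.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RADIUS_NAME="radius.example.edu"   # assumed name, not from the thread

make_pki() {
  # Private CA: this is the certificate that would be distributed to clients
  # (or be replaced by a public CA already in their trust store).
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Campus Wireless CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # RADIUS server key and request; the CN alone is not enough, the SAN is.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$RADIUS_NAME" \
    -keyout "$WORK/radius.key" -out "$WORK/radius.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$RADIUS_NAME" > "$WORK/radius.ext"
  openssl x509 -req -days 825 -in "$WORK/radius.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/radius.ext" -out "$WORK/radius.pem" >/dev/null 2>&1
}

# Exit 0 when a client trusting ca.pem and expecting DNS name $1 would accept
# radius.pem (trust path valid AND name present in the SAN), non-zero otherwise.
accepts_dns_name() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/radius.pem" >/dev/null 2>&1
}

# Same check for a client that reaches the server by bare IP address $1.
accepts_ip() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_ip "$1" \
    "$WORK/radius.pem" >/dev/null 2>&1
}

make_pki
accepts_dns_name "$RADIUS_NAME" && echo "matching DNS name: accepted"
accepts_dns_name "wifi.example.edu" || echo "other name: rejected"
accepts_ip "192.0.2.10" || echo "bare IP with no IP SAN: rejected"
```

Swapping the throwaway ca.pem for the real CA certificate and radius.pem for the certificate the RADIUS server presents reproduces the client's verdict without touching a client.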