I would take that to mean that you cannot use a direct IP address to get at your RADIUS server, lest the certificate not be able to validate.

We are perfectly willing to buy a certificate from Verisign, Thawte, etc. if it will help, but we have tried our Comodo wildcard SSL certificate, which hasn't fixed it.

These machines belong to the end users so we can't easily control settings with group policy or registry hacks.

This is from the FreeRADIUS documentation, but I expect it is equally valid for the Microsoft implementation: In general, you should use self-signed certificates for 802.1x (EAP) authentication.

When you list root CAs from other organizations in the "CA_file", you permit them to masquerade as you, to authenticate your users, and to issue client certificates for EAP-TLS. It is easy enough to distribute certificates using GPOs. Barring that, your own star certificate (that is signed by a Root CA): could you sign your RADIUS server's certificate with it?

The disadvantage of the first two options is that it opens your 802.1X scheme up to MitM attacks.

I could conceivably build my own RADIUS server and intercept your users' AD credentials.

From a security standpoint the best option is to set up a captive portal.
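The point made above about "CA_file" (that every root you list there can issue a certificate your supplicants will accept for your RADIUS server name) can be checked with nothing more than the openssl command line. The script below is an added example written for this thread, not code from FreeRADIUS, Microsoft NPS or any poster. It assumes the openssl CLI is installed, uses constructed CA and host names (radius.example.com and the two "Example"/"Some Other" roots are placeholders), and models only the client-side chain check a supplicant performs against its configured CA list, not the full EAP exchange. It creates a private root (the one you would push out with a GPO) and a second, unrelated root standing in for any other organisation's CA, issues a legitimate server certificate from the first and a look-alike certificate with the same CN from the second, then verifies both against a bundle containing only the private root and against a bundle containing both roots.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is available.
# All names below are constructed placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA. $1 = file stem, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$2" -days 30 >/dev/null 2>&1
}

# Issue a server certificate signed by a CA. $1 = CA stem, $2 = cert stem, $3 = CN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" -days 30 >/dev/null 2>&1
}

# Returns 0 if certificate $2 chains to a root in bundle $1, non-zero otherwise.
# -no-CAfile/-no-CApath ignore the system store, so only the bundle counts,
# which is how a supplicant with a pinned CA list behaves.
trusted_by() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Summarise one bundle as "legit=<ok|rejected> lookalike=<ok|rejected>".
# $1 = bundle file name inside $WORK.
outcome() {
  legit=rejected
  lookalike=rejected
  trusted_by "$WORK/$1" "$WORK/radius-legit.crt" && legit=ok
  trusted_by "$WORK/$1" "$WORK/radius-lookalike.crt" && lookalike=ok
  echo "legit=$legit lookalike=$lookalike"
}

# own-ca: the root you control and distribute to clients.
# other-ca: stands in for any other organisation's root listed in CA_file.
make_ca own-ca   "Example Corp Private Root"
make_ca other-ca "Some Other Organisation Root"

# Same server name, two different issuers.
issue_cert own-ca   radius-legit     "radius.example.com"
issue_cert other-ca radius-lookalike "radius.example.com"

# Bundle 1: only our own root. Bundle 2: our root plus the other organisation's.
cp  "$WORK/own-ca.crt"                      "$WORK/bundle-own-only.pem"
cat "$WORK/own-ca.crt" "$WORK/other-ca.crt" > "$WORK/bundle-own-plus-other.pem"

echo "own root only         : $(outcome bundle-own-only.pem)"
echo "own root + other root : $(outcome bundle-own-plus-other.pem)"
```

With only the private root in the bundle, the look-alike certificate is rejected even though it carries the right name; as soon as the second root is added, both certificates verify, which is exactly the exposure the FreeRADIUS advice about self-signed certificates and a restricted "CA_file" is meant to close. Supplicants that also check the server name only narrow the issuer's freedom to certificates for that name, they do not remove it, so the trusted root list is the control that matters.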