Controllerless Networks

I've been reading other community posts and using advice from Joseph and Tim but I can't quite seem to achieve my goal of using the internal RADIUS server on a single RAP-109 along with a CA issued certificate so that my clients don't receive the un-trusted security message (iOS) or the Windows security alert (Windows 7 workgroup machine screenshot attached) upon connecting to the WPA-2 Enterprise secured network.

Must you always pre-install a certificate (either manually or Group Policy, etc.) on all your clients before connecting them to 802.1X network in order to avoid these alerts or is it possible to somehow use the default root CA's in the OS or device trust store to verify the IAP's certificate?

To avoid it completely in Windows, you would push a the CA certificate to your client's trusted store.  Also remember that sometimes you need to also push the intermediate/subordinate CA certificates (the full chain) to your client so that they trust the issued certificate.  Unless the client has the full chain (the subordinate and the CA certificate) in its store, it will not trust the CA that issued the Server Certificate.  The majority of CA certificates are intermediate and require the CA cert and the CA intermediate certificate.  Just because a server certificate is issued by Comodo and your client trusts a certificate by Comodo, does not mean it is the same CA certificate.  You need to compare the certificates to make sure they are the same and if they are not, make sure you push the CA and the subordinate/intermediate certificate to your client's Trusted CA store via GPO.