I've been reading other community posts and using advice from Joseph and Tim but I can't quite seem to achieve my goal of using the internal RADIUS server on a single RAP-109 along with a CA issued certificate so that my clients don't receive the un-trusted security message (iOS) or the Windows security alert (Windows 7 workgroup machine screenshot attached) upon connecting to the WPA-2 Enterprise secured network.
Must you always pre-install a certificate (either manually or Group Policy, etc.) on all your clients before connecting them to 802.1X network in order to avoid these alerts or is it possible to somehow use the default root CA's in the OS or device trust store to verify the IAP's certificate?