Right, I get that.
I think if a device running Win 7 is connecting to a new SSID, PEAP secured with a cert from a CA in the list of available CAs in the Wifi profile> PEAP settigns, they will by default get the message: (see attachment)
My question is (and maybe also the OPs question): Is it possible to avoid this? If so, with what CA? This is a BYOD campus environment, so GPO and/or centralized mgmt isn't really a viable solution.