Remember that if they plan on deploying any windows 8.1 devices in the future the cert must have the id-kp-eapoverlan.
From the help in CPPM.
"
The RADIUS server certificate is used by ClearPass to secure authentication traffic. The HTTPS server certificate is used by ClearPass to secure web traffic. They can be configured in Policy Manager under Administration » Certificates » Server Certificate.
The RADIUS server certificate need not be a certificate issued by a trusted commercial certificate authority. However if you are running ClearPass as a cluster, each server in the cluster must use a certificate signed by the same root certificate authority.
To allow Windows 8.1 devices to authenticate successfully this certificate must contain the id-kp-eapOverLAN extended key usage. ClearPass Onboard includes this when creating a "trusted" certificate, this is the recommended method of creating your RADIUS server certificate(s).
The optimal configuration for Onboard is a HTTPS server certificate issued by a trusted commercial certificate authority. A list of certificate authorities trusted by iOS devices can be found at http://support.apple.com/kb/HT5012.
Alternatively if you only wish to use a single Onboard Certificate Authority then you can use that Certificate Authority to sign the server certificate. Users will then have to install the certificate as part of the provisioning process. Refer to the User Guide for more information.
For testing purposes you can disable the requirement for HTTPS on the Authentication configuration page. However this is an insecure configuration that should not be used in a production environment."
One other option for your client is to also use Quick Connect to configure the PEAP devices.