If you don't want to add the certificate manually, you'll need to get a public CA-signed EAP server certificate.
Please keep in mind that using PEAPv0/EAP-MSCHAPv2 with unconfigured clients puts your user's credentials in jeopardy as this EAP method is highly susceptible to man-in-the-middle attacks with unconfigured clients.