Hi Herman,
Thanks for your interest. About the second point:
You can, similar to when the certificate is not on the AP, (pre)configure your client with the CA that issued the AP/RADIUS-server certificate and the proper certificate validation.
What CA should my client trust? I don't know which certificate the AP uses for EAP; it has many (Default Server Certificate, Current CP Server Certificate and Device Certificate). Look at this:
P4-W04# show cert all
Default Server Certificate:
Version :3
Serial Number :01:DA:52
Issuer :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Subject :/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com
Issued On :May 11 01:22:10 2011 GMT
Expires On :Aug 11 04:40:59 2017 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits
Version :3
Serial Number :02:36:D2
Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Issued On :Feb 26 21:32:31 2010 GMT
Expires On :Feb 25 21:32:31 2020 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits
Version :3
Serial Number :02:34:56
Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Issued On :May 21 04:00:00 2002 GMT
Expires On :May 21 04:00:00 2022 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits
Current CP Server Certificate:
Version :3
Serial Number :0D:18:23:89:16:76:A4:13:92:D9:3E:EA:03:DE:DD:18
Issuer :/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
Subject :/C=US/ST=California/L=Palo Alto/O=Hewlett Packard Enterprise Company/OU=Aruba Networks/CN=securelogin.hpe.com
Issued On :Feb 12 00:00:00 2018 GMT
Expires On :Feb 13 12:00:00 2019 GMT
Signed Using :SHA256-RSA
RSA Key size :2048 bits
Version :3
Serial Number :03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
Issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
Subject :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
Issued On :Aug 1 12:00:00 2013 GMT
Expires On :Jan 15 12:00:00 2038 GMT
Signed Using :SHA256-RSA
RSA Key size :2048 bits
Version :3
Serial Number :0C:8E:E0:C9:0D:6A:89:15:88:04:06:1E:E2:41:F9:AF
Issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
Subject :/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
Issued On :Aug 1 12:00:00 2013 GMT
Expires On :Aug 1 12:00:00 2028 GMT
Signed Using :SHA256-RSA
RSA Key size :2048 bits
Device Certificate:
Version :3
Serial Number :21:8F:5B:7C:00:00:00:03:8B:74
Issuer :/UID=com/UID=arubanetworks/UID=devicesign/CN=Aruba Networks Trusted Computing Issuing CA 2
Subject :/CN=CNDQHN725W::20:a6:cd:cb:5c:de
Issued On :Aug 18 12:43:59 2017 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA256-RSA
RSA Key size :2048 bits
P4-W04#
The issuers are GeoTrust, DigiCert and Aruba Networks. Which one?
Regards,
Julián
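
An added example, not part of the original post and not Aruba code: a parser for CLI output in the layout shown above. It follows issuer/subject links within each named section (the listing is not always in chain order) and reports the CA that anchors that section's chain and which certificates are past expiry. The sample input, its DNs and the function names are constructed for illustration, and the script does not determine which section the AP presents for EAP.

```python
from datetime import datetime
# Constructed sample in the layout of the `show cert all` output above (placeholder DNs).
SAMPLE = """\
Default Server Certificate:
Version :3
Issuer :/O=Example/CN=Example Issuing CA
Subject :/O=Example/CN=login.example.net
Expires On :Aug 11 04:40:59 2017 GMT
Version :3
Issuer :/O=Example/CN=Example Root CA
Subject :/O=Example/CN=Example Root CA
Expires On :May 21 04:00:00 2022 GMT
Version :3
Issuer :/O=Example/CN=Example Root CA
Subject :/O=Example/CN=Example Issuing CA
Expires On :Feb 25 21:32:31 2020 GMT
Device Certificate:
Version :3
Issuer :/CN=Example Device Issuing CA
Subject :/CN=SERIAL0001::00:00:5e:00:53:01
Expires On :Sep 14 03:21:14 2032 GMT
"""

def parse_show_cert(text):
    """Group certs by section header; each 'Version' line starts a new cert."""
    sections, certs = {}, None
    for line in filter(lambda ln: ":" in ln, text.splitlines()):
        key, _, value = (p.strip() for p in line.partition(":"))
        if not value:                       # e.g. "Device Certificate:"
            certs = sections.setdefault(key, [])
        elif key == "Version" and certs is not None:
            certs.append({key: value})
        elif certs:
            certs[-1][key] = value
    return {name: c for name, c in sections.items() if c}

def trust_anchors(sections, now):
    """Per section: leaf subject, DN of the CA anchoring its chain, expired subjects."""
    out = {}
    for name, certs in sections.items():
        by_subject = {c["Subject"]: c for c in certs}
        issuers = {c["Issuer"] for c in certs if c["Issuer"] != c["Subject"]}
        leaf = cur = next(c for c in certs if c["Subject"] not in issuers)
        while cur["Issuer"] != cur["Subject"] and cur["Issuer"] in by_subject:
            cur = by_subject[cur["Issuer"]]  # follow issuer links, not listing order
        expired = [c["Subject"] for c in certs if datetime.strptime(
            c["Expires On"], "%b %d %H:%M:%S %Y GMT") < now]
        out[name] = {"leaf": leaf["Subject"], "anchor": cur["Issuer"],
                     "anchor_in_bundle": cur["Issuer"] == cur["Subject"], "expired": expired}
    return out
```

Call `trust_anchors(parse_show_cert(output), datetime.utcnow())` on the pasted CLI output; a section with `anchor_in_bundle` false names an issuing CA whose certificate is not in the listing.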