Only clients that had not disconnected from the network were still able to access it.
This only happens with the 802.1X SSID (staff) and not with the PSK SSID (for guests).
Not an ideal setup but your department will need to do the risk analysis.
If you do go this route, make sure you document for CYA purposes.
I would take that to mean that you cannot use a direct IP address to get at your RADIUS server, lest the certificate not be able to validate.
technet.microsoft.com/en-us/library/cc731363(v=ws.10)
You need to distribute your RADIUS server's certificate (if it was self-signed) or the certificate of the Certificate Authority that signed it to your clients.
From a security standpoint the best option is to set up a captive portal.
Students can use their BYOD devices to connect and reach the portal, pass their user authentication credentials to the portal and the portal can then talk to the RADIUS server.
In production I learned pretty quickly that Windows didn't like it at all.
Eduroam is another popular choice for educational organizations.
I know this post is really old; however, this is similar to my issue, except that last week any client could connect to my wireless network and this week they cannot. The Windows/Android/iPhone clients were able to connect with 802.1X verifying against a local, Aruba-based database of one user name.
In order to enable the client to connect, we have to add the network manually and uncheck "Validate server certificate" as shown in the screenshot below.
Does anyone know of a way to avoid having to do this?