So the critical thing is to ensure that the client properly validates the RADIUS server. This is done via trusted certificates, deployed either by the client platform vendor and PKI systems such as Entrust, Thawte, Verisign and others, or by network administrators using tools such as Microsoft Group Policy Objects, Apples Lion Server Profile Manager for OS X clients or iPhone Configuration Utility for iOS clients.
What vonNagy then focuses on is enabling Microsoft and Apple clients to accept specific trusted certificates and no others, while at the same time blocking them from manually accepting untrusted certificates. For example, when an Apple iPhone tries to associate to a Wi-Fi access point -- and no profile has been deployed to the client for that SSID -- the user receives an onscreen prompt that declares the server as not verified but then offers a button to accept the connection and proceed anyway.
This is likely not ideal, since users typically have a hard time distinguishing what a certificate means and whether or not they should proceed, vonNagy says, with classic understatement.
Instead, for corporate networks with 802.1X authentication deployed, all clients including personally owned devices, should be loaded with a profile for each 802.1X SSID that the user will need, vonNagy recommends. Then, if the client is presented with an untrusted certificate, the connection will be rejected automatically. On the iPhone, for example, a popup informs the user Unable to join Network Aruba1X and presents only a Dismiss button to cancel the popup.
Don't fall into the trap for BYOD of letting users connect on their own and try to decipher the certificate prompt, vonNagy warns. Establish a sound personal device on-boarding process which deploys a configuration profile to the device upon successful enrollment and policy acceptance. There are numerous ways to do this, ranging from simple solutions such as sending them a profile in an email or providing a web URL where users can download the profile, to more complex solutions such as MDM integration that allow self-registration and zero IT involvement.