We are perfectly willing to buy a certificate from Verisign, Thawte, etc. if it will help, but have tried our Comodo wildcard SSL certificate, which hasn't fixed it.
These machines belong to the end users so we can't easily control settings with group policy or registry hacks.
If a self-signed certificate (or any certificate from an untrusted CA) is in use, most clients will reject the connection since they cannot validate the server's identity.
A fundamental component of RADIUS is a client's validation of the RADIUS server's identity.
This is accomplished by hosting a certificate on the RADIUS server that has been validated by a trusted Certificate Authority (CA).
If you do go this route, make sure you document for CYA purposes.
From a security standpoint the best option is to set up a captive portal.
In production I learned pretty quickly that Windows didn't like it at all.
To avoid all this trouble, in the next iteration (i.e.
I don't know how you generated your public and private key-pair for your RADIUS server but generally speaking it will either be self-signed or signed by a certificate authority.
In turn the signing certificate authority's public key will be distributed to clients, either through GPOs or Active Directory Certificate Services, or because it was included by Microsoft in the Trusted Root Certification Authorities repository.
I could conceivably build my own RADIUS server and intercept your users' AD credentials.