...
On Linux and Android supplicants it is required to install the .ca file generated during certificate generation in order to verify the RADIUS server's identity. In case the identity presented by the RADIUS server changes at any point, the supplicant fails to connect, and re-presents the user with the prompt for network credentials. It is possible to connect without installing the .ca file, but one needs to specify "No CA certificate required" or "Do not validate". In this case the supplicant will send credentials to any RADIUS server for that SSID without verifying its identity. It is possible to avoid sending the real user name in the unencrypted outer tunnel, by specifying a different value (normally 'anonymous') in the "Anonymous identity" field.
On Mac OS, iPhone and iPhone Windows 10 supplicants, when connecting to the SSID for the first time, the server certificate's details are presented to the user and the user is asked if they want to trust the server. In case the identity presented by the RADIUS server changes at any point, the user will be prompted with a message, not containing any warning, sadly, that looks identical to the one displayed when connecting for the first time, where a user is extremely likely to press Trust once again. On Mac OS and Windows 10, it is also possible to copy the .ca file and install it, avoiding the prompt on first connect, on iPhone, this did not seem to have any effect. It seems to be possible, but greatly complicated (involving installing a software from the App Store, and using it to create a configuration profile which then needs to be saved to a file, copied and imported onto the supplicant device) on Mac OS and iPhone to configure the supplicant to not send the real user name in the unencrypted outer tunnel. On Windows 10 this seems to be easier '@@@' to verify. Windows 10 remember two certs '@@@'
Windows 10 '@@@'