I then verified that the only way for a windows computer to connect to this is to uncheck the "verify the server's identity by validating the certificate" option while manually adding the profile. I just deployed a setup very similar to this last week, to provide Internet access to a week-long campground event.
Choose a wireless network validating identity Free phone hookup dating in fredricksburg va
The disadvantages of the first two options is that it opens your 802.1X scheme up to Mi TM attacks.
I could conceivably build my own RADIUS server and intercept your user's AD credentials.
From a security standpoint the best option is setup a captive portal.
Students can use their BYOD devices to connect and reach the portal, pass their user authentication credentials to the portal and the portal can then talk to the RADIUS server.
In turn the signing certificate authority's public key will be distributed to clients, either through GPOs, Active Directory Certificate Services or it was included by Microsoft in the Trusted Root Certification Authority repository.