I have a quick question: does the user PC need to be joined to the domain first so that the ACS will validate the CA?
Correct Answer by zhenningx about 8 years 12 months ago
This link explains why you need machine authentication and why PEAP requires the PC to be joined to the domain:
Hope it helps!