Clients need to trust the certicate used for EAP auth on the ACS server. That's either something you have to force the clients to do (GPO is handy for Windows / AD). However, if the ACS certificate came from your Windows AD CA, then the clients only need to trust the root CA (in the Trusted Root Certification Authorities). If your CA is part of the AD domain, and your clients are part of the AD domain, then this should all be automagic via the Enterprise Trust Store (as you said - no cert exporting/importing required). You might be able to manually update the Enterprise Trust Store with your CA's certificate. Google will help you out on that one (one that might help is below):
IntroductionHow to use the Wireless LAN Controller Configuration Analyzer (WLCCA)
Javier Contreras is a Senior Tech Lead for the Wireless Business Unit in Cisco, with over 2 decades of experi...
< PRE >
(#)For this reason being that : - application that doesn't use multicast, sends one copy of each packet ( data unit of traffic at layer 3 ) to each client (" who seeks the traffic ).- application that does use multicast, sends ...
Transferring Crash file from standby:
Login to the Active WLC in HA.
(Cisco Controller) >transfer upload datatype crash
(Cisco Controller) >transfer upload filename <Desired filename>
(Cisco Controller) >transfer up...