We are currently implementing a Cisco ACS self-signed certificate for PEAP-MSCHAPv2 wireless access, where we have our Cisco ACS linked to Microsoft Active Directory. So, we are distributing the certificates through GPOs.
What can the risks be, and what would make us consider having either our own CA server, or even getting external certificates?
There are two reasons a server-side certificate is used for PEAP.
Firstly, it protects the inner authentication method; in your case, it's protecting the MSCHAPv2 exchange. This is pretty secure regardless of whether you use self-signed, corporate or 3rd-party certificates.
The second reason is that it allows the client to authenticate the RADIUS server BEFORE it even thinks about beginning the MSCHAPv2 authentication process. If you're only using self-signed certificates, then it's likely the Root CA for your ACS isn't installed on your clients, and so you're not doing any checks on the identity of the RADIUS server prior to beginning MSCHAPv2. Not checking the identity of the RADIUS server leaves your clients vulnerable to man-in-the-middle and DoS attacks. If you decide to use an internal CA, then make sure your laptops all receive a copy of the internal CA, and that they are configured to check for it. If you decide to buy a 3rd-party certificate for your RADIUS server, make sure you buy a certificate that the clients already have the Root CA for.
This is the basic functionality of PEAP, and is the same on all PEAP-capable devices, including the Intel utility.