When you have "Validate Server Certificate" selected, you need to check which cert you want validated. If it isn't there, then you have to add it. Basically you are telling the utility to verify the certs you checked.
Q.1 Using PEAP-MSCHAPv2 and not selecting "Validate Server Certificate", I can still connect to the WLAN. Is this a secure connection (encrypted)?
Q.2 I'm using Win 2003 Standard Edition to create the CA, but according to Microsoft the minimum is a certificate issued by an enterprise certification authority (CA). So do I need Win 2003 Enterprise Edition for the CA?
Yes... not selecting "Validate Server Certificate" is still secure; the certificate is used to encrypt the rest of the authentication process. As for the CA issue, you need an Enterprise CA to issue the certificate that will be installed on your RADIUS server.
The PEAP-MSCHAPv2 auth process is only one way: the server validates the client's user credentials, but the client does not validate the server. If you don't require the client to validate the server's CA cert, then you can't be sure that the 802.1X auth packets you are receiving have been signed by your server.
The scenario is that you bring your laptop to Starbucks and I am there with a 'honeypot' AP wireless card. Your laptop automatically tries to connect to your corporate SSID, my laptop says 'here you are', you send your 802.1X credentials, my laptop says 'yeah, whatever', you auth to my laptop, get an IP address, and I issue attacks against your open shares or the vulnerabilities on your laptop (which you *DO* have).
Moral of the story: *always* select 'Validate Server Certificate' on the client when using one-way trusted PEAP-MSCHAPv2.
And so we are on the same page: *any* certificate authority can create the cert; it does not need to be the domain controller. That is just a more complicated scenario, because you need MS-IAS or Cisco-ACS to use that cert and MS-AD needs to trust that cert. I bring this up for completeness.
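The honeypot scenario above comes down to one client-side setting, so it is worth being able to audit it across a fleet rather than eyeballing the dialog. The following is an added example, not code from anyone in this thread: a Python script that reads a profile exported with `netsh wlan export profile name="..." folder=.` and reports whether PEAP server validation is on, whether a specific root CA is pinned, whether the RADIUS server name is restricted, and whether the user can click through an unknown certificate. The element and namespace names follow the MsPeap profile schema as I know it from such exports; treat them as an assumption and compare against your own export. The two profiles built inside the script are constructed test input, and the CA thumbprint in them is a placeholder.

```python
"""Audit exported Windows WLAN profiles for PEAP-MSCHAPv2 server validation settings.

Added example (not from the original thread). Feed audit_peap_profile() the XML
produced by `netsh wlan export profile`. Element/namespace names are assumed from
the MsPeap profile schema; verify them against a real export before relying on this.
"""
import xml.etree.ElementTree as ET

# Namespaces seen in netsh profile exports (assumption: check against your own file).
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap1": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}
PEAP_TYPE = "25"  # IANA EAP method type for PEAP


def _is_true(text):
    return (text or "").strip().lower() == "true"


def audit_peap_profile(xml_text):
    """Return (profile_name, findings). An empty findings list means the client
    validates the RADIUS server certificate against a pinned root and server name."""
    root = ET.fromstring(xml_text)
    name = (root.findtext("wlan:name", namespaces=NS) or "?").strip()

    # Locate the PEAP method block (outer EAP type 25) inside the EapHostConfig.
    peap = None
    for eap in root.iter("{%s}Eap" % NS["base"]):
        if (eap.findtext("base:Type", namespaces=NS) or "").strip() == PEAP_TYPE:
            peap = eap.find("peap1:EapType", NS)
            break
    if peap is None:
        return name, ["no PEAP (EAP type 25) configuration found"]

    # This flag is the "Validate server certificate" checkbox. Off means the
    # MSCHAPv2 exchange is handed to whatever AP answers the SSID.
    perform = peap.findtext("peap1:PeapExtensions/peap2:PerformServerValidation", namespaces=NS)
    if not _is_true(perform):
        return name, ["server certificate validation OFF: credentials go to any AP announcing this SSID"]

    findings = []
    sv = peap.find("peap1:ServerValidation", NS)

    def sv_text(child):
        return (sv.findtext("peap1:" + child, namespaces=NS) if sv is not None else None) or ""

    if not sv_text("TrustedRootCA").strip():
        findings.append("no TrustedRootCA pinned: any root in the machine store is accepted")
    if not sv_text("ServerNames").strip():
        findings.append("ServerNames empty: RADIUS certificate subject is not checked")
    if not _is_true(sv_text("DisableUserPromptForServerValidation")):
        findings.append("user prompt enabled: an unknown certificate can be accepted by clicking through")
    return name, findings


def profile_xml(name, perform_validation, trusted_root_ca="", server_names="", no_prompt=False):
    """Build a minimal profile in the layout of a netsh export (constructed test input)."""
    ca = "<TrustedRootCA>%s</TrustedRootCA>" % trusted_root_ca if trusted_root_ca else ""
    return """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>%s</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>%s</DisableUserPromptForServerValidation>
            <ServerNames>%s</ServerNames>
            %s
          </ServerValidation>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">%s</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap>
    </Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>""" % (name, str(no_prompt).lower(), server_names, ca, str(perform_validation).lower())


# Constructed samples: the weak profile from the question, and a hardened one.
WEAK_PROFILE = profile_xml("CorpWiFi", perform_validation=False)
HARDENED_PROFILE = profile_xml(
    "CorpWiFi", perform_validation=True,
    trusted_root_ca="00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33",  # placeholder thumbprint
    server_names="radius.corp.example", no_prompt=True,
)

if __name__ == "__main__":
    for xml_text in (WEAK_PROFILE, HARDENED_PROFILE):
        name, findings = audit_peap_profile(xml_text)
        print(name, "OK" if not findings else "; ".join(findings))
```

On a real client, run the export for every profile (`netsh wlan export profile folder=C:\audit key=clear` is not needed; the EAP settings are exported without it) and loop over the files. A profile that only passes the first check is still exposed to a honeypot using a certificate from any public CA the machine trusts, which is why the script treats an unpinned root and an empty ServerNames as findings rather than as OK.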
To issue the cert you need an MS Enterprise server; it doesn't need to be your domain controller. You do need a RADIUS server, and it can tie into AD or not. A WLC has local EAP that you can also use, if you have a WLC.