No, we didn't have to add a trusted certificate. You just need to make sure that the identity certificate is set to the AD certificate (if you're bound, that is, and you're getting the cert from the CA in the same config).
What certificate are you using for authentication? Are you using a machine certificate from the CA? Or do you guys have one cert that you are deploying for 802.1x?
How far along in the process are you getting? Is the cert making it to the machine?
In our configuration profile for 802.1x we have 2 payloads.
One is the AD certificate; we use a machine cert issued by the CA. The other is the Network payload (under the trust settings we are using an AD account that has access to network resources and using the AD certificate as the identity certificate).
@LovelessinSEA So we configured the network payload for PEAP and TTLS, MSCHAPv2 with the relevant Wi-Fi settings and ticked "use directory authentication". Then we uploaded the Root CA to the certificate payload and then added that to the trust section of the network payload. It worked straight away. The only niggle I have is getting the proxy settings correct - if you leave the WAN and rejoin without logging on from cold, Smoothwall IDex doesn't like it!!!!