By default, NAC deploys with a self-signed Certificate from an internal Certificate Authority (CA) for its RADIUS Server Certificate. Replacement of this Certificate by some external CA, and use of that external CA's Root Certificate in the client's Certificate trust store, is the most common practice. However, the Root Certificate of the NAC internal CA can be downloaded from the NAC by any SCP Client. The Root Certificate of the NAC internal CA is contained with in the /opt/nac/radius/raddb/certs/selfsigned_ca.pem
Further, the same above error can occur, if the FQDN of the NAC, including domain is not included in the certificate. So it should read for example nacx.extreme.com not just extreme.com. For more on proper setup of this, see How To Generate A Certificate Signing Request (CSR) On A NAC Appliance
The importation of the above Root Certificate is dependent upon the operating system of the client, and therefore must be left up to the on-site Systems Administrator.