Certificates and 802.1X on clients

I'm having some difficulty tracking down info on how certificates work with 802.1X on Mac OS X clients. Specifically, is there any way — without modifying the X509Anchors keychain (with the system's root certificates) before connecting — to have certificates chained to a root CA in such a way that users are not prompted to accept any intermediate certs and the leaf cert (a FreeRADIUS server, in this case)? Any help or pointers would be appreciated. Thanks!