The ACS 4.x and 5.x has the option to generate the self-signed certificate which can be used for PEAP connections. If you want to use the feature called "Validate server certificate" in the client side, you only need to export the self-signed certificate and install it in the client side (PC).
If what you have is an ACS 5.x you have the option to generate the self-signed for management or EAP, in this case you need to select EAP.
If what you have is an ACS 4.x then you can skip the previous step, the same certificate should work.
That's correct, for PEAP you don't need an external CA. The ACS server is capable to generate certificates for your PEAP wired or wireless connections.
Well it's more secure to use the "Validate server certificate" option, however even though if you are not implementing this feature, the users still will need to have a valid username/password to get authenticated.