But in this situation, how clients will find that provided certificate really belongs to this radius server?
After all, neither the controller nor the customers do not know the FQDN of radius server.
Or clients do not make such check?
Now I have installed the certificate with these fields:
CN clearpass-cluster
SAN IP:10.0.0.1,IP:10.0.0.2,IP:10.0.0.3,DNS:name1.org,DNS:name2.org,DNS:cluster-name.org
And win7-8 clients can't connect until you remove the option "Validate server certificate".