I only need to authenticate using the cert - not cert plus username/password. If the IAP controller can terminate EAP-TLS and do that part of the authentication, then I wouldn't see a need for an external auth server. Theoretically, this should work, and I know it works on a mobility controller.
Based on what I posted earlier, it sounds like it should work on an IAP. I just wish I had one in front of me to test.
EAP-TLS: The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. The EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server.
Since the client will be configured to pass the cert to the IAP, I don't see why it wouldn't be able to authenticate the cert without talking to an external RADIUS server and then allow the client on the network. Again, I have this working on a mobility controller, so I assume there would be no technical reason why it wouldn't work, unless the IAPs are hard coded to only do EAP-TLS cert auth with RADIUS username/password auth following it.
What do you think?
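The check the quoted documentation describes (client cert must chain to a CA installed on the terminating device, and only then does the identity go on to the username stage) can be reproduced with plain OpenSSL. This is an added example, not the poster's or Aruba's code; the CA files, the "lab-ca" and "rogue-ca" names and the usernames are all constructed, and ca.pem stands in for the CA certificate installed on the IAP.

```shell
#!/bin/sh
# Constructed demo of the first stage of terminated EAP-TLS:
# verify the client certificate against the installed CA, then hand the
# certificate's CN to the next stage (username lookup). Nothing here talks
# to a RADIUS server; it only models the cert check done on the device.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Trusted CA, standing in for the CA certificate installed on the IAP (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 1 \
  -subj "/CN=lab-ca" 2>/dev/null
# A second CA the device does NOT trust (constructed), to show the failure path.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem -days 1 \
  -subj "/CN=rogue-ca" 2>/dev/null

# issue_client_cert ISSUER_CERT ISSUER_KEY USERNAME OUTFILE
# Creates a client key and a certificate whose CN is the username.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$4.key" -subj "/CN=$3" 2>/dev/null |
    openssl x509 -req -CA "$1" -CAkey "$2" -CAcreateserial -days 1 -out "$4" 2>/dev/null
}
issue_client_cert ca.pem ca.key alice good.pem      # signed by the known CA
issue_client_cert rogue.pem rogue.key mallory bad.pem  # signed by an unknown CA

# eap_tls_identity CERT
# Stage one: chain validation against ca.pem; a cert from any other CA is
# rejected before a username is ever looked at. On success, prints the CN
# that the username stage would receive.
eap_tls_identity() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *CN=//'
}

eap_tls_identity good.pem   # prints: alice
eap_tls_identity bad.pem || echo "bad.pem rejected: not signed by the installed CA"
```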