My understanding of the key points to remember with certificates when doing EAP-TLS is:
- The RADIUS server must have a certificate that is trusted by the users accessing the wireless service (subject to it not being disabled on the client). If this is an internally signed certificate, the root and intermediary certificates used must be trusted on the client device.
- The certificate being used for EAP-TLS user authentication (presented by the client) should be validated by the RADIUS server, which usually means the RADIUS server should have the signing root and any intermediary certificates trusted.
If the user in question can successfully authenticate using EAP-TLS user authentication on the wireless but not on the wired port on the RAP, it is unlikely to be certificate-related.
Hope this helps.
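
An added example, not part of the original post: the chain check that both sides of EAP-TLS perform, reproduced offline with `openssl verify` against a constructed three-tier PKI. The certificate names, file names, and the helper functions `make_demo_pki` and `chain_trusted` are assumptions made for illustration.

```shell
#!/bin/sh
# Build a constructed three-tier PKI in directory $1:
# root CA -> intermediate CA -> leaf (stands in for the RADIUS server or client cert).
make_demo_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=demo-$n" 2>/dev/null || exit 1
  done
  # Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.pem 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.pem 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -days 30 -out leaf.pem 2>/dev/null
)

# chain_trusted DIR [extra "openssl verify" options]
# Succeeds only if DIR/leaf.pem chains up to the trusted root in DIR/root.pem.
chain_trusted() {
  dir=$1; shift
  openssl verify -CAfile "$dir/root.pem" "$@" "$dir/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || exit 1

# Verifier trusts the root but has no copy of the intermediate: validation fails.
if chain_trusted "$demo_dir"; then echo "root only: trusted"
else echo "root only: NOT trusted"; fi

# Intermediate is available (installed on the verifier or supplied by the peer
# in the handshake): the chain completes and validation succeeds.
if chain_trusted "$demo_dir" -untrusted "$demo_dir/int.pem"; then echo "root + intermediate: trusted"
else echo "root + intermediate: NOT trusted"; fi
rm -rf "$demo_dir"
```

The same check applies in both directions: the client runs it against the RADIUS server certificate, and the RADIUS server runs it against the client certificate.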