Those are user certificates. The user is part of the group in the AD as specified in the remote access policy. I am stuck in the part where the controller is supposed to send the Authorization to the Radius.
The 6.1 user guide says that:
"The client certificate is verified on the controller (the client certificate must be signed by a known CA) before the user name is
checked on the authentication server."
What is going on between the controller and the radius? If the controller termination is not used, the authentication happens between the Supplicant and the Authentication Server without any problem.