So I've set up this EAP-TLS SSID and have the right certificates installed on the client devices and controller. Testing with a user, I see that he's not able to connect on his iPhone. This is what I see in show auth-tracebuf:
Feb 16 12:29:38 station-up * aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap - - wpa2 aes
Feb 16 12:29:38 station-term-start * aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap 50 -
Feb 16 12:29:38 client-cert -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof 1261 3995
Feb 16 12:29:38 client-cert -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof 1270 3995
Feb 16 12:29:38 client-cert -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof 1270 3995
Feb 16 12:29:38 client-cert -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof 194 3995
Feb 16 12:29:38 client-cert verified * aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap - -
Feb 16 12:29:38 cert-signature-verify -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - - verified
Feb 16 12:29:38 client-finish -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - -
Feb 16 12:29:38 server-finish <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - 61
Feb 16 12:29:38 server-finish-ack -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - -
Feb 16 12:29:38 user-validate-req -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap - -
Feb 16 12:29:38 user-validate-failed <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/Internal - -
Feb 16 12:29:38 eap-failure <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - 4
What I want to know is why despite the right certificates, the controller needs to verify the client with the internal database? After seeing this message, I created a manual entry in the internal DB for this user and then it starts working! Why should I even need to do this? Can someone please explain?
Feb 16 12:44:23 user-validate-success <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/Internal - -
Feb 16 12:44:23 eap-success <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - 4
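An added example (not from the original post or from Aruba) that parses lines in this auth-tracebuf layout and reports whether a failed attempt stopped at the TLS client-certificate check or at the later user lookup against the named server (here "Internal"); the sample lines are constructed from the ones above, with placeholder MACs.

```python
from typing import Dict, List

# Constructed samples in the "show auth-tracebuf" layout from the post (MACs are placeholders).
FAILED_ATTEMPT = """\
Feb 16 12:29:38 station-up * aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap - - wpa2 aes
Feb 16 12:29:38 client-cert -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof 1261 3995
Feb 16 12:29:38 client-cert verified * aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap - -
Feb 16 12:29:38 cert-signature-verify -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - - verified
Feb 16 12:29:38 user-validate-req -> aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap - -
Feb 16 12:29:38 user-validate-failed <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/Internal - -
Feb 16 12:29:38 eap-failure <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - 4
"""
SUCCESSFUL_ATTEMPT = """\
Feb 16 12:44:23 client-cert verified * aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap - -
Feb 16 12:44:23 user-validate-success <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/Internal - -
Feb 16 12:44:23 eap-success <- aa:bb:cc:dd:ee:ff ap:ap:ap:ap:ap:ap/TEST-SSID-dot1x_prof - 4
"""

DIRECTIONS = {"*", "->", "<-"}  # the marker that separates the event name from the station MAC

def parse_tracebuf(text: str) -> List[Dict[str, str]]:
    """Split each line into timestamp, event, direction, station MAC, BSSID, context and trailing fields."""
    events = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6:
            continue
        # The event name can span two words ("client-cert verified"); it ends at the direction marker.
        i = next((k for k in range(3, len(tok)) if tok[k] in DIRECTIONS), None)
        if i is None:
            continue
        bssid, _, ctx = tok[i + 2].partition("/")  # "bssid/profile-or-server" -> context after the slash
        events.append({"ts": " ".join(tok[:3]), "event": " ".join(tok[3:i]), "dir": tok[i],
                       "sta": tok[i + 1], "bssid": bssid, "ctx": ctx, "rest": tok[i + 3:]})
    return events

def diagnose(text: str) -> str:
    """Classify how far an EAP-TLS attempt got: the TLS client-cert check vs. the user lookup after it."""
    ev = parse_tracebuf(text)
    names = [e["event"] for e in ev]
    if "eap-success" in names:
        return "success"
    tls_ok = "client-cert verified" in names or any(
        e["event"] == "cert-signature-verify" and "verified" in e["rest"] for e in ev)
    failed = next((e for e in ev if e["event"] == "user-validate-failed"), None)
    if failed is not None:
        server = failed["ctx"] or "unknown-server"  # the server that rejected the user, e.g. "Internal"
        return f"cert-ok-user-lookup-failed:{server}" if tls_ok else f"user-lookup-failed:{server}"
    return "no-user-validation-attempted" if tls_ok else "tls-incomplete"
```

Run against the failed attempt it reports that the certificate was accepted and the lookup against "Internal" is what rejected the user, which is the step the manual database entry then satisfied.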