I was successfully able to import a RADIUS certificate to one of my subscribers, point an 802.1x enabled switch to that server, and authenticate against it with an internal PKI signed machine cert. My only concern is in the ClearPass Onboarding certificate area, it notes the following:
"The RADIUS server certificate need not be a certificate issued by a trusted commercial certificate authority. However if you are running ClearPass as a cluster, each server in the cluster must use a certificate signed by the same root certificate authority."
My subscriber hasn't dropped, so it appears to be fine. I'm going to update the others in quick succession to use the same root CA, hopefully tomorrow. Is the above quote relevant at all, or is there a timeout where a subscriber may drop if it doesn't have a cert signed by the same CA?