A bit of a late reply.
No need for a certificate on the controller. The trust is between the client and the radius server (Clearpass in this case). The only certificate you may need is for the via profile download (normal ssl/https certificate), but you can run without. You will get a certificate validation warning when downloading the VIA profile and using the default or no certificate.
The role assigned in the via auth-profile needs to refer to a via connection-profile which has ikev2 enabled and ikev2auth set to eap-tls.
The connection profile also needs an auth-profile which contains the right radius server group.
If no auth-profile is present in the connection-profile, it uses the default auth-profile, which by default authenticates to the controller's internal db and not to your radius server.
Below is a config snippet summarizing the above:
user-role eaptls-via-role
    pool l2tp via-pool
    via "EAP-TLS"
    access-list session allowall
aaa authentication via auth-profile "EAP-TLS"
    default-role "eaptls-via-role"
    server-group "lab-vpn"
    no cert-cn-lookup
{ The server-group "lab-vpn" is a group containing the radius/Clearpass server(s) }
aaa authentication via connection-profile "EAP-TLS"
    server addr "12.34.56.78" internal-ip 10.0.0.1 desc "VIA" position 1
    auth-profile "EAP-TLS" position 1
    tunnel address 192.168.2.0 netmask 255.255.255.0
    split-tunneling
    ikev2-proto
    ikev2auth eap-tls
On Clearpass you need to add the VIA controller as a Device using the right Radius shared secret.
You can use a standard EAP-TLS service (e.g. the EAP-TLS template for wireless), but the NAS-Port-Type is different for a VPN connection.
For VPN, the NAS-Port-Type = Virtual (5).
Clearpass needs to trust the CA issuing the client certificates. Add the trust chain of the CA signing the Client certificates to the Clearpass trust list.
And of course clients need to trust the Radius/Clearpass certificate.
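As an added example (not part of the reply above), a small Python check that parses a snippet like the one in the post and follows the chain it describes: the via auth-profile's default role must point at a connection-profile with ikev2-proto and ikev2auth eap-tls, and that connection-profile must name an auth-profile carrying a RADIUS server-group, otherwise authentication quietly falls back to the default profile and the controller's internal DB. The sample config is constructed from the snippet; the function names are mine and not an ArubaOS or Clearpass API.

```python
# Constructed sample: the snippet from the post, sub-commands indented as ArubaOS prints them.
SAMPLE_CONFIG = """
user-role eaptls-via-role
    via "EAP-TLS"
aaa authentication via auth-profile "EAP-TLS"
    default-role "eaptls-via-role"
    server-group "lab-vpn"
    no cert-cn-lookup
aaa authentication via connection-profile "EAP-TLS"
    server addr "12.34.56.78" internal-ip 10.0.0.1 desc "VIA" position 1
    auth-profile "EAP-TLS" position 1
    ikev2-proto
    ikev2auth eap-tls
"""

def parse_blocks(text):
    """Map each unindented command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip().replace('"', "")  # quoting is optional in ArubaOS
        if raw[0] not in " \t":
            current = blocks[line] = []
        else:
            current.append(line)
    return blocks

def first_arg(lines, keyword):
    return next((l.split()[1] for l in lines if l.startswith(keyword + " ")), None)

def check_via_eap_tls(text):
    """Walk auth-profile -> default-role -> connection-profile -> auth-profile -> server-group."""
    blocks, findings = parse_blocks(text), []
    for head, lines in blocks.items():
        if not head.startswith("aaa authentication via auth-profile "):
            continue
        role = first_arg(lines, "default-role")
        conn = first_arg(blocks.get(f"user-role {role}", []), "via")
        if conn is None:
            findings.append(f"{head}: default-role {role} references no via connection-profile")
            continue
        cl = blocks.get(f"aaa authentication via connection-profile {conn}", [])
        if "ikev2-proto" not in cl or "ikev2auth eap-tls" not in cl:
            findings.append(f"connection-profile {conn}: IKEv2 with ikev2auth eap-tls not enabled")
        auth = first_arg(cl, "auth-profile")
        if auth is None:
            findings.append(f"connection-profile {conn}: no auth-profile, so the default one (internal DB) is used")
        elif first_arg(blocks.get(f"aaa authentication via auth-profile {auth}", []), "server-group") is None:
            findings.append(f"auth-profile {auth}: no RADIUS server-group")
    return findings  # empty list means the chain is consistent
```

Run it against the output of `show running-config` with the VIA-related blocks pasted in; any finding points at the exact profile that needs fixing.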