I nearly have this working!
ClearPass is saying it doesn't know about the TPM issuing CA.
EAP-TLS: Cannot get certificate of issuer /DC=com/DC=arubanetworks/DC=dc-device-ca5/CN=device-ca5 to check the client certificate status.
Detailed logs show:
2020-06-12 17:36:21,438 [Th 42 Req 411 SessId R00000024-01-5ee31450] INFO RadiusServer.Radius - --> subject = /CN=CKXXXXXXXX::40:e3:d6:xx:xx:xx
2020-06-12 17:36:21,438 [Th 42 Req 411 SessId R00000024-01-5ee31450] INFO RadiusServer.Radius - --> issuer = /DC=com/DC=arubanetworks/DC=dc-device-ca5/CN=device-ca5
2020-06-12 17:36:21,438 [Th 42 Req 411 SessId R00000024-01-5ee31450] INFO RadiusServer.Radius - --> verify return:0
I have enabled the below cert in the ClearPass trust list for 'EAP' and 'Aruba Infrastructure':
CN=Aruba Networks Trusted Computing Root CA 1.0,C=US,O=Aruba Networks,OU=Operations,OU=DeviceTrust
Packet capture shows the client certificate with the correct trust chain: