After playing around for a little while I made an interesting discovery that I have not been able to find an explanation to...

FreeRadius EAP Settings has a check box "Check Client Certificate CN" ("When enabled, the Common Name of the client certificate must match the username set in 'FreeRADIUS > Users'").

When using a certificate to authenticate, it seems to me that the certificate CN would NOT be checked against the Users database. Regardless of the users I have added, I always get error messages like below when I have that check box checked:

Nov 30 17:33:15 radiusd 1388 tls: Certificate CN (K14) does not match specified value (host/K14)! Nov 30 17:33:15 radiusd 1388 tls: TLS_accept: Error in error Nov 30 17:33:15 radiusd 1388 (4) Login incorrect (Failed retrieving values required to evaluate condition): [host/K14/<via Auth-Type = eap>] (from client SW21 port 2 cli xx-xx-xx-xx-xx-xx) host/K14 -

So far I have not been able to figure how to effectively enable the client cert. CN check.

I wonder if this is also some stupid beginner's mistake, or is this something else?

And where does this "host/" prefix come from? At least it seems to be independent of the 802.1X authentication mode in the client (User vs. computer authentication)...

When the check box is not checked, authentication with the certificate succeeds without any problems.

FWIW, Radius debug log reveals:

(2) files: users: Matched entry host/K14 at line 2 (2) [files] = ok

...so it seems that it indeed performs the check against user database where I have an entry "host/K14".