amigan_99 asked:
Cisco ACS 5.4: How to debug x.509 certificate authentication

Is there any way to debug certificate authentication on the Cisco ACS? I want to verify with certainty that one certificate is being used and not another when auth succeeds. But when I run the RADIUS report I don't see any mention of the certificate itself, although it notes X.509 authentication was used. Thank you.

Also is there a way to debug certificate auth on a Windows 7/10 system? Or on Mac?
arnold replied:

If I'm not mistaken, RADIUS authenticates the username/password provided by the user; the certificate is used to establish the initial secure tunnel, which is established first, before any user credentials (X user), presumably.

Your organization has an internal CA?
Try with a test user. Make sure their connection works, then suspend their certificate and see if they still are able to connect.

Look at the user certificate store (certicates.msc on Windows) and at the user's personal certificates.

Have you had a chance to look at Cisco.com VPN using certificates? Debugging?
amigan_99 (asker) replied:
Thank you for the reply. Our use case is users attaching to WiFi using EAP-TLS. The company changed from using the root CA from one department to another, so clients have both certificates, or one, or none. Some people are having no problems attaching to the new SSID with EAP-TLS and others are having problems. It would help if there was some way I could see logging that included some details about the certificates that are being offered and accepted/matched.
ASKER CERTIFIED SOLUTION
arnold replied:
The client connecting to WiFi requires a client cert issued from the same CA as the local cert installed on the Cisco ACS server.
Ok, does that mean the system must be a member of the domain? Or does the user have to request and obtain a computer certificate to be installed in the computer certificate store?
Does the computer certificate store have the ca issued certificate available in the personal folder?

What is your normal/defined process to authorize a system to connect?
Thank you much.
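The store check arnold describes can be scripted. As an added example, not code from this thread, the following PowerShell (3.0 or later) lists client-authentication certificates in the user and computer personal stores, builds each certificate's chain, and reports which root CA it chains to, so you can see whether the old or new CA's certificate is the one the supplicant can offer; $ExpectedRootThumbprint is an assumed placeholder for the root CA that the ACS server certificate chains to.

```powershell
# Added example, not code from the thread. Lists EAP-TLS-capable client
# certificates in the user and computer personal stores and reports which
# root CA each one chains to.
# Assumption: $ExpectedRootThumbprint is the thumbprint of the root CA that
# the ACS server certificate chains to (placeholder, replace before use).
$ExpectedRootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ekuExt) { return $true }   # no EKU extension: usable for any purpose
    return [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

foreach ($storePath in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Write-Host "== $storePath =="
    Get-ChildItem -Path $storePath |
        Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku $_) } |
        ForEach-Object {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Revocation is skipped here; this check is only about which CA issued the cert.
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($_)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            [PSCustomObject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
                ChainOK    = $chainOk
                RootCA     = $root.Subject
                MatchesACS = ($root.Thumbprint -eq $ExpectedRootThumbprint)
            }
        } | Format-Table -AutoSize
}
```

A client whose only private-key certificate shows MatchesACS false, or ChainOK false because the new root is not in its trusted roots, is the kind of machine that fails on the new SSID while others succeed.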