Planning on implementing EAP-TLS for wireless security and trying to wrap my brain around what will be lost if I use local EAP-TLS vs an external RADIUS server for authentication of the certificates. I thought I saw in some older posts (3+ years) that there is no CRL available when using the controller as the built-in RADIUS. I am running on a 3650 as the integrated WLC. If I can tidy up the wireless solution so I don't have to utilize an external RADIUS server (this would be the first necessity to have an external RADIUS server for this org) then it would be nice to keep it simple. I am planning on doing "computer only" auth for some clients, and the ability to invalidate their cert would likely push me to the external RADIUS server - I just don't know if there are any other trade-offs by using the built-in RADIUS.
I also saw that you can't specify a RADIUS server for anything else on the switch or the local built-in RADIUS won't work, but then saw conflicting info ("You can disable RADIUS authentication for a given WLAN by using “ wlan_id” CLI command.") at this great page http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/ but don't know if this is true or not either. I would like to know if I am locking myself into never having an external RADIUS server if I go down the local EAP-TLS path.