Here's my situation. I currently have 802.1x working perfectly with Microsoft IAS, but we are wanting to use ACS 4.0 due to the fact that we also need the IP Phones to authenticate as well using EAP-TLS. I have configured ACS correctly (so I think) and my machines fail every time. Here's what I've configured in ACS so far.
Installed certificate from Root CA.
Installed Root CA certificates.
I have trusted all certificates all the way up the chain to the Root (we have multiple Root CAs as well as Intermediate CAs). The only thing I'm not sure about on this one is that the certificate for ACS is given from a different CA, but both the workstation and ACS certificates' Root CA is the same.
Group Settings: IETF Radius Attributes
 Service-Type = Framed
Network Configuration: AAA Client is authenticating using Radius (IETF)
AAA Server Type is RADIUS (can I Cisco ACS???)
System Configuration: Global Authentication Setup - Allow EAP-TLS - Cert CN comparison
External User Database: Windows Database - Selected our Domain
Enable EAP-TLS machine authentication (host/)
Database Group Mappings: NTGroups - Have AD security group selected that host machines are in, CiscoSecureGroup Default
This is where I get a little confused. I have configured our test switch to authenticate with IAS and it works great; configure it to go to the ACS server and we get nothing. I don't even get any errors or anything sent to the logs. Where am I going wrong????
Thanks for the response. I managed to get things working by using the SAN with the certificate instead of the CN. Our server received its cert from the Root CA where the workstations receive their certs from an Intermediate CA.