*sigh* Don't use this configuration with wired 802.1X. As the user's identity is not protected within the tunnel, someone sitting between your machine and the switch could easily switch out identities at the start of 802.1X auth, and use it of a way of performing privilege escalation.
Hm, you should probably verify that the certificate is associated with the username provided. SQL/LDAP xlat would probably do the job. -Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html