Hi Elia,
It depends on the EAP type that you use. In this lesson, you can see this checkbox on the RADIUS server:
The RADIUS server generated a certificate and when the client connects, it checks the server certificate to see if it’s talking to the correct server. The client then sends a username/password to authenticate the client.
EAP-TLS allows you to use client certificates which is very safe, but does take time to setup (you need a client certificate for each user or device). I don’t have an example for AAA on a switch but I do have something for Wireless. Take a look at these examples:
I manually imported the client certificate on those devices, that’s great for a lab but a pain for production networks. There are solutions that allow you to generate and auto-enroll client certificates automatically.
Rene