glad it's working!!! happy to assist :-)
getting 802.1X to work is not "hard", but there are many components to make work together making it hard sometimes.
manui31804 asked: "Is it possible to force user to use certificate when he's connected on a supplicant switch?"
Yes, you should be able to configure the 2nd switch (supplicant configured switch) just like the 1st switch...define the 2nd switch as a RADIUS client, configure switch#2 with RADIUS and 802.1X support for the user ports, etc...
If the 2nd switch does not support 802.1X, then on the port on switch#1 that switch#2 connects to, define how many mac addresses you want it to allow (1-32) for 802.1X authentication and then when a new supplicant sends it's EAP traffic, switch#1 will simply forward that request through - but, when doing this, after the first user (switch#2 in this case) gets authenticated, then all subsequent users must assigned into the same VLAN as the switch#2 user is - you cannot have multiple authenticated users in different untagged VLANs on the same port - this is the value of the first option - each user gets separately authenticated and can be assigned their own VLAN id from RADIUS.
hth...Jeff
ps, I did a presentation 2 weeks ago at Sharkfest'10 on troubleshooting 802.1X titled: Network Access Security - It's Broken, Now What? the presentation is posted at:
http://www.cacetech.com/sharkfest.10/in addition, many of the presentations done were video'd (including mine :-) see them at:
http://www.lovemytool.com/blog/2010/06/
