Add SASL EXTERNAL
When CertFP is used as authentication mechanism, there is still a race condition. SASL EXTERNAL will, just like regular SASL, make the client authenticated during the connection registration.
Auto Identify settings, another checkbox should be added (only enabled when a certicate has been added to the identity used for this network), which would enable SASL EXTERNAL, then during the connection registration, after the sasl cap has been ack'ed, 'AUTHENTICATE EXTERNAL' should be sent.
For starters SASL PLAIN and EXTERNAL can be mutually exclusive, but ideally PLAIN would be used as fallback should EXTERNAL fail.