diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index 6a0967e48ee4..4eb363d1d8ca 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -1160,8 +1160,14 @@ PW_CODE eap_fast_process(eap_session_t *eap_session, tls_session_t *tls_session)
 /*
 * RFC 5422 section 3.5 - Network Access after EAP-FAST Provisioning
 */
- if ((t->pac.type && t->pac.expired) || t->mode == EAP_FAST_PROVISIONING_ANON) {
- RDEBUG("Rejecting expired PAC or unauthenticated provisioning");
+ if (t->pac.type && t->pac.expired) {
+ REDEBUG("Rejecting expired PAC.");
+ code = PW_CODE_ACCESS_REJECT;
+ break;
+ }
+
+ if (t->mode == EAP_FAST_PROVISIONING_ANON) {
+ REDEBUG("Rejecting unauthenticated provisioning");
 code = PW_CODE_ACCESS_REJECT;
 break;
 }
@@ -1177,8 +1183,9 @@ PW_CODE eap_fast_process(eap_session_t *eap_session, tls_session_t *tls_session)
 eap_add_reply(request, "EAP-EMSK", t->emsk, EAP_EMSK_LEN);
 break;
+
 default:
- RERROR("no idea! %d", t->stage);
+ RERROR("Internal sanity check failed in EAP-FAST at %d", t->stage);
 code = PW_CODE_ACCESS_REJECT;
 }
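Review bot: After the split in the first hunk, the RFC 5422 section 3.5 comment sits only above the expired-PAC check, and the new `if (t->mode == EAP_FAST_PROVISIONING_ANON)` block that denies access after anonymous provisioning has no comment of its own. I would add `/* Unauthenticated (anonymous) provisioning never results in network access */` above it, so a later cleanup does not mistake the check for a leftover and remove it. The two REDEBUG strings are also inconsistent: `"Rejecting expired PAC."` ends with a period and `"Rejecting unauthenticated provisioning"` does not, and one form would keep log-matching rules for these rejects simpler. The enclosing case in eap_fast_process starts and ends outside the hunk, so whether anything was already added to the reply before these rejects cannot be checked from here.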