wpa_supplicant not authenticating correctly with EAP-PEAP #9836

Closed
masscream opened this issue May 5, 2022 · 1 comment

@masscream

Hello, thanks for your hard work. I've been using this tutorial to authenticate my router onto an 802.1X network to function as a wireless AP. It was working OK until I upgraded from 19 to 21. It looks like an issue with wpa_supplicant authenticating with the FreeRADIUS server. Let me provide you with the logs below.

RADIUS before (v19)

(31) eap: Peer sent EAP Response (code 2) ID 3 length 6
(31) eap: Continuing tunnel setup
(31)       [eap] = ok
(31)     } # else = ok
(31)   } # authorize = updated
(31) Found Auth-Type = eap
(31) # Executing group from file /etc/raddb/sites-enabled/default
(31)   authenticate {
(31) eap: Expiring EAP session with state 0xeaefc6dfe8ecdf1b
(31) eap: Finished EAP session with state 0xeaefc6dfe8ecdf1b
(31) eap: Previous EAP request found for state 0xeaefc6dfe8ecdf1b, released from the list
(31) eap: Peer sent packet with method EAP PEAP (25)
(31) eap: Calling submodule eap_peap to process data
(31) eap_peap: Continuing EAP-TLS
(31) eap_peap: Peer ACKed our handshake fragment
(31) eap_peap: [eaptls verify] = request
(31) eap_peap: [eaptls process] = handled
(31) eap: Sending EAP Request (code 1) ID 4 length 707
(31) eap: EAP session adding &reply:State = 0xeaefc6dfe9ebdf1b
(31)     [eap] = handled
(31)   } # authenticate = handled
(31) Using Post-Auth-Type Challenge

RADIUS after (v21)

(9) eap: Peer sent EAP Response (code 2) ID 1 length 6
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9)       [eap] = updated
(9)     } # else = updated
(9)   } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0x5d84d1095d85c842
(9) eap: Finished EAP session with state 0x5d84d1095d85c842
(9) eap: Previous EAP request found for state 0x5d84d1095d85c842, released from the list
(9) eap: Peer sent packet with method EAP NAK (3)
(9) eap: Peer NAK'd indicating it is not willing to continue 
(9) eap: Sending EAP Failure (code 4) ID 1 length 4
(9) eap: Failed in EAP select
(9)     [eap] = invalid
(9)   } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject

OpenWrt after

root@openwrt:~# wpa_supplicant -D wired -i eth0.1 -c /etc/config/wpa.conf
Successfully initialized wpa_supplicant
eth0.1: Associated with xx:xx:xx:xx:xx:xx
eth0.1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
eth0.1: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0.1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
TLS: suffix_match not supported
TLS: Failed to set TLS connection parameters
EAP-PEAP: Failed to initialize SSL.
eth0.1: EAP: Failed to initialize EAP method: vendor 0 method 25 (PEAP)

The device is

Model	TP-Link Archer C20 v1
Architecture	MediaTek MT7620A ver:2 eco:6
Target Platform	ramips/mt7620
Firmware Version	OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.083.69138-0a0ce2a
Kernel Version	5.4.188

wpa_supplicant in 19: wpa_supplicant v2.9
wpa_supplicant in 21: wpa_supplicant v2.10-devel

@masscream

Replacing wpad with wpad-openssl fixed the issue.
