My suggestion is to use the test certs (so you don't care about secrecy), and then use Wireshark. You can pass it the certs and passwords, then it will decode all of the TLS data for you. That will tell you exactly what's going on behind the scenes. I am using the test certs as generated by ./bootstrap. I am having trouble finding the right instructions for setting up Wireshark to decode EAPOL-TLS (over LAN, not WIFI). If you could provide some guidance, that would be much appreciated.
With whatever I have tried, wireshark always complains about the .pem files, passwords, etc. I have tried this: Wireshark -> Edit -> Preferences -> Protocols -> TLS -> RSA keys list [Edit...] -> ip any, port 0, protocol data, key file ca.pem, password <nothing>, but wireshark pops up an error dialog stating "Can't load private key from ca.pem: can't import pem data: The requested data were not available". I don't think I can use the (Pre)-Master-Secret log filename (setting the "SSLKEYLOGFILE" environment variable) because that requires a webbrowser like Chrome. Anyway, any pointers on how to capture the right stuff and decode using the certs from Freeradius would be appreciated.