I have created a patch that allows use of tunneled reply attributes when authentication fails for EAP-TTLS and EAP-PEAP.  It also saves ntlm_auth output in Module-Failure-Message reply attribute when ntlm_auth fails.  I sent you a pull request for the changes.  Should I also create a bug report for tracking purposes?