I have created a patch that allows use of
tunneled reply attributes when authentication fails for EAP-TTLS and EAP-PEAP. It
also saves ntlm_auth output in Module-Failure-Message reply attribute when
ntlm_auth fails. I sent you a pull request for the changes. Should I also create
a bug report for tracking purposes?