Thanks for the reply Alan.
This means that the session wasn't cached, and they are trying to resume a session that never was started. The change in 2.1.8 is there to work around a bug in OpenSSL.
Ok
The only other alternative is that they *are* resuming a valid session, but (a) after the session has timed out, or (b) where no User-Name was cached from the inner tunnel session.
b) is possible due to the point below about cache size.
Try increasing the size of the cache. Try ensuring that there is always a User-Name in the inner tunnel. This user name is cached, and is checked on session resumption.
I reinstated 2.1.8 this morning after having set the cache size to infinity (was the default 255) but the problem still exists. Caching is enabled in eap.conf, but does fastreauth need to be enabled in experimental.conf? It is currently disabled. Whether this has any bearing on it I'm not sure, but this seems to be affecting users that use wpa_supplicant more, though Windows users have also reported the problem. Thanks, Jezz.