accepting clients with expired certificates
Norbert Wegener
norbert.wegener at siemens.com
Tue Aug 28 14:34:50 CEST 2007
I have set up authentication against AD according to:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
This works as expected.
If the client's certificate is expired, eap/tls will, of course, fail.
In this case a guest vlan shall be assigned to the client.
Having a module that adds the needed RADIUS attributes seems to work
if an additional Auth-Type += Accept is added.
Doing this, the eap-tls is short-circuited and may result in a:
    Incoming RADIUS packet did not have correct Message-Authenticator - dropped
message on the client side.
Is this acceptable?
What would be the best way to handle a situation like that?
Norbert Wegener
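
The kind of check that produces a message like the one quoted above, as an added example (not part of the original post and not FreeRADIUS code): the receiver recomputes the RFC 3579 HMAC-MD5 over the reply, using the Request Authenticator and the shared secret, and distinguishes a missing attribute from a wrong one. The secret, packet identifier and guest VLAN value are constructed for illustration.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579, section 3.2)

def encode(code, ident, authenticator, attrs):
    """Encode a RADIUS packet from (type, value-bytes) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def make_reply(code, ident, request_auth, attrs, secret, with_ma=True):
    """Build a reply the way a server signs it; with_ma=False omits the HMAC."""
    if with_ma:
        zeroed = encode(code, ident, request_auth, attrs + [(MSG_AUTH, bytes(16))])
        mac = hmac.new(secret, zeroed, hashlib.md5).digest()
        attrs = attrs + [(MSG_AUTH, mac)]
    pkt = encode(code, ident, request_auth, attrs)
    # Response Authenticator = MD5(packet with Request Authenticator + secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def check_message_authenticator(packet, request_auth, secret):
    """Return 'ok', 'missing' or 'bad' for a received reply."""
    if len(packet) < 20:
        return "bad"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "bad"
    buf = bytearray(packet[:length])
    buf[4:20] = request_auth  # the HMAC is computed over the *request* authenticator
    pos, received = 20, None
    while pos + 2 <= length:
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > length:
            return "bad"  # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            received = bytes(buf[pos + 2:pos + 18])
            buf[pos + 2:pos + 18] = bytes(16)  # field is zeroed while hashing
        pos += alen
    if received is None:
        return "missing"
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return "ok" if hmac.compare_digest(received, expected) else "bad"

# Constructed sample values: shared secret, request authenticator, guest VLAN name.
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
GUEST = [(81, b"guest")]  # Tunnel-Private-Group-Id
signed = make_reply(2, 7, REQ_AUTH, GUEST, SECRET)            # Access-Accept
unsigned = make_reply(2, 7, REQ_AUTH, GUEST, SECRET, with_ma=False)
print(check_message_authenticator(signed, REQ_AUTH, SECRET),
      check_message_authenticator(unsigned, REQ_AUTH, SECRET))
```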