Here is the output from the log for the EAP Negotiation.
Fri Mar 31 11:56:46 2017 : Info: # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
Fri Mar 31 11:56:46 2017 : Info: +group authorize {
Fri Mar 31 11:56:46 2017 : Info: ++[preprocess] = ok
Fri Mar 31 11:56:46 2017 : Info: ++[chap] = noop
Fri Mar 31 11:56:46 2017 : Info: ++[mschap] = noop
Fri Mar 31 11:56:46 2017 : Info: ++[digest] = noop
Fri Mar 31 11:56:46 2017 : Info: [suffix] No '@' in User-Name = "shawn", looking up realm NULL
Fri Mar 31 11:56:46 2017 : Info: [suffix] No such realm "NULL"
Fri Mar 31 11:56:46 2017 : Info: ++[suffix] = noop
Fri Mar 31 11:56:46 2017 : Info: [eap] EAP packet type response id 255 length 111
Fri Mar 31 11:56:46 2017 : Info: [eap] Continuing tunnel setup.
Fri Mar 31 11:56:46 2017 : Info: ++[eap] = ok
Fri Mar 31 11:56:46 2017 : Info: +} # group authorize = ok
Fri Mar 31 11:56:46 2017 : Info: Found Auth-Type = EAP
Fri Mar 31 11:56:46 2017 : Info: # Executing group from file /Library/Server/radius/raddb/sites-enabled/default
Fri Mar 31 11:56:46 2017 : Info: +group authenticate {
Fri Mar 31 11:56:46 2017 : Info: [eap] Request found, released from the list
Fri Mar 31 11:56:46 2017 : Info: [eap] EAP/ttls
Fri Mar 31 11:56:46 2017 : Info: [eap] processing type ttls
Fri Mar 31 11:56:46 2017 : Info: [ttls] Authenticate
Fri Mar 31 11:56:46 2017 : Info: [ttls] processing EAP-TLS
Fri Mar 31 11:56:46 2017 : Debug: TLS Length 101
Fri Mar 31 11:56:46 2017 : Info: [ttls] Length Included
Fri Mar 31 11:56:46 2017 : Info: [ttls] eaptls_verify returned 11
Fri Mar 31 11:56:46 2017 : Info: [ttls] eaptls_process returned 7
Fri Mar 31 11:56:46 2017 : Info: [ttls] Session established. Proceeding to decode tunneled attributes.
Fri Mar 31 11:56:46 2017 : Info: # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
Fri Mar 31 11:56:46 2017 : Info: +group authorize {
Fri Mar 31 11:56:46 2017 : Info: ++[chap] = noop
Fri Mar 31 11:56:46 2017 : Info: ++[mschap] = noop
Fri Mar 31 11:56:46 2017 : Info: [suffix] No '@' in User-Name = "shawn", looking up realm NULL
Fri Mar 31 11:56:46 2017 : Info: [suffix] No such realm "NULL"
Fri Mar 31 11:56:46 2017 : Info: ++[suffix] = noop
Fri Mar 31 11:56:46 2017 : Info: ++update control {
Fri Mar 31 11:56:46 2017 : Info: ++} # update control = noop
Fri Mar 31 11:56:46 2017 : Info: [eap] EAP packet type response id 1 length 64
Fri Mar 31 11:56:46 2017 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Fri Mar 31 11:56:46 2017 : Info: ++[eap] = updated
Fri Mar 31 11:56:46 2017 : Info: ++[files] = noop
Fri Mar 31 11:56:46 2017 : Info: ++[expiration] = noop
Fri Mar 31 11:56:46 2017 : Info: ++[logintime] = noop
Fri Mar 31 11:56:46 2017 : Info: ++[pap] = noop
Fri Mar 31 11:56:46 2017 : Info: +} # group authorize = updated
Fri Mar 31 11:56:46 2017 : Info: Found Auth-Type = EAP
Fri Mar 31 11:56:46 2017 : Info: # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
Fri Mar 31 11:56:46 2017 : Info: +group authenticate {
Fri Mar 31 11:56:46 2017 : Info: [eap] Request found, released from the list
Fri Mar 31 11:56:46 2017 : Info: [eap] EAP/mschapv2
Fri Mar 31 11:56:46 2017 : Info: [eap] processing type mschapv2
Fri Mar 31 11:56:46 2017 : Info: [mschapv2] # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
Fri Mar 31 11:56:46 2017 : Info: [mschapv2] +group MS-CHAP {
Fri Mar 31 11:56:46 2017 : Info: [mschap] No Cleartext-Password configured. Cannot create LM-Password.
Fri Mar 31 11:56:46 2017 : Info: [mschap] No Cleartext-Password configured. Cannot create NT-Password.
Fri Mar 31 11:56:46 2017 : Info: [mschap] Creating challenge hash with username: shawn
Fri Mar 31 11:56:46 2017 : Info: [mschap] Client is using MS-CHAPv2 for shawn, we need NT-Password
Fri Mar 31 11:56:46 2017 : Info: [mschap] Using OpenDirectory to authenticate
Fri Mar 31 11:56:46 2017 : Info: [mschap] Doing OD MSCHAPv2 auth
Fri Mar 31 11:56:46 2017 : Info: [mschap] Authentication failed for shawn: error 5200 (0x1450): unknown error
Fri Mar 31 11:56:46 2017 : Info: ++[mschap] = reject
Fri Mar 31 11:56:46 2017 : Info: +} # group MS-CHAP = reject
Fri Mar 31 11:56:46 2017 : Info: [eap] Freeing handler
Fri Mar 31 11:56:46 2017 : Info: ++[eap] = reject
Fri Mar 31 11:56:46 2017 : Info: +} # group authenticate = reject
Fri Mar 31 11:56:46 2017 : Info: Failed to authenticate the user.
Fri Mar 31 11:56:46 2017 : Auth: Login incorrect: [shawn/<via Auth-Type = EAP>] (from client hallway port 0 via TLS tunnel)
Fri Mar 31 11:56:46 2017 : Info: Using Post-Auth-Type Reject
Fri Mar 31 11:56:46 2017 : Info: # Executing group from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
Fri Mar 31 11:56:46 2017 : Info: +group REJECT {
Fri Mar 31 11:56:46 2017 : Info: [attr_filter.access_reject] expand: %{User-Name} -> shawn
Fri Mar 31 11:56:46 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Mar 31 11:56:46 2017 : Info: ++[attr_filter.access_reject] = updated
Fri Mar 31 11:56:46 2017 : Info: +} # group REJECT = updated
Fri Mar 31 11:56:46 2017 : Info: [ttls] Got tunneled Access-Reject
Fri Mar 31 11:56:46 2017 : Info: [eap] Handler failed in EAP/ttls
Fri Mar 31 11:56:46 2017 : Debug: rlm_eap_ttls: Freeing handler for user shawn
Fri Mar 31 11:56:46 2017 : Info: [eap] Failed in EAP select
Fri Mar 31 11:56:46 2017 : Info: ++[eap] = invalid
Fri Mar 31 11:56:46 2017 : Info: +} # group authenticate = invalid
Fri Mar 31 11:56:46 2017 : Info: Failed to authenticate the user.
Fri Mar 31 11:56:46 2017 : Auth: Login incorrect: [shawn/<via Auth-Type = EAP>] (from client hallway port 0 cli E0-B5-2D-3C-BB-7B)
Fri Mar 31 11:56:46 2017 : Info: Using Post-Auth-Type Reject
Fri Mar 31 11:56:46 2017 : Info: # Executing group from file /Library/Server/radius/raddb/sites-enabled/default
Fri Mar 31 11:56:46 2017 : Info: +group REJECT {
Fri Mar 31 11:56:46 2017 : Info: ++? if ("%{EAP-Message}")
Fri Mar 31 11:56:46 2017 : Info: expand: %{EAP-Message} -> 0x02ff006f1580000000651703010060cac1037b098d368e034718494eab94aba9ec16da4b29e38 a03043a0bb89d962a03625b800020df8a687068dbc5e81539152be037ba972903472e63e345373ba 4232e88066de9fa00a9a6f844e9d135b072c18060856c93b80587b657eefeb439
Fri Mar 31 11:56:46 2017 : Info: ? Evaluating ("%{EAP-Message}") -> TRUE
Fri Mar 31 11:56:46 2017 : Info: ++? if ("%{EAP-Message}") -> TRUE
Fri Mar 31 11:56:46 2017 : Info: ++if ("%{EAP-Message}") {
Fri Mar 31 11:56:46 2017 : Info: +++update reply {
Fri Mar 31 11:56:46 2017 : Info: expand: %{Message-Authenticator} -> 0xfc3de74973bde3093ab0cc1a16195272
Fri Mar 31 11:56:46 2017 : Info: +++} # update reply = noop
Fri Mar 31 11:56:46 2017 : Info: ++} # if ("%{EAP-Message}") = noop
Fri Mar 31 11:56:46 2017 : Info: [eap] Reply already contained an EAP-Message, not inserting EAP-Failure
Fri Mar 31 11:56:46 2017 : Info: ++[eap] = noop
Fri Mar 31 11:56:46 2017 : Info: [attr_filter.access_reject] expand: %{User-Name} -> shawn
Fri Mar 31 11:56:46 2017 : Debug: attr_filter: Matched entry DEFAULT at line 11
Fri Mar 31 11:56:46 2017 : Info: ++[attr_filter.access_reject] = updated
Fri Mar 31 11:56:46 2017 : Info: +} # group REJECT = updated
Fri Mar 31 11:56:46 2017 : Info: Delaying reject of request 39 for 1 seconds
Fri Mar 31 11:56:46 2017 : Debug: Going to the next request
Fri Mar 31 11:56:46 2017 : Debug: Thread 5 waiting to be assigned a request
Fri Mar 31 11:56:46 2017 : Debug: Waking up in 0.2 seconds.
Fri Mar 31 11:56:47 2017 : Info: Sending delayed reject for request 39
Fri Mar 31 11:56:47 2017 : Debug: Waking up in 1.4 seconds.
Fri Mar 31 11:56:48 2017 : Info: Cleaning up request 24 ID 9 with timestamp +31745
Fri Mar 31 11:56:48 2017 : Debug: Waking up in 0.3 seconds.