Check that your client has a certificate to authenticate with, and that you're using the correct XML profile.
Check that you've done the following:
Told your RADIUS Server which certificates are allowed to connect as described here
Imported the active RADIUS Server certificate as trusted root on your client as described here
If you see something like this in your logs:
Mon Jul 12 12:38:09 2021 : ERROR: (14872) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
Mon Jul 12 12:38:09 2021 : ERROR: (14872) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
Mon Jul 12 12:38:09 2021 : Error: tls: TLS_accept: Error in error
Mon Jul 12 12:38:09 2021 : Auth: (14872) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/8dc38402-20fb-41db-a8f3-4e4e95637173/<via Auth-Type = eap>] (from client contoso port 1 cli 18-9K-EA-0H-7F-C5)
It can be one of these options:
Your RADIUS server doesn't know the issuer of the certificate that was used for authentication. Add your CA as described here.
Your client doesn't know the server certificate and rejects the connection. Check that you've added your server certificate as described here.
You've changed or added a server certificate and the XML profile on your clients is out of date. Check that you generated your XML after adding the certificates and pushed it to your clients.
If you can see something like this in your logs:
Wed Apr 7 08:14:39 2021 : Auth: (312) Login incorrect (eap_tls: TLS Alert write:fatal:decrypt error): [host/00128t09-cbna-469c-9768-2783d28eikl9/<via Auth-Type = eap>] (from client cygate-se port 1 cli 84-FD-D1-8C-0E-33)
Wed Apr 7 08:14:41 2021 : ERROR: (320) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
Wed Apr 7 08:14:41 2021 : Error: tls: TLS_accept: Error in error
... then it is probably a bug in the TPM software on your Windows machines. More information on that can be found in the SCEPman documentation.
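To triage many rejections at once, the following added example (not part of the original documentation or the product) pulls each "Login incorrect" entry out of a log export and tags it with the cause the text above associates with its error string. The cause labels, function names and sample log are assumptions made for this example; counting per client device shows whether a failure is fleet-wide (CA, server certificate or XML profile) or tied to single machines.

```python
import re
from collections import Counter

# Error string -> cause named in the troubleshooting text (labels are this example's own).
CAUSES = {
    "unable to get local issuer certificate": "trust-chain",  # CA, server cert or XML profile
    "decrypt error": "tpm-bug",                               # probably the Windows TPM software
}

# One rejected EAP-TLS login. finditer() is used below so that entries which
# were run together on a single line are still found individually.
LOGIN_RE = re.compile(
    r"Auth: \((?P<req>\d+)\) Login incorrect \(eap_tls: (?P<reason>.*?)\): "
    r"\[(?P<identity>.*?)/<via Auth-Type = eap>\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<cli>[^)\s]+)\)"
)

def triage(log_text):
    """Return one dict per rejected login: req, reason, identity, nas, cli, cause."""
    records = []
    for m in LOGIN_RE.finditer(log_text):
        reason = m.group("reason")
        cause = next((c for sig, c in CAUSES.items() if sig in reason), "other")
        records.append({**m.groupdict(), "cause": cause})
    return records

def summarize(records):
    """Count rejections per (cause, client device)."""
    return Counter((r["cause"], r["cli"]) for r in records)

# Constructed sample log: identities, client name and addresses are made up.
SAMPLE = (
    "Mon Jul 12 12:38:09 2021 : ERROR: (101) eap_tls: ERROR: TLS Alert write:fatal:unknown CA"
    "Mon Jul 12 12:38:09 2021 : Auth: (101) Login incorrect (eap_tls: SSL says error 20 : unable to get local "
    "issuer certificate): [host/device-a/<via Auth-Type = eap>] (from client example-nas port 1 cli AA-BB-CC-00-00-01)\n"
    "Wed Apr 7 08:14:39 2021 : Auth: (202) Login incorrect (eap_tls: TLS Alert write:fatal:decrypt error): "
    "[host/device-b/<via Auth-Type = eap>] (from client example-nas port 1 cli AA-BB-CC-00-00-02)\n"
    "Wed Apr 7 08:14:41 2021 : ERROR: (203) eap_tls: ERROR: TLS Alert write:fatal:decrypt error\n"
    "Wed Apr 7 08:14:41 2021 : Auth: (203) Login incorrect (eap_tls: TLS Alert write:fatal:decrypt error): "
    "[host/device-b/<via Auth-Type = eap>] (from client example-nas port 1 cli AA-BB-CC-00-00-02)\n"
    "Wed Apr 7 08:15:02 2021 : Auth: (204) Login incorrect (eap_tls: SSL says error 10 : certificate has expired): "
    "[host/device-c/<via Auth-Type = eap>] (from client example-nas port 1 cli AA-BB-CC-00-00-03)\n"
)

if __name__ == "__main__":
    for (cause, cli), count in sorted(summarize(triage(SAMPLE)).items()):
        print(f"{cause:12} {cli} x{count}")
```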