Hi  @SHA2 

Thanks for posting here.

Is the 802.11r (Fast BSS Transition) feature enabled?

If your AP has 802.11r enabled, terminals may skip the full EAP authentication process with the FreeRADIUS server during reassociation and instead use cached PMKSA keys to establish a quick connection.

Protocol Mechanism:
The normal EAP-TLS authentication process includes steps such as Auth, Assoc, RADIUS interaction, and EAPOL key negotiation. However, when 802.11r is enabled, terminals only need to complete Auth and Assoc to quickly connect, bypassing reauthentication with the RADIUS server. As a result, even if the certificate is revoked, the AP may still allow terminal access using cached PMKSA keys.

If 802.11r is not enabled, please let us know.