For one of our customer, we are implementing 802.1X solution for wired and wireless clients, for windows, domain joined devices.
WLAN : Cisco WLC
RADIUS cert : Signed by public CA.
802.1X configuration on client : Through GPO
During implementation we came across a TLS session error as shown below:
All the client got rejected on the ClearPass with the error code 215. On the access tracker > alerts we saw below information:
Alerts –
Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request –
RADIUS: EAP-PEAP:fatal alert by client – access_denied\nTLS session reuse error
Observation:
1. Authentication was successful Before GPO update on client.
2. Authentication failure – After GPO update on client
We took a packet capture on client before GPO push and after GPO pushes.
+++ We took .ETL file on client for EAP analysis.
Below capture taken after GPO push. It is trying to change Cipher spec on secure socket layer.

PCAP taken before pushing the GPO. Client is able to authenticate successfully.

From our lab testing we found, this happens only when client is selected with Notification before connect is set to ask users to authorize new servers or trusted root Trusted certificate authority was not selected on Client.
PEAP configuration includes an option that prevents the user from being prompted for certificate validation. This is the Do not prompt user to authorize new servers or trusted root certification authorities option. By default, this option is disabled. If you enable this option, the user is not presented with the UI that may be difficult for the user to understand. Therefore, the user cannot select an unapproved root certification authority.
To overcome this problem:
We have to select trusted root certificate authorities on all the clients.
Since our servers RADIUS certificates are signed by public CA. We need to select same root certificate authorities on all the clients (We could push this configuration through GPO).

OR
Select user if the servers identity can’t be verified.
Hope this helpful ! Cheer !
Prashant Harnal