#1 has happened to me more than once. haha.
recently had a client whose devices wouldn't authenticate to RADIUS using EAP-TLS. this was a carbon-copy deployment of other buildings, so the guy who built the config used the same flashbackup as another building but changed interface IPs etc.
error message was that the wrong protocol was used, EAP-PEAP not TLS. when checking the client configuration everything was fine, because they would go to another building and would authenticate just fine!!
the culprit... termination. RADIUS failover and termination was checked off; disabling that did the trick and allowed the user to authenticate.
didn't spend hours on it but was a head scratcher for a good 30 min...