Hi Michael,
If the cert is expired on the client side, it will not respond with its identity itself.
Please check the following output on controller for more information on radius authenticaiton:
config# logging level debugging user-debug <mac-address of user>
# show auth-tracebuf mac <mac-address of client >
in case you are using IAP:
#show ap debug auth-tracebuf <mac-address of client>