@sicelo: Problem is of course in eapd daemon. This daemon uses openssl for all crypto stuff. So there are two options how to fix this bug:

1) Rewrite eapd and fix that bug directly in eapd.
2) Drop that optional AVP message in openssl layout and so eapd will now know about it

Technically second option should be easier, compile openssl in debug mode and dump all messages. See which one is that AVP type 12 and patch openssl to drop/ignore it.

If you will be able to do that I could accept patch/hack based on getpid() for openssl to CSSU which drop that message only for eapd process.

This should be possible and maybe also easy to implement. You just need that MS server for testing (which I do not have).