Hi
I can see why you might want to offer this, as it aids in self-diagnosis of connection problems.
However, AAA servers historically (as any other security server) do not tend to offer clues as to the reason for an authentication failure.
Also, AD will only give back a failure code; the AAA server then has to map the failure code to a readable string - then you get interpretation issues, etc.
Technically there is no reason why a Reply-Message attribute can't be included in the final Authentication-Reject message, or even inside the PEAP tunnel. But asking for a protocol change would be harder than getting blood from a stone!
Darran