Ok glad to hear that PEAP works as expected on your side as well.
Our DE team looked at the traces I collected and see that the 8821 phone is sending a TLS 1.2 ClientHello, but instead of the WLC/AP coming back to negotiate down to TLS 1.0, it send...
FYI, I was able to downgrade a WLC3500 to 126.96.36.199 with an AP3800 connected and I was then able to reproduce the reported local EAP-FAST interop issue using an 8821 phone running 11.0.5SR2.2 fw.
Note that both PEAP-MSCHAPV2 and PEAP-GTC worked fine ...
Yes, seems the issue is due to TLS 1.2 for WLAN authentication, which was introduced in 11.0(5) release for 8821 phones.
I found that TLS 1.2 for EAP-FAST was included in WLC version 188.8.131.52, but that version is not available for the WLC2500...
TLS 1.2 for WLAN authentication was added in 11.0(5) for 8821 phones.
And the 8821 supports the latest ciphers, so that shouldn’t be an issue there.
Suggest to open a support case with Cisco TAC for further troubleshooting.