diff --git a/internal/outpost/radius/eap/context.go b/internal/outpost/radius/eap/context.go
index 10e082e3c5..1e3ce0cbfd 100644
--- a/internal/outpost/radius/eap/context.go
+++ b/internal/outpost/radius/eap/context.go
@@ -14,6 +14,7 @@ type context struct {
 	settings    interface{}
 	endStatus   protocol.Status
 	endModifier func(p *radius.Packet) *radius.Packet
+	handleInner func(protocol.Payload, protocol.StateManager) (protocol.Payload, error)
 }
 func (ctx *context) RootPayload() protocol.Payload { return ctx.rootPayload }
@@ -23,8 +24,8 @@ func (ctx *context) GetProtocolState(p protocol.Type) any { return ctx.typeS
 func (ctx *context) SetProtocolState(p protocol.Type, st any) { ctx.typeState[p] = st }
 func (ctx *context) IsProtocolStart(p protocol.Type) bool { return ctx.typeState[p] == nil }
 func (ctx *context) Log() *log.Entry { return ctx.log }
-func (ctx *context) HandleInnerEAP(protocol.Payload, protocol.StateManager) protocol.Payload {
-	return nil
+func (ctx *context) HandleInnerEAP(p protocol.Payload, st protocol.StateManager) (protocol.Payload, error) {
+	return ctx.handleInner(p, st)
 }
 func (ctx *context) ForInnerProtocol(p protocol.Type) protocol.Context {
diff --git a/internal/outpost/radius/eap/handler.go b/internal/outpost/radius/eap/handler.go
index 55bc53099c..56bbf61f72 100644
--- a/internal/outpost/radius/eap/handler.go
+++ b/internal/outpost/radius/eap/handler.go
@@ -25,16 +25,16 @@ func sendErrorResponse(w radius.ResponseWriter, r *radius.Request) {
 }
 func (p *Packet) HandleRadiusPacket(w radius.ResponseWriter, r *radius.Request) {
+	p.r = r
 	rst := rfc2865.State_GetString(r.Packet)
 	if rst == "" {
 		rst = base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(12))
 	}
 	p.state = rst
-	rep, err := p.handleInner(r)
-	rp := &Packet{
-		eap: rep,
-	}
+	rp := &Packet{r: r}
+	rep, err := p.handleInner()
+	rp.eap = rep
 	rres := r.Response(radius.CodeAccessReject)
 	if err == nil {
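Review bot: `HandleInnerEAP` now calls the `handleInner` func field unconditionally, so a `context` whose field was never populated panics with a nil function call on the first inner-EAP round; the only assignment visible in this diff is the struct literal in handler.go, and `ForInnerProtocol` (its body is outside the hunk) builds further contexts whose field population I cannot confirm. This path is driven by attacker-supplied RADIUS/EAP frames, so an unrecovered panic here is a remote crash of the outpost. Guard it before the call: `if ctx.handleInner == nil { return nil, errors.New("no inner EAP handler configured") }`, using whichever of `errors`/`fmt` context.go already imports, or a package-level sentinel error.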
@@ -73,11 +73,11 @@ func (p *Packet) HandleRadiusPacket(w radius.ResponseWriter, r *radius.Request)
 	}
 }
-func (p *Packet) handleInner(r *radius.Request) (*eap.Payload, error) {
-	st := p.stm.GetEAPState(p.state)
+func (p *Packet) handleEAP(pp protocol.Payload, stm protocol.StateManager) (*eap.Payload, error) {
+	st := stm.GetEAPState(p.state)
 	if st == nil {
 		log.Debug("Root-EAP: blank state")
-		st = protocol.BlankState(p.stm.GetEAPSettings())
+		st = protocol.BlankState(stm.GetEAPSettings())
 	}
 	nextChallengeToOffer, err := st.GetNextProtocol()
@@ -91,8 +91,8 @@ func (p *Packet) handleInner(r *radius.Request) (*eap.Payload, error) {
 	next := func() (*eap.Payload, error) {
 		st.ProtocolIndex += 1
 		st.TypeState = map[protocol.Type]any{}
-		p.stm.SetEAPState(p.state, st)
-		return p.handleInner(r)
+		stm.SetEAPState(p.state, st)
+		return p.handleEAP(pp, stm)
 	}
 	if _, ok := p.eap.Payload.(*legacy_nak.Payload); ok {
@@ -101,14 +101,17 @@ func (p *Packet) handleInner(r *radius.Request) (*eap.Payload, error) {
 		return next()
 	}
-	np, t, _ := emptyPayload(p.stm, nextChallengeToOffer)
+	np, t, _ := emptyPayload(stm, nextChallengeToOffer)
 	ctx := &context{
-		req:         r,
+		req:         p.r,
 		rootPayload: p.eap,
 		typeState:   st.TypeState,
 		log:         log.WithField("type", fmt.Sprintf("%T", np)).WithField("code", t),
-		settings:    p.stm.GetEAPSettings().ProtocolSettings[t],
+		settings:    stm.GetEAPSettings().ProtocolSettings[t],
+		handleInner: func(pp protocol.Payload, sm protocol.StateManager) (protocol.Payload, error) {
+			return p.handleEAP(pp, sm)
+		},
 	}
 	if !np.Offerable() {
 		ctx.log.Debug("Root-EAP: protocol not offerable, skipping")
@@ -117,7 +120,7 @@ func (p *Packet) handleInner(r *radius.Request) (*eap.Payload, error) {
 	ctx.log.Debug("Root-EAP: Passing to protocol")
 	res := p.GetChallengeForType(ctx, np, t)
-	p.stm.SetEAPState(p.state, st)
+	stm.SetEAPState(p.state, st)
 	if ctx.endModifier != nil {
 		p.endModifier = ctx.endModifier
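Review bot: The legacy-NAK check on the context line right after this hunk still inspects `p.eap.Payload`, although `handleEAP` now receives the payload to process as `pp` and is also reached from PEAP with the decrypted inner EAP (`ctx.HandleInnerEAP(ep, p)`); on that inner path a NAK sent inside the tunnel is looked for on the outer PEAP/TLS frame instead. The root call passes `p.eap` as `pp`, so switching the check to the parameter keeps the root path identical: `if root, ok := pp.(*eap.Payload); ok {` followed by `if _, ok := root.Payload.(*legacy_nak.Payload); ok {`. `handleEAP` starts in the previous hunk and continues past this one.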
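Review bot: `rootPayload: p.eap` in the new `context` literal still hands inner protocols the outer packet's EAP payload even though `handleEAP` was just given the payload to handle as `pp`, so on the PEAP path (`ctx.HandleInnerEAP(ep, p)`) the inner protocol sees the TLS-carrying outer frame rather than the decrypted inner EAP; `rootPayload: pp,` looks like the intent. The `handleInner` closure also returns `p.handleEAP(pp, sm)` straight through an `(protocol.Payload, error)` signature, so a nil `*eap.Payload` comes back as a non-nil interface wrapping a nil pointer and any `res != nil` check downstream will dereference it. Return an explicit nil instead: `res, err := p.handleEAP(pp, sm); if err != nil || res == nil { return nil, err }; return res, nil`. The error path after `GetNextProtocol` lies outside the hunk, so I cannot confirm which branches actually yield a nil payload.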
@@ -138,6 +141,10 @@ func (p *Packet) handleInner(r *radius.Request) (*eap.Payload, error) {
 	return res, nil
 }
+func (p *Packet) handleInner() (*eap.Payload, error) {
+	return p.handleEAP(p.eap, p.stm)
+}
+
 func (p *Packet) GetChallengeForType(ctx *context, np protocol.Payload, t protocol.Type) *eap.Payload {
 	res := &eap.Payload{
 		Code: protocol.CodeRequest,
diff --git a/internal/outpost/radius/eap/packet.go b/internal/outpost/radius/eap/packet.go
index e249c8a2c3..23f33f0cd9 100644
--- a/internal/outpost/radius/eap/packet.go
+++ b/internal/outpost/radius/eap/packet.go
@@ -9,6 +9,7 @@ import (
 )
 type Packet struct {
+	r     *radius.Request
 	eap   *eap.Payload
 	stm   protocol.StateManager
 	state string
diff --git a/internal/outpost/radius/eap/protocol/context.go b/internal/outpost/radius/eap/protocol/context.go
index 539e2b6f4e..ff019e63b5 100644
--- a/internal/outpost/radius/eap/protocol/context.go
+++ b/internal/outpost/radius/eap/protocol/context.go
@@ -24,7 +24,7 @@ type Context interface {
 	SetProtocolState(p Type, s interface{})
 	IsProtocolStart(p Type) bool
-	HandleInnerEAP(Payload, StateManager) Payload
+	HandleInnerEAP(Payload, StateManager) (Payload, error)
 	EndInnerProtocol(Status, func(p *radius.Packet) *radius.Packet)
 	Log() *log.Entry
diff --git a/internal/outpost/radius/eap/protocol/peap/payload.go b/internal/outpost/radius/eap/protocol/peap/payload.go
index 865ba7d044..955c3fe58e 100644
--- a/internal/outpost/radius/eap/protocol/peap/payload.go
+++ b/internal/outpost/radius/eap/protocol/peap/payload.go
@@ -26,7 +26,7 @@ type Payload struct {
 	eap      *eap.Payload
 	st       *State
-	settings *Settings
+	settings Settings
 	raw      []byte
 }
@@ -74,7 +74,7 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 	defer func() {
 		ctx.SetProtocolState(TypePEAP, p.st)
 	}()
-	p.settings = ctx.ProtocolSettings().(*Settings)
+	p.settings = ctx.ProtocolSettings().(Settings)
 	rootEap := ctx.RootPayload().(*eap.Payload)
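Review bot: The `Context` interface's `HandleInnerEAP` gains an error return but no comment stating what a non-nil error obliges the caller to do, and the one implementer in this diff (PEAP's `Handle`) logs it and carries on, which suggests the contract is not yet settled. I would document it on the method, e.g. `// HandleInnerEAP runs one round of a nested EAP conversation for the given payload against the supplied state manager. A non-nil error means no inner response could be produced; the tunnelled protocol must not forward the returned payload in that case.` — adjust the second sentence to whatever the root handler actually guarantees. The `Context` interface starts before this hunk.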
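Review bot: `p.settings = ctx.ProtocolSettings().(Settings)` is an unchecked type assertion, and with the switch from `*Settings` to a value type any registration that still stores a `*Settings`, or leaves the entry unset so `ProtocolSettings[t]` yields nil, now panics inside `Handle` — a path a peer reaches simply by negotiating PEAP. The previous `*Settings` form had the same unchecked shape, so this is pre-existing risk that the type change makes easier to trip. Prefer the comma-ok form and fail closed: `settings, ok := ctx.ProtocolSettings().(Settings); if !ok { ctx.Log().Warning("PEAP: settings missing or of wrong type"); return nil }` (or end the protocol with this package's failure status, if returning nil is not the convention). `Handle` continues beyond this hunk.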
@@ -99,7 +99,11 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 		}
 	}
-	return ctx.HandleInnerEAP(ep, p)
+	res, err := ctx.HandleInnerEAP(ep, p)
+	if err != nil {
+		ctx.Log().WithError(err).Warning("PEAP: failed to handle inner EAP")
+	}
+	return res
 }
 func (p *Payload) GetEAPSettings() protocol.Settings {
diff --git a/internal/outpost/radius/eap/protocol/peap/settings.go b/internal/outpost/radius/eap/protocol/peap/settings.go
index 2d9d21ba48..63afee070e 100644
--- a/internal/outpost/radius/eap/protocol/peap/settings.go
+++ b/internal/outpost/radius/eap/protocol/peap/settings.go
@@ -11,6 +11,6 @@ type Settings struct {
 	InnerProtocols protocol.Settings
 }
-func (s *Settings) TLSConfig() *tls.Config {
+func (s Settings) TLSConfig() *tls.Config {
 	return s.Config
 }
diff --git a/internal/outpost/radius/eap/protocol/tls/settings.go b/internal/outpost/radius/eap/protocol/tls/settings.go
index e8fb928971..07a3faf308 100644
--- a/internal/outpost/radius/eap/protocol/tls/settings.go
+++ b/internal/outpost/radius/eap/protocol/tls/settings.go
@@ -16,6 +16,6 @@ type Settings struct {
 	HandshakeSuccessful func(ctx protocol.Context, certs []*x509.Certificate) protocol.Status
 }
-func (s *Settings) TLSConfig() *tls.Config {
+func (s Settings) TLSConfig() *tls.Config {
 	return s.Config
 }
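Review bot: The error from `ctx.HandleInnerEAP(ep, p)` is logged at Warning and then dropped: `return res` still hands whatever `res` holds (nil, or an interface wrapping a nil `*eap.Payload`) back into the PEAP tunnel as if the inner round succeeded, so an inner-EAP failure never terminates the outer conversation and a malformed or mis-sequenced inner frame keeps the session alive. Fail closed instead: on `err != nil` end the tunnelled protocol via `ctx.EndInnerProtocol(...)`, which the `Context` interface exposes, with whatever `protocol.Status` value this package uses for failure, and `return nil` rather than `res`. At the root level `HandleRadiusPacket` does map an error to Access-Reject, so only the tunnelled path is inconsistent. `Handle` starts before this hunk.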