I have updated our version of UCS up to the recent release 4.4 and still see the same behavior.
Here is the output of the command “univention-radius-check-access”:
DEBUG: [user=TestUser; mac=None] Given username: "TestUser"
DEBUG: [user=TestUser; mac=None] Given stationId: "None"
DEBUG: [user=TestUser; mac=None] UCS@school RADIUS support is not installed
DEBUG: [user=TestUser; mac=None] Checking LDAP settings for user
DEBUG: [user=TestUser; mac=None] DENY 'uid=TestUser,cn=employees,cn=users,dc=example,dc=com'
DEBUG: [user=TestUser; mac=None] -> DENY 'cn=TestGroup,cn=team,cn=groups,dc=example,dc=com'
INFO: [user=TestUser; mac=None] Login attempt denied by LDAP settings
DEBUG: [user=TestUser; mac=None] User is not allowed to authenticate via RADIUS
DEBUG: [user=TestUser; mac=None] --- Thus access is DENIED.
However, if we use the radtest tool, we get the following output:
radtest TestUser <user password> ldap.example.com 1812 <radius password>
Sent Access-Request Id 200 from 0.0.0.0:49719 to 192.168.254.131:1812 length 99
User-Name = "TestUser"
User-Password = "<user password>"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "<user password>"
Received Access-Accept Id 200 from 192.168.254.131:1812 to 0.0.0.0:0 length 20
If we use the PAP authentication method, we get the same result:
radtest -t pap TestUser <user password> ldap.example.com 1812 <radius password>
Sent Access-Request Id 64 from 0.0.0.0:46738 to 192.168.254.131:1812 length 99
User-Name = "TestUser"
User-Password = "<user password>"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "<user password>"
Received Access-Accept Id 64 from 192.168.254.131:1812 to 0.0.0.0:0 length 20
And if we use any of the remaining authentication methods, everything works correctly:
radtest -t chap TestUser <user password> ldap.example.com 1812 <radius password>
Sent Access-Request Id 220 from 0.0.0.0:52529 to 172.31.254.131:1812 length 84
User-Name = "TestUser"
CHAP-Password = 0x3870626f163ba6551ca9c78ec7cdc041a2
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "<user password>"
Received Access-Reject Id 220 from 172.31.254.131:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
Could someone point me to a misconfiguration or setting that might be the reason for the described issue?
Thank you in advance.