Disclaimer
Radius usually works with the “mschap” protocol in UCS. This authentication method does not support all special characters. Probably the easiest approach would be to configure wireless clients to use WPA with PEAP and MSCHAPv2 for authentication.
If you prefer to switch to TLS, this could be accomplished using UCR variables. However, it is important to note that the currently available Radius version 3.0.17 only reliably supports TLS up to version 1.2. If there are clients that require TLS>=1.3 or only support mschap, you would exclude them from authentication. It should be noted here that as of Windows 11 22H2 only TLS is permitted.
Solution
ucr set freeradius/conf/auth-type/mschap=false ucr set freeradius/conf/auth-type/ttls=true ucr set freeradius/conf/tls-max-version='1.2'