Clients abort 4-way handshake, RSN IE different in message 3/4

I'm trying to setup WPA2-EAP on radio 2 of an ea9500. As far as I can tell from the radius server's logs, everything was going fine (I can see the Access-Accept being sent), but clients would never finish connecting. After turning on wpa_supplicant logging to the max, I found the following message on the client:

WPA: decrypted EAPOL-Key key data - hexdump(len=48): [REMOVED]
wlp4s0: State: 4WAY_HANDSHAKE -> 4WAY_HANDSHAKE
wlp4s0: WPA: RX message 3 of 4-Way Handshake from 60:38:e0:8a:3b:60 (ver=2)
WPA: IE KeyData - hexdump(len=48): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00 dd 16 00 0f ac 01 01 00 4a 61 6e f8 4c cf b5 98 39 a6 bb 1b d5 1e 10 89 dd 00
WPA: RSN IE in EAPOL-Key - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
WPA: GTK in EAPOL-Key - hexdump(len=24): [REMOVED]
wlp4s0: WPA: IE in 3/4 msg does not match with IE in Beacon/ProbeResp (src=60:38:e0:8a:3b:60)
WPA: RSN IE in Beacon/ProbeResp - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 01 00
WPA: RSN IE in 3/4 msg - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
wlp4s0: Request to deauthenticate - bssid=60:38:e0:8a:3b:60 pending_bssid=00:00:00:00:00:00 reason=17 (IE_IN_4WAY_DIFFERS) state=4WAY_HANDSHAKE
TDLS: Tear down peers
wpa_driver_nl80211_deauthenticate(addr=60:38:e0:8a:3b:60 reason_code=17)

Digging into the RSN IE, there's a very old email exchange on the hostapd email list on infradead indicating that there was a bug in the madwifi driver that could cause this, but that driver has long since been deprecated.

There's only one bit that differs between the two RSN IEs, and annoying it's only described as "Reserved". So I guess my question is, why might the beacon be setting this reserved bit and how do I get it to stop?

Below is the hostapd configuration:

driver=nl80211
logger_syslog=127
logger_syslog_level=2
logger_stdout=127
logger_stdout_level=2
country_code=US
ieee80211d=1
ieee80211h=1
hw_mode=a
beacon_int=100
channel=149


ieee80211n=1
ht_coex=0
ht_capab=[HT40+][SHORT-GI-20][SHORT-GI-40][DSSS_CCK-40]
vht_oper_chwidth=0
vht_oper_centr_freq_seg0_idx=151
ieee80211ac=1
vht_capab=[SHORT-GI-80][MU-BEAMFORMER][MU-BEAMFORMEE][MAX-A-MPDU-LEN-EXP0][VHT-LINK-ADAPT-3]

interface=wlan2
ctrl_interface=/var/run/hostapd
ap_isolate=1
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=1
preamble=1
wmm_enabled=0
wme_enabled=0
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
nas_identifier=ea9500
auth_server_addr=10.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=802.11-EAP Test
bridge=br-lan
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=WPA-EAP
okc=0
disable_pmksa_caching=1
bssid=60:38:e0:8a:3b:60

OP, did you ever got to the bottom of this?

No. Gave up on it after a while.