diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index e21e215b..9c9f68a0 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -116,6 +116,7 @@ struct eap_tls_state {
 bool expecting_frag_ack:1;
 bool tunnel_ready:1;
 bool tls_session_resumed:1;
+ bool tls_cache_disabled:1;
 struct l_queue *ca_cert;
 struct l_certchain *client_cert;
@@ -179,7 +180,9 @@ static void __eap_tls_common_state_reset(struct eap_state *eap)
 if (eap_tls->tls_session_resumed)
 l_warn("EAP: method did not finish after successful TLS"
- " session resumption.");
+ " session resumption. If this repeats consider"
+ " disabling [Security].EAP-%sFastReauthentication", eap_get_method_name(eap));
 }
 eap_tls->tls_session_resumed = false;
@@ -691,7 +694,7 @@ static bool eap_tls_tunnel_init(struct eap_state *eap)
 if (eap_tls->domain_mask)
 l_tls_set_domain_mask(eap_tls->tunnel, eap_tls->domain_mask);
- if (!eap_tls_session_cache_load)
+ if (!eap_tls_session_cache_load || eap_tls->tls_cache_disabled)
 goto start;
 if (!eap_tls_session_cache)
@@ -1040,6 +1043,16 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 return -EINVAL;
 }
+ snprintf(setting_key, sizeof(setting_key), "%sFastReauthentication", prefix);
+ if (l_settings_has_key(settings, "Security", setting_key) && !l_settings_get_bool(settings, "Security", setting_key, NULL)) { l_error("Can't parse %s", setting_key); return -EINVAL; }
+ return 0;
 }
@@ -1051,6 +1064,7 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 struct eap_tls_state *eap_tls;
 char setting_key[72];
 char *domain_mask_str;
+ bool bool_val;
 L_AUTO_FREE_VAR(char *, value) = NULL;
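Review bot: The hint in the new l_warn() format, `[Security].EAP-%sFastReauthentication`, has no hyphen between the method name and `FastReauthentication`, while the key this patch actually parses is built as `"%sFastReauthentication"` from the settings prefix and is documented as `EAP-TLS-FastReauthentication` / `EAP-TTLS-FastReauthentication` / `EAP-PEAP-FastReauthentication`; unless eap_get_method_name() returns a name that already ends in a hyphen, the key printed to the user is one that cannot be set. I would change the literal to `" disabling [Security].EAP-%s-FastReauthentication",` so the log and the parsed key agree. If eap_get_method_name() can return NULL at reset time, passing it to `%s` is undefined behaviour, so a fallback such as `eap_get_method_name(eap) ?: "<method>"` would be safer; whether it can be NULL here is not visible in this hunk. __eap_tls_common_state_reset starts and ends outside this hunk.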
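Review bot: The added `|| eap_tls->tls_cache_disabled` only skips loading a cached session in eap_tls_tunnel_init(); whether a newly negotiated session is still written back into eap_tls_session_cache after the handshake is decided by code outside this hunk. If the cache is only attached to the tunnel on the path that `goto start` now bypasses, the opt-out is complete; if sessions are stored independently, this network would keep populating the cache with entries it never reads, so that store path should honour the flag too. A short comment at the condition would make the intent obvious, e.g. `/* Per-network opt-out: skip the cached session and run a full handshake */`. eap_tls_tunnel_init starts and ends outside this hunk.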
@@ -1080,6 +1094,14 @@ bool eap_tls_common_settings_load(struct eap_state *eap,
 l_free(domain_mask_str);
 }
+ snprintf(setting_key, sizeof(setting_key), "%sFastReauthentication", prefix);
+ if (!l_settings_get_bool(settings, "Security", setting_key, &bool_val)) bool_val = true;
+ eap_tls->tls_cache_disabled = !bool_val;
+ eap_set_data(eap, eap_tls);
 return true;
diff --git a/src/iwd.network.rst b/src/iwd.network.rst
index d3692834..719853fa 100644
--- a/src/iwd.network.rst
+++ b/src/iwd.network.rst
@@ -281,6 +281,21 @@ connect to that network.
 domain name. An asterisk segment in the mask matches any label. An asterisk segment at the beginning of the mask matches one or more consecutive labels from the beginning of the domain string.
+ * - | EAP-TLS-FastReauthentication, | EAP-TTLS-FastReauthentication, | EAP-PEAP-FastReauthentication, - Values: **true**, false
+ + Controls whether TLS session caching for EAP-TLS, EAP-TTLS and EAP-PEAP is used. This allows for faster re-connections to EAP-Enterprise based networks.
+ Some network authenticators may be misconfigured in a way that TLS session resumption is allowed but actually attempting it will cause the EAP method to fail or time out. In that case, assuming the credentials and other settings are correct, every other connection attempt will fail as sessions are cached and forgotten in alternating attempts. Use this setting to disable caching for this network.
 * - | EAP-TTLS-Phase2-Method - | The following values are allowed: | Tunneled-CHAP,
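Review bot: The default in the new settings_load block is implicit and easy to misread: when the key is absent l_settings_get_bool() fails and `bool_val` is forced to true, so `tls_cache_disabled` ends up false and caching stays on; the same branch is taken for an unparseable value, and only eap_tls_common_settings_check() (the earlier hunk at -1040) keeps such a value from silently re-enabling caching, assuming the check always runs before load. I would add a comment above the `if`: `/* Absent key: keep fast reauthentication (session cache) enabled; unparseable values are rejected by eap_tls_common_settings_check() */`. The temporary and the negation can also be collapsed into one line that states the default directly, `eap_tls->tls_cache_disabled = l_settings_get_bool(settings, "Security", setting_key, &bool_val) && !bool_val;`. eap_tls_common_settings_load starts outside this hunk and ends at the `return true` shown.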