Good afternoon, we are running an ACS server which we use for RADIUS authentication of wireless clients and remote access VPN clients. We have machine authentication turned ON to ensure only computers that are part of our Active Directory can connect to the wireless network. Although it was configured years ago, the machine authentication works about 80% of the time. A lot of times clients can't connect to the corporate wifi and when we check the RADIUS logs, we find that the RADIUS wasn't able to confirm a previous successful machine authentication in AD for that machine. User authentication succeeds; however, clients are denied connection since machine authentication fails.
For machines that do get authenticated, I have the MAR aging time configured to 4382 hours. This was done, to be honest, to lessen my own headaches so I'm not answering calls right, left and center each day.
What I want to know is whether I am missing something on my side or the AD side as to why RADIUS sometimes can't confirm a successful machine authentication for some machines. Also, I'm noticing this more and more with Windows 10 workstations. Even after multiple reboots, machines don't authenticate, as per RADIUS.
How does RADIUS actually check for the status of a workstation in AD?
Thanks