Please Help Diagnose RADIUS Timeout

stevenbailor
Level 1

I am attempting to deploy 802.1x to my VPN sites. My NPS has the ports allowed on both inbound and outbound rules.


I am using 1812 for authentication and 1813 for accounting (although 1645 and 1646 are also allowed on the NPS ports).


On a Cisco 3850-48P (139.139.210.18) on interface G1/0/21 I have a machine and a phone.

If I configure 802.1x here at my campus (a network which is directly connected to RADIUS), I can authenticate with no problems. So it is not a server issue.

The phone is only authenticating since I have the "trust device cisco-phone" command enabled.

Interface info:

description USER_DOT1X
switchport access vlan 120
switchport mode access
switchport voice vlan 3120
trust device cisco-phone
authentication control-direction in
authentication event fail retry 3 action authorize vlan 65
authentication event server dead action authorize vlan 120
authentication event no-response action authorize vlan 67
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication timer restart 65535
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
spanning-tree portfast

 

I can ping my server (147.36.34.164), and I quadruple checked that the shared-secrets were identical.

Once 802.1x is enabled, the debugging capture authenticates the phone due to it being a "trusted device" but still says "Check network"; the machine does not authenticate. Here is my output: **I have omitted irrelevant lines**

See attached for the full notepad log and other commands.

1 Reply

RichardAtkin
Level 3

Your switch logs say access-reject received from RADIUS server; what do the logs in your RADIUS server say?
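
Added example, not part of the thread or either poster's code: a Python check of the RFC 2865 Response Authenticator. It shows that a reply computed with a different shared secret is discarded by the client and so appears as a timeout, while a reply that is logged as Access-Reject has validated against the secret. All packets, secrets and function names here are constructed for illustration.

```python
import hashlib
import hmac
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    # Constructed server reply, used only to feed the checker below.
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def classify_reply(reply, request_id, request_auth, secret):
    # What a RADIUS client should conclude from one reply datagram.
    if len(reply) < 20:
        return "discarded: shorter than the 20-byte header"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        return "discarded: bad length field"
    if ident != request_id:
        return "discarded: identifier does not match the request"
    attrs = reply[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        # Silently dropped, so the client retransmits and finally times out.
        return "discarded: authenticator mismatch (shared secret differs)"
    return CODES.get(code, "unexpected code %d" % code)

if __name__ == "__main__":
    request_auth = bytes(range(16))            # constructed Request Authenticator
    msg = b"denied by policy"                  # constructed Reply-Message text
    attrs = bytes([18, 2 + len(msg)]) + msg    # attribute 18 = Reply-Message
    reply = build_reply(3, 7, attrs, request_auth, b"server-side-secret")
    print(classify_reply(reply, 7, request_auth, b"server-side-secret"))
    print(classify_reply(reply, 7, request_auth, b"switch-side-secret"))
```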