Just putting this here to help out anyone that might have issues with inconsistent client AUTH between:
C9800-L 17.6.5 as WLC + Windows Server 2008-2012 NPS as AAA
I had a problem with CUs wireless clients failing auth.
Some client devices were able to auth without issues, others were not.
Issue was not exclusive to a certain manufacturer (Android/Microsoft/Apple etc.).
The NPS was replying with jumbo packets 1500+ MTU. Any reply of that size packet-wise was a failed connection with Client time-out reasoning.
On the RA traces, we saw that the client was initiating auth, found the AAA server, conversation began and then client deletion was scheduled due to timeout, no reply from client.
Once the MTU size was reduced from the NPS to below 1450, all clients were able to connect without problems.
Run a PCAP on the NPS and check the MTU size; if you see 1500+ MTU, reduce it from the NPS and check if clients are able to connect. This issue is not even documented by Microsoft; it was found in a random Palo Forum.
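
One way to do the capture check described above, as an added example that is not part of the original post: it reads a classic-format pcap taken on the NPS and lists RADIUS replies whose IP datagram is fragmented or larger than a limit. The function names, ports 1812/1645, the 1450 default (the post's figure, applied here to IP datagram size) and the constructed sample capture are assumptions.

```python
import struct

RADIUS_PORTS = {1812, 1645}  # RADIUS authentication ports (current and legacy)

def large_radius_replies(pcap, limit=1450):
    """Return [(packet_no, ip_datagram_size, fragmented)] for oversized replies."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    hits, off, num = [], 24, 0
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off, num = off + 16 + caplen, num + 1
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 carrying UDP
        ihl = (frame[14] & 0x0F) * 4
        flags_frag = struct.unpack("!H", frame[20:22])[0]
        if flags_frag & 0x1FFF or len(frame) < 14 + ihl + 8:
            continue  # later fragments carry no UDP header
        sport, _dport, udp_len = struct.unpack("!HHH", frame[14 + ihl:20 + ihl])
        size = ihl + udp_len  # whole datagram, even when this is only fragment 1
        fragmented = bool(flags_frag & 0x2000)  # More Fragments bit set
        if sport in RADIUS_PORTS and (fragmented or size > limit):
            hits.append((num, size, fragmented))
    return hits

def _frame(sport, dport, udp_len, on_wire, mf=False):
    """Constructed Ethernet/IPv4/UDP frame; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + on_wire, 1,
                     0x2000 if mf else 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + b"\x00" * on_wire

def sample_pcap():
    """Constructed capture: request, 148-byte reply, fragmented 1828-byte reply."""
    frames = [_frame(50000, 1812, 308, 300), _frame(1812, 50000, 128, 120),
              _frame(1812, 50000, 1808, 1472, mf=True)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(large_radius_replies(sample_pcap()))
```

Captures saved as pcapng need converting to classic pcap before this will read them.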