Lets check some basics (I'm assuming you are using WPA2-Enterprise mode):

• Are you running an Enterprise CA?
• Have you requested a certificate from that CA for the NPS server?
• In Policies/Network Profiles:
  • On the Overview tab tick "Ignore user account dial-in properties"
  • I normally set a "Condition" that Nas-Port-Type=Wireless
    • Under "Constraints/Authentication Methods" un-tick all methods. Add PEAP. Edit PEAP and make sure the certificate you requested above is selected. Under EAP-Types make sure only EAP-MSCHAPv2 is selected.

will try this and let you know

currently i have only added AP ip which is on different subnet compared to our corporate subnet.

so not sure if there is a point of adding the entire subnet

What connects these two subnets? Layer 3 switch, router, firewall?

Does the NPS server run antivirus that also contains a firewall?

Is Windows Firewall enabled on the NPS server? If so, has it got an exclusion for the 1812 and 1813 ports?

i might have to check the certificate its getting.

to my understanding all my settings are correct.

going through the certifcate requirement for this. let me see how i go.

For what it's worth, I was having this exact same issue with a Windows Server 2019 VM running NPS. Meraki could not connect to it, the key was right, the settings were right, everything was right. I rebooted the server and it suddenly started working.

Can I ask you this?

My MR42s gave been crapping out only on one of the radius SSIDs.

Did you notice something similar.

They could connect to NPS, but not to internet. sporadic in random parts of the building.

Is there a way to scedule weekly AP reboots all at once and I could just run them on Saturday at like 3am?

Thank you! This helped as the AP was relocated from another location and assigned new IP. I had to remove the AP from NPS and re-add with new IP/manual generated password. WORKED!