Yeah, I fully verified the client IP addresses, even went as far as using individual IP addresses instead of a subnet. I also created an Authentication and Accounting template to ensure secret consistency and triple checking it is correct in the Meraki Access Policy. 

Yeah, the trusted root is indeed in the personal and root store on the server. 

I have gone through that article religiously over the last two weeks and still unable to get it to work. 

I am not finding anything regarding port 1812 on the NPS. I will run another scan to see. 

You're supposed to do a packet capture on the switchport leading to the NPS server while filtering on UDP port 1812 just to see if the access-request message is even reaching the NPS server and if a response is sent back.

If you have to do a dashboard capture then you will have to coordinate a test while capturing.

The Domain Controller/NPS server are in Azure. We are connected with a site-to-site VPN. I did a packet capture on "Internet 1" and "Site-to-Site VPN over Internet 1" and found no packets with port 1812.

So if you do the capture on the MX you would have to see it on the LAN side and in the site to site side if you are doing an AutoVPN to Azure.  So then you should also see the packet on the vMX.

So if you're are not seeing any packets you have a policy or routing issue.  That means the interface of the switch can't reach the NPS server.  So you'll have to check if the subnet of the switches is included in the VPN and all routing is correct.

Well, I do know for a fact that the switch can reach the NPS. In fact, if I lower my security to MSCHAPv2, I have no issues with the supplicant reaching the NPS. We also do not use a vMX.

If you are sure your routing is ok and you did the capture correctly and not see anything on UDP port 1812 leaving the switch, then you should capture the EAPoL frames on the port.  Your supplicant might not be sending EAPoL frames to the switch.

Yep, did that many times, this was my first assumption. 

That would be extremely weird since the switch is only encapsulating the EAPoL messages inside Radius and decapsulating in the return.  It does not matter what kind of EAP protocol you are using between the supplicant and the authentication server.  The only thing the switch needs in the end is an access-accept with potentially some AV pairs.

Has anyone been able to get it working? I have been on support many times and got nowhere. I myself also had a Meraki rep tell me similar things saying I should make a suggestion to the product team. I just for some reason don't buy this is the case considering this is a Cisco product we are talking about. 

As @GIdenJoe said, the whole purpose of EAP is to make the Network Access Device independent of the EAP method. At the moment, I am connected with EAP-TLS to an MS220-8P.

Are you using machine or user authentication? 

I have not, although, I plan on testing that today. As well as testing just computer authentication.