Hello Joel,
We've implemented the identical structure. We use the Microsoft NPS server as the RADIUS server. We've created several policies there, which the server processes from top to bottom. As you can see, the Meraki VoIP policy comes first. It also includes the attribute for the switch, indicating that it's a VoIP device. I'm attaching a few screenshots for you.
We use MAB for the VoIP phones and EAP-TLS for the domain computers. Users are then authenticated via EAP-TLS based on their domain user certificate. For this purpose, we've created groups in our AD to determine which user belongs to which VLAN. We query these groups under the conditions in the NPS server.
It's also important not to check the "Fast Authentication" box in the Meraki dashboard; this causes massive problems for us.
I hope this is now a little clearer for you.






