Is that the authentication for the client?
Does your AP have a static IP, or is it DHCP?
Is the AP connected to a controller or is it EBW?
Is the policy checking for NAS ID?
I am just thinking that after a reconnect the AP is getting a new IP and the RADIUS packet is sourced from a different IP if the policy is not checking for the NAS ID... but I am not a RADIUS expert at all...
And last but not least - move away from EAP-FAST on ISE<2.6 and iPhones 🙂 I had too much trouble with TLS version mismatch.