Yes, that's the logs I'm checking. The NPS basically just says The RADIUS Request message that Network Policy Server received from the network access server was malformed.

Looking at the message everything looks normal. Called Station ID is okay, correct policy is hit.

I checked now and the strange thing is sometimes I can se that access is granted, but the request itself looks exactly the same.. I've tried re-applying the config several times and even updated the client secret just to make sure. I just can't seem to find what the cause is.

Perform a packet capture on the upstream switch/AP VLAN and check for RADIUS packets with lengths different from the actual captured packet length, verifying the decoding of malformed RADIUS packets in Wireshark and checking for UDP fragmentation (common in EAP versions that exceed the MTU).

Even a VPN path that hasn't changed can still experience fragmentation if the new NPS server has a slightly different TLS handshake length.

I'm not using any proxy, I have the radius clients configured in the NPS by network for the management lan. I created a new NPS secret yesterday just to make sure there was no whitespace och special characters etc but no change.

We have a VPN to 2 VMXs in an Azure WAN with secured hubs. But this setup has worked without issues for at least 3 years.

When I got in this morning the whole thing got a lot more strange. I had updated 2 sites yesterday, this morning I updated 2 more. Now all of a sudden the issue has shifted to the NPS server that was working flawlessly yesterday.

So now my new server is granting access like nobodies business but the other one is discarding..  I'll have to do some kind of packet capture deep dive but now I'm 90% certain something fishy is going on in my Meraki dashboard..