I don't want to assume anything, so if it's ok, can I confirm a few things first. When you say that it is using a custom radius, is the option selected 'my Radius server' from the option under Security>Enterprise with in the Wireless>Access Control part of the dashboard?
If so, I assume that under the Radius settings you have it configured to point to the radius server, which is what I'm ultimately trying to lead you too. This could be an ISE appliance/Service or any other Radius server, but this is where I think you need to start your actual investigation as it is the configuration within the Radius server which will tell you how clients/devices are authenticating the network.
Which protocol is the policy that your clients should be matching to within the radius server (Apologies I'm using ISE terminology (I think)) EAP-TLS, PEAP, MS-CHAP...etc. How are clients/devices to authenticate, with a username/password or with a certificate, potentially both. The protocol will kinda determine which authentication method is to be used.
I know that you have said that entering credentials allows the users to login, but it may well be that users/devices are actually supposed to authenticate with certificates, but the radius also allows username/password.
I've had issue previously where computer accounts weren't located within the correct OU in AD, so a GPO which assigned the configuration for the wireless connection haven't been pushed out.
My advise is to start at the radius server, look to see how succesfull clients/devices authenticate, and look to then see why your failed clients don't automatically...I do hope that this does assist you in your investigation.
