This question is much more a Microsoft/Windows question than a Meraki question, but I expect some of you guys have experience with NPS and may be able to help.
I have RADIUS working for AD authentication using what will be my "fallback" policy in the end. The fallback policy has a single Condition (EAP OR PEAP) and is last in the processing order.
I have added a second (first in processing order) policy that contains the same EAP OR PEAP Condition as well as a User Groups condition that should match for users who are part of the selected group (WKAdmins).
However, when I login (802.1x) as a user from our WKAdmins group, the login is successful but it uses the fallback policy. I have confirmed that the user is part of the WKAdmins group, and that the NPS Server is able to see the group membership for that user, but I don't know what else I can look at. NPS seems to be a black box, and all there is to see is the result of a request. I can see that the NP-Policy-Name used to authenticate the user is our fallback policy, but I have no way to see why, or look deeper in to that process as far as I can see.
If anyone knows of tools that would be helpful in troubleshooting, or, better yet, what I may be missing, I would greatly appreciate it.