the NPS server should be as follows:
create policy for IPv4 address pool (I have found that it works best to create 1 policy per subnet)
create policy for windows accounts to have access(we create a network admin group and give vendor specific attributes as follows:
Vendor code 1991, yes to permit attribute 1, decimal, 0.
Next vendor code 1991, yes, 2, whois* 1.
Next vedor code 1991, yes, 3, decimal, 0
check all encryption types.
Harder to explain, much easier to show....
try this video: https://www.youtube.com/watch?v=KAGEA7OnPvY