When this happens can you see the device showing up in the user-table ?
Do you get a valid IP address or a 169.x.x.x ?
Do see the eap request making it to the radius server ? , can you run the show auth-tracebuf to see that process or check the auth logs in NPS ?
Does happen on a certain VLAN ?
You should try enabling logging level debugging security subcat aaa on the controller this might tell whats going on when this occurs