To connect to a WLAN, devices use a AAA profile which specifies a default 802.1x role, which is what clients get by default when they connect via 802.1x. In that AAA profile, there is a 802.1x profile if "Enforce Machine Authentication" is enabled, will allow you to place domain devices in one role and other devices that attach in another role.
To make a long story short, you are probably using "Enforce Machine Authentication" on your regular WLAN and on your RAP WLAN, you are not. To find out:
On the commandline, type "show user-table verbose" and find a user on a RAP. In the "profile" column indicates the AAA profile of that user. In the GUI, go to configruation> security> Authentication. Under AAA profile, find the profile that you saw in the step above and click on the name of that profile. In the right pane, you should see the 802.1x profile attached to that AAA profile. Find that 802.1x profile by clicking on the Layer-2 Authentication Tab > 802.1x Profile> and look for that 802.1x profile you saw before. Click on the profile and see if "Enforce Machine Authentication" is checked. If not, that is why you have your issue at your remote site.