hello all,
i have this issue with my radius based wifi authentication.
a multisite domain with 3 dcs. sites are linked with a ptp vpn tunnel (sonicwall), with no filters.
the ca distributed its root certificate to all the domain pcs and servers.
site A, 192.168.0.0/24:
2 w2008r2 dcs, 1 w2016 nap server with ca onboard; auth policy on domain "unifi" computer group and domain "unifi" user group.
15 ubiquiti access points on same lan, correctly set as radius clients on nps.
in this site the wifi authentication works like a charm; i decided for now to authenticate only domain computers, and everyone is connecting without any problem with peap ms-chap-v2.
site B, 192.168.1.0/24:
1 w2008r2 dc
3 ubiquiti access points on same lan, correctly set as radius clients on nps
in this site the wifi authentication, even if set up with the same parameters, does not work.
i can see an audit failure on my nps (id 6273), which shows no authentication with the computer, but with the domain user.
the same computer works in site A, not in site B.
i need to authenticate domain computers on site B; any suggestion on what to look at?
EVENT:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 05/06/2018 16:08:31
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: nps01.xxx.it
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID:XXX\first.last
Account Name:XXX\first.last
Account Domain:XXX
Fully Qualified Account Name:xxx.it/OU/first.last
Client Machine:
Security ID:NULL SID
Account Name:-
Fully Qualified Account Name:-
Called Station Identifier:AA-BB-CC-DD-EE-FF:site2-wlan
Calling Station Identifier:00-11-22-33-44-55
NAS:
NAS IPv4 Address:-
NAS IPv6 Address:-
NAS Identifier:1234567890
NAS Port-Type:Wireless - IEEE 802.11
NAS Port:0
RADIUS Client:
Client Friendly Name:unifi-ap-site2
Client IP Address:192.168.1.5
Authentication Details:
Connection Request Policy Name:Use Windows authentication for all users
Network Policy Name:Connections to other access servers
Authentication Provider:Windows
Authentication Server:nps01.XXX.it
Authentication Type:EAP
EAP Type:-
Account Session Identifier:-
Logging Results:Accounting information was written to the local log file.
Reason Code:65
Reason:The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
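The 6273 event above already contains the facts needed for triage: the User section holds a user account while Client Machine is NULL SID (so the supplicant presented user credentials, not the computer account), and the matched network policy is "Connections to other access servers", the catch-all policy NPS creates on installation, which means none of the custom policies (such as the one scoped to the "unifi" computer group) matched. The following Python script is an added example, not part of the post or of any Microsoft tool: it parses the event description into sections and derives those triage points. The sample event is a constructed copy of the one quoted above with the long Reason sentence shortened; the section and key names are the ones NPS writes in the event.

```python
"""Triage helper for NPS event 6273 (Network Policy Server denied access)."""
from __future__ import annotations

# Constructed sample: the event text quoted in the post above, with the long
# "Reason" sentence shortened. Identifiers are the post's own placeholders.
SAMPLE_EVENT = r"""
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Event ID: 6273
Computer: nps01.xxx.it
Description:
Network Policy Server denied access to a user.
User:
Security ID:XXX\first.last
Account Name:XXX\first.last
Account Domain:XXX
Client Machine:
Security ID:NULL SID
Account Name:-
NAS:
NAS IPv4 Address:-
NAS Identifier:1234567890
NAS Port-Type:Wireless - IEEE 802.11
RADIUS Client:
Client Friendly Name:unifi-ap-site2
Client IP Address:192.168.1.5
Authentication Details:
Connection Request Policy Name:Use Windows authentication for all users
Network Policy Name:Connections to other access servers
Authentication Type:EAP
EAP Type:-
Reason Code:65
Reason:The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

# Catch-all network policy that NPS creates at installation; it is the last
# policy evaluated, so matching it means no custom policy matched the request.
DEFAULT_CATCHALL_POLICY = "Connections to other access servers"


def parse_event(text: str) -> dict[str, dict[str, str]]:
    """Split a 6273 description into {section: {key: value}}.

    A line of the form "Name:" with nothing after the colon opens a section
    (User, Client Machine, NAS, RADIUS Client, Authentication Details);
    "Key:Value" lines belong to the current section. Lines without a colon
    (the free-text sentences) are ignored. Header lines before the first
    section land in the "_top" pseudo-section.
    """
    sections: dict[str, dict[str, str]] = {"_top": {}}
    current = "_top"
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(":")
        if not line or not sep:
            continue
        key, value = key.strip(), value.strip()
        if value == "":
            current = key
            sections.setdefault(current, {})
        else:
            sections[current][key] = value
    return sections


def triage(text: str) -> dict[str, object]:
    """Derive the points a defender checks first from a 6273 event."""
    ev = parse_event(text)
    user = ev.get("User", {})
    machine = ev.get("Client Machine", {})
    auth = ev.get("Authentication Details", {})

    # Computer accounts are logged as DOMAIN\HOST$; a user account with a
    # NULL SID client machine means user credentials were presented.
    account = user.get("Account Name", "-")
    if account.endswith("$"):
        identity = "computer"
    elif account != "-" and machine.get("Security ID") == "NULL SID":
        identity = "user"
    else:
        identity = "unknown"

    code = auth.get("Reason Code", "")
    policy = auth.get("Network Policy Name", "")
    return {
        "identity": identity,
        "reason_code": int(code) if code.isdigit() else None,
        "network_policy": policy,
        "fell_through_to_default": policy == DEFAULT_CATCHALL_POLICY,
        "radius_client": ev.get("RADIUS Client", {}).get("Client IP Address", "-"),
        "nas_identifier": ev.get("NAS", {}).get("NAS Identifier", "-"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

Run against the event from the post, the script reports identity "user", reason code 65 and fell_through_to_default True, which together say that the site B client sent a user identity and so never matched the computer-group policy; the same parser can be pointed at events exported from the NPS with Get-WinEvent to compare a working site A authentication (identity "computer") with a failing one.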