I would try to capture (packet capture) the authentication packets to see why the authentication became stale => I expect that some packets are being lost. The question is where = client to ap, or AP to controller, or controller to radius server. (Can be configured as SITE = AP to radius server directly).
Regards
ZdenÄk Pala