WiFi AP One Management Problem

I realize I will only get part of this fixed, but have a question regarding the Balance 380 and a handful of AP Ones. The AP Ones are controlled by the Balance 380, which sits on the edge of our network outside of our Cisco ASA firewall (IP example would be - public IP). The Balance is in “Drop In” mode, and that all works flawlessly. The AP Ones are able to see the Balance, which is managing them. However I’m trying to implement NPS in Server 2008. It gives an error of “An Access-Request message was received from RADIUS client X.X.X.X with a Message-Authenticator attribute that is not valid.” I looked it up and it thinks the “Shared Secret” is wrong based on that message.

From testing, when the Balance 380 was on the internal network (example 192.168.1.x) I didn’t get this message. Then we moved the Balance 380 into production on its public IP, and suddenly the wireless piece has come to a halt due to the error. Is there something that needs forwarded/changed etc in the Balance, or unblocked on the firewall to fix this?

I don’t see why the Balance would be trying to communicate with the internal network apart from the WAPs, so not clear on if that is a place to start or not.

Thanks in advance.

Figured it out I think. There was some ICMP communication that was being blocked by the FW. I fixed that and now I have a different error, but it appears the AP One is talking with the NPS server OK.
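The NPS error quoted in the first post comes from the Message-Authenticator check of RFC 2869: an HMAC-MD5 over the whole Access-Request, keyed with the shared secret that the server selects by the packet's source address. The following Python is an added example, not part of the original posts, showing that the same request validates from one source address and fails from another whose client entry holds a different secret; all addresses, secrets and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ATTR_MESSAGE_AUTHENTICATOR = 80
# Constructed RADIUS client table: source address -> shared secret.
CLIENTS = {"192.168.1.10": b"lab-secret", "203.0.113.10": b"other-secret"}


def build_access_request(secret: bytes, identifier: int, username: bytes) -> bytes:
    """Build an Access-Request (code 1) ending in a Message-Authenticator."""
    attrs = bytes([1, 2 + len(username)]) + username  # User-Name attribute
    # The 16-octet value is all zeros while the HMAC is being computed.
    attrs += bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    packet = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + os.urandom(16) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 with the attribute value zeroed and compare."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # attribute absent


def check_from_source(packet: bytes, source_ip: str, clients: dict) -> str:
    """Select the secret by source address, then validate the request."""
    secret = clients.get(source_ip)
    if secret is None:
        return "unknown client"
    ok = verify_message_authenticator(packet, secret)
    return "valid" if ok else "invalid Message-Authenticator"
```

When a device moves from an internal address to a public one, comparing the source address the server actually logs against its RADIUS client entries shows which secret is being applied to the request.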