Tracing Untraceable AD Account Lockouts
I have only just finished a call with Microsoft about exactly this, so hopefully the following information will help :)
Authentication attempts can happen at a couple of spots, and notably if you are using PEAP authentication for wireless connections, authentication negotiation also occurs through the EAPHost service.
The EAPHost service I find doesn't have fantastic authentication logging (it's miserable actually - trace file), so if for whatever reason authentication fails in EAPHost, the authentication failure attempt is logged using the somewhat generic authentication eventIDs in the event log and nothing at all in IAS Logs.
What we did discover was that a newly built RADIUS server was logging far more information in the IAS logs than our in production system. I went through an reconfigured logging through the configuration log to include accounting information (tick all the boxes in the wizard!), restarted the service and found all that missing IAS events were now being logged including MAC Addresses and SSIDs into the IAS Log files.
Hope this may help :)