Well if it knows the client name, it isn't a bad secret key.
There are a lot of options controlling the content of radius messages on the switch. I do not use IAS, but this was a working configuration for me the last time I played with it.
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 61 extended
radius-server attribute 31 mac format ietf
radius-server vsa send accounting
radius-server vsa send authentication