There can be many reasons if extended authentication fails for a device, but one of the common reasons is that the Network Device Group (NDG) key takes precedence over the AAA client key.
Currently, ACS provides the ability to define a key for a whole NDG, which is then applied to all devices in that NDG. Even if the individual NAS has its own key defined, the NDG key takes precedence. This was done in order to allow users to quickly define one key for many devices, but it is not common for a group setting to automatically override an individual setting.
The current workaround is not to define a key under the NDG if you want individual keys on all NASes.
Note: A enhancement request has been opened in Cisco bug ID CSCsi92512 in order to provide the ability to override the NDG key with the NAS individual key setting.