This issue occurs due to presence of Cisco bug ID CSCsi04187.
In a multiple forest Active Directory environment Microsoft Protected Extensible Authentication Protocol (MS-PEAP), machine authentication fails to any forest ACS is not a part of if the machine name is sent in DNS format. host/ format is not supported until ACS 220.127.116.11.
For example, if ACS is in Forest1 and host/machine.com is in Forest2, authentication fails with these error messages:
CSWinAgent 03/05/2007 09:26:26 A 0063 2708 NTLIB: Could not find machine host/test.one.ads.che.org  CSWinAgent 03/05/2007 09:26:26 A 0063 2708 NTLIB: host/test.one.ads.che.org is not a valid machine name
In order to resolve this issue, there are two workarounds:
Install radius on the second forest and make ACS proxy to it.
Configure the supplicant to send the machine name in host/ format. Many supplicants do not have this option.