It is assumed there are no connectivity issues and that the access-requests are successfully reaching FortiAuthenticator:

exe tcpdump -i port1 port 1812
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on port1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:04:45.654662 IP 10.191.19.149.4825 > 10.5.20.234.radius: RADIUS, Access-Request (1), id: 0x12 length: 169
12:05:20.375736 IP 10.191.19.149.19122 > 10.5.20.234.radius: RADIUS, Access-Request (1), id: 0x13 length: 169
12:05:21.604248 IP 10.191.19.149.23409 > 10.5.20.234.radius: RADIUS, Access-Request (1), id: 0x14 length: 169
^C

This event is logged when the source IP address of a request does not match the client IP address configured on FortiAuthenticator:

2025-01-08T12:04:45.655081+01:00 fortiauth radiusd[3255]: Ignoring request to auth address * port 1812 bound to server default from unknown client 10.191.19.149 port 4825 proto udp

This can occur if the client IP configured on FortiAuthenticator is incorrect and does not match the actual source IP of the request, if there is NATing in between, or if a specific source IP is configured:

config user radius
    edit "fac-aws"
        set source-ip "10.191.19.149"
    next
end

Ensure that the RADIUS client IP configured on FortiAuthenticator is correct. In this example, the actual source IP of the request is 10.191.19.149, not 10.191.19.150 as configured on FortiAuthenticator.

If a certain source IP needs to be used, 'set source-ip', and make sure the correct one is set on both sides, client and FortiAuthenticator.