Created on 03-30-2022 03:55 AM, edited on 11-28-2024 10:43 PM, by Jean-Philippe_P
| Description | This article describes how to establish communication between FortiGate firewall and radius server which is in the remote end network. |
| Scope | All FortiGate models. |
Solution:

Consider the following scenario:

Local subnet: 10.5.55.0/24, Remote subnet: 10.0.0.0/24
Assume the RADIUS server IP address is 10.0.0.250.
The connection shows as failed under User & Authentication -> RADIUS Servers.
It usually fails because, when the RADIUS connection is initiated from the firewall, the firewall consults its routing table to select the route.
In this scenario it selects the tunnel interface. If the tunnel interface is configured with an IP address, and that address is covered by the local selectors of the VPN, the connection works fine. If no IP address is configured on the tunnel interface, the firewall picks the IP address of one of its other interfaces and uses it to try to reach the RADIUS server at the remote end.
If the selected IP address is not within the local selectors of the VPN tunnel, the traffic is dropped. To overcome this, define the source IP in the RADIUS server configuration as shown below:
```
config user radius
    edit "radiustest"
        set server "10.0.0.250"
        set secret ENC /Dp9GcJYXTBdl/CTDwyYvp8W3nefWdUdNpmYvH6vmAhgmQieZl2BcWVxc9rKhfLcE/qJNKqPLUFIgeIe/10TfNpXn5dvLzQFbt1Z5uUpSyDIVqczuNfIo7o4NxhzGaOzNqkPMsthkOenqYN81wDg8Z50WmyAA/bbDA9Wocu0sxr8KqPl8tayQr4Gbna2Hp50Iejl6A==
        set timeout 5
        set all-usergroup disable
        set use-management-vdom disable
        set nas-ip 0.0.0.0
        set acct-interim-interval 0
        set radius-coa disable
        set radius-port 0
        set h3c-compatibility disable
        set auth-type auto
        set source-ip "10.5.55.24"
        set username-case-sensitive disable
        unset group-override-attr-type
        set password-renewal enable
        set password-encoding auto
        set acct-all-servers disable
        set switch-controller-acct-fast-framedip-detect 2
        set interface-select-method auto
        unset switch-controller-service-type
        set rsso disable
        set secondary-server ''
        set secondary-secret ENC FBTTVqgH3ZqrtxkVFd2Dv3RxmSeBKfhiLODaYxGnslTyp4oHcFXKNo+hbVDtIs6ze8vJsHu+TSbLuVVrz8yhh5zMMcFjwO/qWgwIuccfeci1YBoesZQUlntWnyA7QseDcM1GxbD80Egs10Dondt09rdlSiPHN2aZRNSG6tLfICiQG4cdVcaxgtnsLR63+ZHql9P1NA==
        set tertiary-server ''
        set tertiary-secret ENC 6mW9CBPsUa/kCNBlCKDPpV9MQ9wBOhzdCXn+wAhBeYRmf0bWuIoQOD82tUVzw/axkw7vQTcRvK5FxaHELpUK90laIPxu2cKIGT3DydpdNQGXlc5f/RmhUd946C5dMcK2fxggCNAVoLS2ahDBfbq76gicKABq1jSOAym3FNcBBzJD3vCZt8silcxwGRb+8SmdqoEnDg==
    next
end
```
Here, the source IP has been set to '10.5.55.24', an address that lies within the local phase 2 selectors of the VPN tunnel. The RADIUS connection will now succeed.
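To make the failure mode concrete, the following is an added example (not Fortinet's code or anything from this article) that models the source-address selection described above: a longest-prefix route lookup picks the tunnel interface, and if that interface has no IP and no source-ip is set, a different interface's address is used, which then falls outside the phase 2 local selector. Interface names, the WAN address 203.0.113.10 and the rule that the fallback is simply the first configured interface address are assumptions; the subnets, server and source IP are the article's.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

@dataclass
class Route:
    prefix: IPv4Network
    interface: str

@dataclass
class Phase2:
    local: IPv4Network   # local selector: the request's source must fall inside it
    remote: IPv4Network  # remote selector: the request's destination must fall inside it

def egress_interface(routes: List[Route], dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match, as the firewall does when it initiates the RADIUS request."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen).interface if matches else None

def pick_source(routes, iface_ips: Dict[str, Optional[str]], dst, source_ip=None):
    """Source address of the Access-Request: an explicit 'set source-ip' wins; otherwise the
    egress interface's address; if that interface (the tunnel) has none, the firewall falls
    back to another interface's address (modelled as the first configured one; assumption)."""
    if source_ip:
        return ip_address(source_ip)
    iface = egress_interface(routes, dst)
    if iface is None:
        return None
    if iface_ips.get(iface):
        return ip_address(iface_ips[iface])
    return next((ip_address(ip) for ip in iface_ips.values() if ip), None)

def radius_reaches_server(routes, iface_ips, phase2: Phase2, server: str, source_ip=None) -> bool:
    """True when both source and destination fit the phase 2 selectors, i.e. the tunnel carries it."""
    dst = ip_address(server)
    src = pick_source(routes, iface_ips, dst, source_ip)
    return src is not None and src in phase2.local and dst in phase2.remote

# Constructed sample reproducing the article's scenario (interface names and the WAN
# address 203.0.113.10 are made up; the tunnel interface "to-remote" has no IP).
ROUTES = [Route(ip_network("0.0.0.0/0"), "wan1"), Route(ip_network("10.0.0.0/24"), "to-remote")]
IFACE_IPS = {"wan1": "203.0.113.10", "internal": "10.5.55.24", "to-remote": None}
P2 = Phase2(ip_network("10.5.55.0/24"), ip_network("10.0.0.0/24"))

if __name__ == "__main__":
    print(radius_reaches_server(ROUTES, IFACE_IPS, P2, "10.0.0.250"))               # False
    print(radius_reaches_server(ROUTES, IFACE_IPS, P2, "10.0.0.250", "10.5.55.24"))  # True
```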
Note: On both versions, a fix for the RADIUS vulnerability described in CVE-2024-3596 has been implemented, and it requires this validation: even when it is enabled, the Access-Request message must contain the Message-Authenticator attribute for the RADIUS client configured on the NPS server, otherwise it will not work.
Copyright 2026 Fortinet, Inc. All Rights Reserved.