So you're saying that the NPS is a server hosted in Azure, which you presumably reach through an IPsec tunnel?
If so, check if your IPsec tunnel interface has an IP configured:
show sys interface remote-win | grep "set ip"
If there's no IP, that's the usual reason why traffic like this doesn't work.
There are two solutions to this:
1. Specific to this RADIUS object: set a source IP for it

config user radius
    edit <radius-server-name>
        set source-ip <some-ip>
    next
end
The source-IP should be an IP owned by the FortiGate (usually a "LAN-side" interface's IP), and it should also be an IP that NPS expects to talk to it. (remembering that in NPS you have a list of permitted clients + potentially source-IP restrictions in Connection Request Policies)
2. General solution for all local-out traffic: set an IP for the tunnel interface.
Simply edit the VPN interface and give it an IP. There are additional configuration steps you may have to consider:
- Routing: the Azure side of the tunnel should recognize the new IP and know that it is reachable through the tunnel.
- Firewall policies: The Azure side needs to know that this traffic is permitted to pass.
- IPsec traffic selectors: there must be an IPsec ESP SA that allows packets coming to/from this IP. If your selectors are 0.0.0.0/0 -> 0.0.0.0/0, or they already include the new IP, you're good to go. Otherwise you may need to add a new phase2 to ensure this is allowed to pass through.
[ corrections always welcome ]
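A worked FortiOS CLI configuration for the check and for both fixes described above, added here as an example; it is not the original poster's configuration. The tunnel interface name remote-win is taken from the post; everything else is an assumed placeholder: port2 as the LAN-side interface at 192.168.1.1/24, 10.1.2.0/24 as the Azure subnet holding the NPS server 10.1.2.3, 10.255.255.1 as the new tunnel interface IP, and NPS-Azure as the RADIUS server object name. The Azure-side routing and firewall changes are not shown.

```fortios
# Added example, not the original poster's config. Assumed names/addresses:
#   remote-win   : IPsec tunnel interface to Azure (name from the post)
#   port2        : LAN-side interface, 192.168.1.1/24
#   10.1.2.0/24  : Azure subnet that holds the NPS server 10.1.2.3
#   10.255.255.1 : new IP for the tunnel interface (option 2)
#   NPS-Azure    : RADIUS server object on the FortiGate

# 0. Check: does the tunnel interface have an IP at all?
#    No output from grep means no IP, so local-out traffic through the
#    tunnel (RADIUS included) has no usable source address.
show system interface remote-win | grep "set ip"

# 1. RADIUS-specific fix: source the requests from the LAN interface IP.
#    192.168.1.1 must be a permitted RADIUS client on NPS and must not be
#    excluded by a source-IP condition in a Connection Request Policy.
config user radius
    edit "NPS-Azure"
        set server "10.1.2.3"
        set secret <shared-secret>
        set source-ip 192.168.1.1
    next
end

# 2. General fix: give the tunnel interface an IP so every local-out
#    session (RADIUS, DNS, SNMP traps, ...) gets a source address.
config system interface
    edit "remote-win"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# 2a. Routing: the Azure subnet must be reachable through the tunnel.
config router static
    edit 0
        set dst 10.1.2.0 255.255.255.0
        set device "remote-win"
    next
end

# 2b. Traffic selectors: the new tunnel IP must be covered by a phase2.
#     Skip this if the existing selectors are already 0.0.0.0/0 <-> 0.0.0.0/0
#     or otherwise include 10.255.255.1.
config vpn ipsec phase2-interface
    edit "remote-win-p2-local"
        set phase1name "remote-win"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 10.1.2.0 255.255.255.0
    next
end

# 2c. The Azure side must route 10.255.255.1 back into the tunnel and
#     permit the traffic; that configuration is not shown here.

# Verify: in one CLI session watch RADIUS packets on the tunnel, and in a
# second session send a test authentication against the server object.
diagnose sniffer packet remote-win 'udp port 1812' 4
diagnose test authserver radius NPS-Azure mschap2 <username> <password>
```

The sniffer output shows which source address the FortiGate actually uses; if it still shows nothing leaving remote-win after option 1, check that the source IP you chose is reachable from Azure through the tunnel's selectors before touching NPS.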