Radius Validation server tests from the Enterprise Gateway may return a successful login using vsradiusclient_test.exe, but may fail from the Radius client\NAS.
UDP high ports closed on the firewall
The RADIUS client may choose a random UDP port to communicate to the VIP RADIUS Server on a specific port. The Radius request may originate from a high port on the client to the Enterprise Gateway server port, for example, 1815. The Enterprise Gateway server (radius) response will be sent from port 1815 to the client on the same originating port.
VIP RADIUS traffic is internal. Hence, allowing all outbound UDP traffic from the Enterprise Gateway to the originating client(s) is recommended.
Inress\egress Wireshark sample showing client using port 54658 to VIP RADIUS server port 1814: