yesterday i succeed to use aaa to login and can see aaa in sh aaa session

https://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/

today i simulate again, it access denied, do not know where is wrong

a. can it use active directory user account to login cisco switch and router if i add domain user group in network policy?

    if so, why need to set user radiusclient in router with the same password as the same as in radiusclient in window server 2008?

win 192.168.2.12 ---  switch 192.168.2.5 --- 192.168.2.1 R1

R1
conf t
hostname router1
int FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
no shut
end
conf t
ip route 192.168.2.0 255.255.255.0 192.168.2.5
end

enable
configure terminal
enable secret cisco
end
conf t
aaa new-model
username radiusclient privilege 15 password 0 cisco
crypto key generate rsa
ip ssh time-out 60
ip ssh version 2
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
ip domain-name radius1.local
radius-server host 192.168.2.12
radius-server key cisco
aaa group server radius NPSSERVER
server 192.168.2.12
exit
aaa authentication login default group NPSSERVER local
aaa authorization exec default group NPSSERVER local
exit

R2
conf t
vlan 10
int vlan 10
ip address 192.168.2.5 255.255.255.0
end
conf t
hostname router2
int FastEthernet1/0
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end
conf t
hostname router2
int FastEthernet1/1
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end
conf t
hostname router2
int FastEthernet1/2
switchport
switchport access vlan 10
switchport mode access
shutdown
no shut
end

R3

conf t
hostname router3
int FastEthernet0/0
ip address 192.168.2.7 255.255.255.0
no shut
end

conf t
ip route 192.168.2.0 255.255.255.0 192.168.2.5
end