ISE 2.6 - Radius requests on a different interface

tsuthar
Level 1

Hello, I am using ISE 2.6 in a VM setup. I have two interfaces:

G0: Meant for management purposes, to log in to the UI.

G2: Exposed to the network where the RADIUS AAA requests come in. It's a requirement to use only this G2 interface and not respond to RADIUS AAA requests on G0. The G2 interface was added afterwards, and I put a static route pointing to the G2 gateway for the NADs' IP subnet where the auth requests are generated. So IP reachability is there, but we discovered that interface G2 is not responding to the RADIUS requests. How do we make it work (besides fixing the IP route for return packets, which I already did)?

Thanks


@tsuthar ISE listens for RADIUS requests on all interfaces by default.

I assume you can ping the G2 IP address from the NADs?

The RADIUS server configuration on the NADs points to the G2 IP address?

If you run "show aaa server" is the RADIUS server UP?

@Rob Ingram Yes, the G2 IP is reachable by the NADs, and the AAA configuration is done to point to the G2 IP. We ran traces and the AAA requests are sent from the NADs, but there is no response coming back. To test and isolate the issue, I put FreeRADIUS (in the same subnet as the ISE VM) as an alternative, and it is able to authenticate/authorize without any problem. So that tells me that somehow ISE is not responding to the AAA requests. It looks like some configuration needs to happen, which I am trying to figure out.

Appreciate any help.

@tsuthar ok so you can ping the G2 interface, but does the NAD confirm the NAD is UP - "show aaa server"?

Run tcpdump on ISE to confirm the packets reach ISE.

I assume you've defined the NADs in ISE with the correct shared secret? If not there will be no logs.

Yes, all of that basic config is not an issue. Just to add to the tests we ran, here is another test: I moved one of the NADs to a different network which can reach the G0 interface (even though it's not allowed by policy, for testing purposes I managed to do it). I changed the NAD AAA config to point to the G0 IP, and the AAA is working just fine. So that tells me G2 is not able to serve the AAA requests.

@tsuthar Well, ISE listens for RADIUS on all interfaces; perhaps there is a bug for your patch version of ISE. Have you checked?

Did you confirm whether ISE receives the RADIUS requests destined to the G2 IP address by using tcpdump?


Yes, Rob. I see the RADIUS requests coming in. See the attached snapshot.

You've mentioned a possible bug. I have this patch applied: ise-patchbundle-2.6.0.156-Patch10-21081000.SPA.x86_64.tar.gz

Here is the livelog:

Steps:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11007 Could not locate Network Device or AAA Client
5405 RADIUS Request dropped

If it's sending the response on G0, obviously the NAD won't be reachable.

@tsuthar This message "Could not locate Network Device or AAA Client" sticks out.....

Conditions: Click the magnifying glass icon in Authentications to display the steps in the Authentication Report. The logs display the following error message:
11007 Could not locate Network Device or AAA Client
Possible Causes: The administrator did not correctly configure the network access device (NAD) type in Cisco ISE.
Resolution: Add the NAD in Cisco ISE again, verifying the NAD type and settings.

https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.pdf

Are you saying the packet capture confirms it's coming from the incorrect interface IP?


Sorry Rob, I was out yesterday.

If it's a NAD issue, then it should not work when using the G0 interface either. I tried re-adding the NAD type and attributes, but no luck.

To your earlier question: the tcpdump shows the incoming request to ISE on the G2 interface (the correct interface), but nothing going back, i.e. no response going out on G2.

From the NAD, can you ping G2?
How do you connect both interfaces to the switch?

Yes, I am able to ping the G2 interface (as stated earlier) from the NAD as well as from the client. G0 is on a different network, VM-NET-MGMT (for management purposes only, i.e. for users to log in to ISE etc.). G2 is on a different network that connects into the DC switch where the client and NAD auth requests come in. I hope this clarifies my setup.

Are you able to ping G2 using the NAD IP address as entered in ISE?
Use:
ping G2 source NAD IP <as you entered it in ISE>

@MHM Cisco World Thanks, that was the issue. When I flipped back and forth, I didn't change the IP of the NAD in ISE. Once I corrected it, auth started working. Thanks for the pointer.

You are so so welcome
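The root cause in this thread is worth seeing in code: a RADIUS server such as ISE looks up the network device by the source IP address of the Access-Request before it does anything else (shared secret, User-Password decoding, policy). If the NAD was moved to another subnet but its entry in the server still carries the old IP, the request is received (11001), a session is created (11017), the lookup fails (11007) and the packet is silently dropped (5405), which is exactly what a capture shows as "request in, nothing out". The following is an added example, not ISE code or anything posted in the thread: it builds a minimal RFC 2865 Access-Request, then simulates the server-side NAD lookup and User-Password decoding. The NAD table, addresses, shared secret and credentials are constructed for illustration; the step codes mirror the live log above.

```python
"""
Simulated RADIUS server-side handling of an Access-Request: match the NAD by
source IP first, then decode User-Password with that NAD's shared secret.
Constructed example; NAD table, IPs, secret and credentials are made up.
"""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Constructed NAD table, i.e. what an admin entered under Network Devices.
# The switch was later moved to 10.20.40.0/24, but this entry was not updated.
NAD_TABLE = {
    "switch-dc-01": {"net": ipaddress.ip_network("10.20.30.5/32"), "secret": b"s3cr3t"},
}


def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, encrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: 16-byte blocks XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, key))
        out += result
        prev = result if encrypt else block
    return out


def build_access_request(username: str, password: str, secret: bytes, ident: int = 7) -> bytes:
    """Build a minimal Access-Request carrying User-Name and User-Password."""
    authenticator = os.urandom(16)
    padded = password.encode().ljust((len(password) + 15) // 16 * 16, b"\x00")
    hidden = _xor_chain(padded, secret, authenticator, encrypt=True)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username.encode()
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(body: bytes) -> dict:
    """Parse type/length/value attributes; reject truncated or zero-length ones."""
    attrs, i = {}, 0
    while i + 2 <= len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    plain = _xor_chain(hidden, secret, authenticator, encrypt=False)
    return plain.rstrip(b"\x00").decode(errors="replace")


def locate_nad(src_ip: str):
    """The lookup ISE reports as step 11007 when it fails: source IP -> NAD entry."""
    addr = ipaddress.ip_address(src_ip)
    for name, nad in NAD_TABLE.items():
        if addr in nad["net"]:
            return name, nad
    return None


def handle_access_request(src_ip: str, packet: bytes) -> list:
    """Return the processing steps, in the spirit of the ISE live log."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return ["malformed RADIUS packet"]
    steps = ["11001 Received RADIUS Access-Request", "11017 RADIUS created a new session"]
    found = locate_nad(src_ip)
    if found is None:
        # No NAD configured with this source IP: the secret is never even tried
        # and no Access-Reject goes back, so a capture shows only the request.
        steps += ["11007 Could not locate Network Device or AAA Client",
                  "5405 RADIUS Request dropped"]
        return steps
    name, nad = found
    attrs = parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], nad["secret"], packet[4:20])
    steps.append(f"NAD {name} matched; User-Name={user}; User-Password={password}")
    return steps


if __name__ == "__main__":
    pkt = build_access_request("alice", "Passw0rd!", b"s3cr3t")
    for src in ("10.20.30.5", "10.20.40.5"):
        print(src, "->", handle_access_request(src, pkt))
```

Run it and the request from 10.20.40.5 (the switch's real address after the move) stops at 11007/5405, while the same packet from the address still in the NAD table goes through. The practical checks that follow from this are the ones the thread converges on: compare the source IP in the ISE-side tcpdump against the NAD entry, and from the NAD use `ping <ISE G2 IP> source <NAD IP configured in ISE>` to confirm the RADIUS traffic actually leaves from that address.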