This is an unusual situation and I am not sure that there is a good way to get it to work. There are a few possibilities that come to mind but I am not confident that they would really work well:

- if the NMS server were locally connected to each of the routers you might get it to work by configuring your aaa on the routers to specify the IP of the Radius and configuring a static route for the Radius IP address with the NMS as the next hop. This assumes that if the Radius request got to the NMS server that the NMS server would forward it to the Radius server. But if the routers are not all locally connected to NMS (as seems likely) then the static route would not work.

- a related strategy would be to configure your aaa on the routers specifying the IP address of the Radius and configuring Policy Based Routing on all of the routers to forward Radius requests toward the NMS server. This solution assumes that you can get the NMS server to forward all Radius requests to the Radius server, and I am not not sure whether that really would work.

- another strategy might be to configure a site to site vpn between each of the routers and the NMS server, to configure aaa specifying the IP address of the Radius server, and configuring the site to site vpn so that Radius requests and responses were carried over the site to site vpn. But this also assumes that the NMS server will forward Radius requests to the server and that assumption seems questionable.

Having thought of some alternatives (which I admit are questionable) I would ask why the Radius server needs to be out of band from the routers that would use it.