Switch tries to authenticate to Radius by itself

Emil Naklicki
Level 1

I have over 50 switches that authenticate with NPS for logins. One of them in particular seems to try to authenticate to NPS on its own, and I'm not exactly sure why. The switch in question is a 3750 stack. This is flooding my NPS logs with failures. The switch is sending authentication requests without a username attached (which fails, of course). The calling station ID is 127.0.0.3. Below is a section from a RADIUS debug.

May 14 13:55:02.250: RADIUS: authenticator ********
May 14 13:55:02.250: RADIUS: User-Name [1] 12 "Username: "
May 14 13:55:02.250: RADIUS: User-Password [2] 18 *
May 14 13:55:02.250: RADIUS: NAS-Port [5] 6 2
May 14 13:55:02.250: RADIUS: NAS-Port-Id [87] 6 "tty2"
May 14 13:55:02.250: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
May 14 13:55:02.250: RADIUS: Calling-Station-Id [31] 11 "127.0.0.3"

May 14 13:55:12.216: RADIUS/ENCODE(000A18EA): ask "Username: "

Has anyone else experienced this issue?

10 Replies

balaji.bandi
Hall of Fame

Can you post the AAA config from the switch to look at? On the other side, is this IP added in your NPS?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

aaa new-model

aaa group server radius <Radius group name>
server-private <NPS server1 IP> auth-port 1812 acct-port 1813 key 7 ************
server-private <NPS server2 IP> auth-port 1812 acct-port 1813 key 7 ***********
ip radius source-interface Vlan89

aaa authentication login default group <Radius group name>
aaa authorization exec default group AM-Radius if-authenticated

This config does work in terms of me logging into my switch using my Windows credentials.

So the source address is using VLAN 89. This is working fine, as in I can log in myself against NPS to this switch. Also, NPS does log the failed attempts the switch tries on its own.


Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
Called Station Identifier: -
Calling Station Identifier: 127.0.0.3


NAS:
NAS IPv4 Address: <Correct switch IP>
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 1


Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.


It's strange because this is the exact same config I use on other switches in my environment.

Hello,

Odd indeed. I checked for bugs but could not find any. What RADIUS software are you using? The 127.0.0.x addresses are used by the stack members. I guess you could try and use an access list to block this specific host from communicating with the RADIUS server on port 1812?

Hello George,

I am using Server 2016 as a Network Policy Server. Thanks for the 127.0.0.x explanation; I wasn't sure where that was coming from. I suppose I could create an access list to stop this, but I am more concerned with what exactly is causing this behavior. But of course, if I can't find a solution, I will resort to the ACL.

Indeed, I noticed the same for 127.x.x.x, but as originally mentioned all the other switches are working (is it the same kind of address?).

May 14 13:55:02.250: RADIUS: Calling-Station-Id [31] 11 "127.0.0.3"

Can you compare with another working config and change the source address to use the correct one? Does NPS have this entry? Or what IP address does it have for the others?

BB


So the other switches do not send authentication unless I actually try to log into them. That's why I am not able to compare them on NPS. When I do authenticate to a switch, the Calling Station ID in NPS is the IP address of the computer from which I started my SSH session.

Example

Calling Station Identifier: 192.168.100.160 (my IP address; I'm logging into the switch via SSH)

So when we see 127.x.x.x it is as if it's starting its own session to NPS without a username. But the AAA settings are exactly the same on all of my switches.
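The pattern this thread describes (a User-Name attribute that carries only the login prompt text, and a Calling-Station-Id in 127.0.0.0/8 from a stack member) can be picked out of the switch's own debug output so the resulting NPS failures can be filtered or alerted on sensibly. The following is an added Python example, not code from the thread, from Cisco or from NPS; it parses IOS `debug radius` attribute lines in the layout quoted above, and the sample lines, including the `netadmin` login used for contrast, are constructed.

```python
import ipaddress
import re

# Constructed sample (not verbatim from the thread): the 'debug radius' attribute
# lines the post quotes, plus a normal SSH login from an admin PC for contrast.
DEBUG_LINES = """\
May 14 13:55:02.250: RADIUS: User-Name [1] 12 "Username: "
May 14 13:55:02.250: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
May 14 13:55:02.250: RADIUS: Calling-Station-Id [31] 11 "127.0.0.3"
May 14 13:58:40.101: RADIUS: User-Name [1] 10 "netadmin"
May 14 13:58:40.101: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
May 14 13:58:40.101: RADIUS: Calling-Station-Id [31] 17 "192.168.100.160"
"""

# One attribute per line: "<timestamp>: RADIUS: <Attr> [<type>] <len> <value>"
ATTR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): RADIUS: (?P<attr>[\w-]+) \[\d+\] \d+ (?P<val>.*)$"
)
STACK_NET = ipaddress.ip_network("127.0.0.0/8")  # stack members talk on 127.0.0.x

def parse_requests(text):
    """Group attribute lines into one dict per request, keyed by the shared timestamp."""
    requests = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            requests.setdefault(m["ts"], {})[m["attr"]] = m["val"].strip().strip('"')
    return list(requests.values())

def is_stack_internal(station):
    """True when Calling-Station-Id is a loopback address, i.e. a stack member."""
    try:
        return ipaddress.ip_address(station) in STACK_NET
    except ValueError:  # '-', empty, or a MAC address
        return False

def classify(req):
    """Reasons a request looks switch-originated; an empty list means a normal login."""
    reasons = []
    user = req.get("User-Name", "").strip()
    # A User-Name that is blank or just the login prompt text: nobody typed a name.
    if not user or user.endswith(":"):
        reasons.append("no real user name")
    if is_stack_internal(req.get("Calling-Station-Id", "")):
        reasons.append("calling station in 127.0.0.0/8")
    return reasons

def switch_originated(text):
    """Requests worth filtering out of NPS failure alerts (or chasing on the switch)."""
    return [r for r in parse_requests(text) if classify(r)]
```

Run against a longer debug capture, `switch_originated` returns only the stack-internal, user-less requests, leaving the real SSH logins untouched.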

Can you post the full configuration (removing the password) of the device that is not working?

BB


Here is the config with all personal info removed.

Apologies, I may have misread some of your information here. I was under the impression that you were not able to log in.

But in one of the posts you mentioned you are able to connect to the switch and you only see odd logs from 127.x.x.x; is this correct?

Then what @Georg Pauwen suggests is a good option for you.


BB
