When I filter on the wireshark captures done from the 9800 for udp.port==1812 the radius access-request packets show the source address as the configured client IP I used in the radius server config. Is there another way to validate it?

I checked and re-checked the shared key, I even put in the wrong one to see the output which gave a different error message in the show aaa servers command output (it complained about bad authenticators).

I just can't get my finger on this one, I will log a ticket with Cisco today.

Btw everything works fine with the old 2504 WLC in the environment but it just doesn't with the 9800 (It is a migration that I am finishing up - guest access works perfectly but not the corporate internet which relies on the radius authentication).

I think this might be pointing to asymmetrical routing as I think I should at least be receiving a reject message or some other information if the policy on the server is not matching the received conditions/attributes. I created a new client with exactly what was required from the 9800 WLC but got the same result in the capture as if communication isn't getting back. I will check the routing in the environment to see what is happening. Maybe the packets are being received by the NPS but the reply is being sent back to another interface IP on the WLC that isn't reachable...investigations in progress

Remember the 9800 will route the request packet according to the IP routing table so "sh ip rout" will show you whether it's going out the interface you expect it to.  If not then correct the routes as required.  Obviously the server needs to be able to route back to the source of the radius requests - not necessarily always the same interface it went out of but if it's going through a firewall or NAT then asymmetric routing is likely to cause drops so generally best to make sure the outward (request) and return (reply) routing take the same path.  The server radius reply will always go back to the same IP address that the request was sent from - not "another interface IP".

> That's the thing I can verify that the radius packets are going out the correct interface. I set it manually in the config and verified this in captures.

If you have indeed verified the correct outgoing interface from packet captures then that's great but setting the radius source IP (or interface) does NOT determine which interface it will be sent out of - it only determines the source IP address of the packet.  The packet will be ROUTED based on the destination IP address of the packet and that is how the outgoing interface is selected.

So you will have to trace the packets hop by hop to make sure they're getting to the server, and that the server is replying and then hop by hop back to the WLC to see where they're getting lost.  If the server isn't replying then you need to work out why on the server.  You might be missing some optional radius config on the WLC which is causing the server to ignore the packets.

@network_eng did you manage to solve the issue? I am afraid I have experienced the same error with aaa server on 9800WLC. Any further assistance will be helpful.

The same answer applies - compare the radius packets from the old WLC side by side with the radius packets from the new WLC and see what is missing or different and then adjust the radius configuration accordingly.
Also use the logs on your radius server to determine what it doesn't like about the 9800 radius packets.

HI Can you please check once again your AAA config and make sure under :

"aaa group server radius group_name"

You have added radius server that you have created only and there is no typo or something.

Thanks.