RADIUS – Test Works but Actual Logon Fails


Let me start by putting my issue into one sentence:

I have a Catalyst 4507 and I can't log onto it using RADIUS, even though the configuration is the same as on a Catalyst 3850 which is working, and testing RADIUS using the IOS-XE tests on the 4507 is successful. What could be the problem?

I successfully configured a Catalyst 3850 to use a Windows Server 2008 R2 NPS server for RADIUS. I mostly replicated that configuration on a Catalyst 4507 (adjusted for platform differences) and when I run test aaa group on the 4507, the test succeeds. When I try to actually log on to the 4507 with an account that needs RADIUS to authenticate, it fails. It looks like the failure on logon is a timeout contacting the RADIUS server, but I can't figure out why the authentication request would work differently between the test and the actual logon.

Here's some config, test, and output:

Config

Version:

#show ver
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch  Software
 (cat4500es8-UNIVERSALK9-M), Version 03.08.02.E RELEASE SOFTWARE (fc2)

Management Interface (from which RADIUS requests must be sent):

!
interface FastEthernet1
 vrf forwarding mgmtVrf
 ip address yy.yy.yy.yy 255.255.255.0
 speed auto
 duplex auto
!

AAA Config:

#show run aaa
!
aaa authentication login default local group radius
aaa authorization exec default local group radius
aaa accounting exec default start-stop group radius
aaa accounting delay-start
username XXXX privilege 15 secret 5 XXXX
!
!
radius server NPSSERVER
 address ipv4 xx.xx.xx.xx auth-port 1645 acct-port 1646
 key 7 XXXX
!
!
aaa group server radius RADIUSGROUP
 server name NPSSERVER
 ip vrf forwarding mgmtVrf
 ip radius source-interface FastEthernet1
!
!
aaa new-model
aaa session-id common
!

Tests

Cleared counters:

#show aaa servers

RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1645, acct-port 1646
 State: current UP, duration 2157s, previous duration 0s
 Dead: total time 0s, count 13
 Quarantined: No
 Authen: request 0, timeouts 0, failover 0, retransmission 0
         Response: accept 0, reject 0, challenge 0
         Response: unexpected 0, server error 0, incorrect 0, time 0ms
         Transaction: success 0, failure 0
         Throttled: transaction 0, timeout 0, failure 0

RADIUS Test and Counters:

#test aaa group RADIUSGROUP username@domain.com XXXXXX new-code

User successfully authenticated

USER ATTRIBUTES

service-type         0   7 [NAS Prompt]
priv-lvl             0   15 (0xF)

#show aaa servers

RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1645, acct-port 1646
 State: current UP, duration 2278s, previous duration 0s
 Dead: total time 0s, count 13
 Quarantined: No
 Authen: request 1, timeouts 0, failover 0, retransmission 0
         Response: accept 1, reject 0, challenge 0
         Response: unexpected 0, server error 0, incorrect 0, time 4ms
         Transaction: success 1, failure 0
         Throttled: transaction 0, timeout 0, failure 0

Login Attempt and Counters:

login as: username@domain.com
Using keyboard-interactive authentication.
Password:
Access denied


#show aaa servers

RADIUS: id 1, priority 1, host xx.xx.xx.xx, auth-port 1645, acct-port 1646
 State: current UP, duration 2436s, previous duration 0s
 Dead: total time 0s, count 13
 Quarantined: No
 Authen: request 5, timeouts 4, failover 0, retransmission 3
         Response: accept 1, reject 0, challenge 0
         Response: unexpected 0, server error 0, incorrect 0, time 4ms
         Transaction: success 1, failure 1
         Throttled: transaction 0, timeout 0, failure 0

Here's the output from debug aaa authentication during a failed logon attempt:

*Dec  2 19:35:48.817: AAA/BIND(00000041): Bind i/f
*Dec  2 19:35:48.817: AAA/AUTHEN/LOGIN (00000041): Pick method list 'default'
*Dec  2 19:36:02.322: %RADIUS-4-RADIUS_DEAD: RADIUS server x.x.x.x:1645,1646 is not responding.
*Dec  2 19:36:02.322: %RADIUS-4-RADIUS_ALIVE: RADIUS server x.x.x.x:1645,1646 is being marked alive.
*Dec  2 19:36:14.379: AAA/AUTHEN/LOGIN (00000041): Pick method list 'default'

The logs on the NPS servers are pretty difficult to read, but I'm pretty sure they show success when I log on from the working switch, success when I test from the 4507, and no connection at all when I attempt to log on to the 4507.

(Mostly) Complete config:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname REDACTED
!
boot-start-marker
boot system flash bootflash:cat4500es8-universalk9.SPA.03.08.02.E.152-4.E2.bin
boot-end-marker
!
!
vrf definition mgmtVrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 REDACTED
!
username REDACTED privilege 15 secret 5 REDACTED
aaa new-model
!
!
aaa group server radius RADIUSGROUP
 server name RADIUSSERVER
 ip vrf forwarding mgmtVrf
 ip radius source-interface FastEthernet1
!
aaa authentication login default local group radius
aaa authorization exec default local group radius 
aaa accounting delay-start
aaa accounting exec default start-stop group radius
!
!
aaa session-id common
clock timezone UTC -5 0
clock summer-time EDT recurring
!
!
udld enable
!
!
ip domain-name domain.com
ip name-server REDACTED
ip name-server REDACTED
!
!
power redundancy-mode redundant
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree uplinkfast
spanning-tree backbonefast
!
redundancy
 mode sso
!
vlan internal allocation policy ascending
!
! ******* Port-channel interfaces redacted
!
interface FastEthernet1
 vrf forwarding mgmtVrf
 ip address x.x.x.x 255.255.255.0
 speed auto
 duplex auto
!
! ******** Line card interfaces redacted
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED 
 no ip redirects
!
interface Vlan11
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan20
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan23
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan24
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan28
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan29
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan30
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan40
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan60
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
interface Vlan100
 description REDACTED
 ip address REDACTED
 ip helper-address REDACTED
 no ip redirects
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 REDACTED
ip route vrf mgmtVrf 0.0.0.0 0.0.0.0 REDACTED
ip ssh version 2
!
ip access-list extended snmp-access
 permit ip host REDACTED any
!
ip radius source-interface FastEthernet1 
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps flash insertion removal
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps port-security
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps vlan-membership
!
!
radius server RADIUSSERVER
 address ipv4 REDACTED auth-port 1645 acct-port 1646
 key 7 REDACTED
!
!
!
!
line con 0
 logging synchronous
 stopbits 1
line vty 0 4
 exec-timeout 15 0
line vty 5 15
!
ntp server REDACTED
ntp server REDACTED
!
end

Best Answer

The mistake/oversight in my config is here:

aaa authentication login default local group radius

Using the radius keyword at the end instead of the explicit name of the RADIUS group defined elsewhere means the AAA system does not correctly use that RADIUS group. The correct AAA configuration command is this:

aaa authentication login default local group RADIUSGROUPNAME

where RADIUSGROUPNAME matches the name chosen in the first line of the following configuration commands:

aaa group server radius RADIUSGROUPNAME
 server name NPSSERVER
 ip vrf forwarding mgmtVrf
 ip radius source-interface FastEthernet1

The reason the test was successful is that I was specifying the RADIUS group name in the test, like so:

#test aaa group RADIUSGROUPNAME username@domain.com XXXXXX new-code

Running the test as follows would fail:

#test aaa group radius username@domain.com XXXXXX new-code
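As an added example (not part of the original question or answer), here is a small Python linter that catches this mismatch in a saved running-config before anyone finds it by being locked out. It parses the named `aaa group server radius` stanzas, extracts the server groups each `aaa authentication` / `aaa authorization` / `aaa accounting` method list references, and flags method lists that use the built-in `radius` group while a named group carries `ip vrf forwarding` or `ip radius source-interface` settings, which apply only to that named group. It also flags references to group names that are not defined anywhere. The sample config is constructed to mirror the one in the question; the server name and the 192.0.2.10 address are placeholders.

```python
"""Lint a Cisco IOS/IOS-XE running-config for AAA method lists that do not
reference the named RADIUS server group carrying the VRF/source-interface
settings. Added example; not the original poster's code."""
import re

# Constructed sample modelled on the question's config (placeholder values):
# a named RADIUS group scoped to a management VRF, plus method lists that
# point at the built-in 'radius' group instead of the named group.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server radius RADIUSGROUP
 server name NPSSERVER
 ip vrf forwarding mgmtVrf
 ip radius source-interface FastEthernet1
!
aaa authentication login default local group radius
aaa authorization exec default local group radius
aaa accounting delay-start
aaa accounting exec default start-stop group radius
!
radius server NPSSERVER
 address ipv4 192.0.2.10 auth-port 1645 acct-port 1646
 key 7 REDACTED
!
"""

BUILTIN_GROUPS = {"radius", "tacacs+"}


def parse_radius_groups(config):
    """Return {name: {"servers": [...], "vrf": ..., "source_interface": ...}}
    for every 'aaa group server radius NAME' stanza. A stanza ends at the
    first line that is not indented (e.g. the '!' separator)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^aaa group server radius (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = {"servers": [], "vrf": None, "source_interface": None}
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None
            continue
        body = line.strip()
        if body.startswith("server name "):
            groups[current]["servers"].append(body.split()[-1])
        elif body.startswith("ip vrf forwarding "):
            groups[current]["vrf"] = body.split()[-1]
        elif body.startswith("ip radius source-interface "):
            groups[current]["source_interface"] = body.split()[-1]
    return groups


def parse_method_lists(config):
    """Return [(kind, line, [referenced group names])] for each AAA method
    list. Every token following the keyword 'group' is a group reference."""
    lists = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^aaa (authentication|authorization|accounting) (\S+) (\S+) (.+)$", line)
        if not m:
            continue
        tokens = m.group(4).split()
        refs = [tokens[i + 1] for i, t in enumerate(tokens) if t == "group" and i + 1 < len(tokens)]
        lists.append((m.group(1), line, refs))
    return lists


def lint_aaa(config):
    """Return a list of human-readable findings (empty list means clean)."""
    groups = parse_radius_groups(config)
    # Named groups whose VRF/source-interface settings the built-in group lacks.
    scoped = sorted(n for n, g in groups.items() if g["vrf"] or g["source_interface"])
    findings = []
    for _kind, line, refs in parse_method_lists(config):
        for ref in refs:
            if ref in groups:
                continue
            if ref in BUILTIN_GROUPS and scoped:
                findings.append(
                    f"{line}: uses built-in group '{ref}', but named group(s) "
                    f"{', '.join(scoped)} carry VRF/source-interface settings that apply only to the named group")
            elif ref not in BUILTIN_GROUPS:
                findings.append(f"{line}: references undefined server group '{ref}'")
    return findings


def fix_method_lists(config, group_name):
    """Rewrite 'group radius' to 'group <group_name>' on AAA method-list lines
    only; every other line of the config is returned unchanged."""
    out = []
    for line in config.splitlines():
        if re.match(r"^aaa (authentication|authorization|accounting) ", line):
            line = re.sub(r"\bgroup radius\b", f"group {group_name}", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
    fixed = fix_method_lists(SAMPLE_CONFIG, "RADIUSGROUP")
    print("after fix:", lint_aaa(fixed) or "clean")
```

Run against the sample, the linter reports all three method lists (login authentication, exec authorization, exec accounting), which matches the answer's observation that `test aaa group RADIUSGROUP` exercises the named group while a real login walks the `default` method list and never reaches it. After `fix_method_lists` rewrites them to `group RADIUSGROUP` the config lints clean; note that the accounting list needs the same change, or accounting records will still be sent via the built-in group.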