When using RADIUS External Authentication with TPAM, the RADIUS Access-Request packet is sent with the NAS-IP-Attribute set to 127.0.0.1. Depending on the RADIUS server configuration this may cause failure to authenticate. Typically this attribute would be the IP of the RADIUS client and not 127.0.0.1.
This does not impact RADIUS authentication with Defender as an example.
If possible, configure the RADIUS server in a way that this does not affect authentication. For example, ignore this attribute.
Issue fixed in version 2.5.920. The latest version of the product can be downloaded here