Whether Radius COA will working on an IAP VPN solution when the inner IP is source nated on controller ?
If the inner IP is not routable on IAP VPN solution then for dot1x authentication to work we need have the source nat rule configured on default-vpn-role on controller(IAP will be coming up in user-table with role default-vpn-role).
By doing this controller will source nat the radius request and send it to the radius server where controller IP will be acting as the Radius client.
However, Radius COA initiated by server has to be reached directly to Radius clients as per RFC 3576 and source nat will not work. Hence we need to make sure the IAP VPN inner IP is routable so that the inner IP will be acting as Radius client and COA will work.