WPA2/Enterprise with Radius over IPSec VPN

I have an IPSec tunnel established on VLAN X.

AP is configued as Radius client and WPA2/Enterprise. Radius server is on remote side of tunnel.

When clients try to connect to AP, the radius traffic does not pass through the IPSec tunnel. THe SSID is configured for VLAN X, so we are trying to figure out how else we can get the AP to talk to the Radius server.

What is the AP you are using, and does the AP have some other default route configured that it may be using and failing to reach the RADIUS server via?