Please find attached an MS PowerPoint describing step by step how to easily setup RADIUS on your Windows 2012 R2 Domain Controller.
It also shows how to configure CA PAM to utilise this specific RADIUS implementation.
With RADIUS in place CA PAM can perform an encrypted authentication of the configured Active Directory user - unlike with LDAP where the user's password travels in clear text over the wire.
Note, If you already have an LDAP group imported in CA PAM reflecting the relevant Active Directory User Group (as it is described in the initial LDAP section of the ppt) you need to first delete the group in CA PAM prior reimporting the same AD Group into CA PAM - now with RADIUS authentication method specified.
I hope you find this helpful.