Question
Client VPN - Fortigate RADIUS Authentication - Query regarding 3rd party implementation.
Hopefully someone can help here as I'm not making much progress talking directly with the 3rd party. We have a Client VPN provided by a managed Fortigate through our ISP. This is currently configured to use RADIUS authentication (an NPS server using an AD group to check allowed users) and has been working fine since day one. We have asked for a secondary RADIUS server entry to be added for redundancy, and this is currently only used for authentication by a small number of test users. The problem is that when using the second RADIUS server, the Fortigate receives a Reject message and then fails over to the first RADIUS server, which authenticates correctly. Now I have gone through the RADIUS server (NPS) config with a fine-tooth comb and both are set up exactly the same. Checking the logs on the new RADIUS server, the reason given is that the user's credentials are not stored with reversible encryption, and this is why it fails (enabling this on the test user allows the user to authenticate correctly, but obviously not something I want to do for all users in AD!). This confuses me because the original RADIUS server works correctly without this needing to be in place. I assume there may be some sort of setting on the Fortigate that is requesting a different authentication protocol that requires the passwords to be stored with reversible encryption in AD, but the ISP are saying everything is the same for both RADIUS server entries on the Fortigate, so I'm a bit stuck. Any ideas on what might be causing this discrepancy between the two RADIUS entries, and how I might "guide" the 3rd party to fix the issue, which appears to be at their end but I can't prove it?
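One way to prove which authentication protocol each RADIUS server entry is actually sending, as an added example that is not part of the original post: capture the Access-Request packets arriving at each NPS server (e.g. with a packet capture on the NPS host, UDP port 1812) and inspect which password-carrying attribute they contain. In NPS, CHAP is the method that requires passwords stored with reversible encryption; PAP and MS-CHAPv2 do not. The parser below is hypothetical helper code with constructed sample packets (zeroed authenticators, dummy password bytes), not Fortigate or NPS code.

```python
import struct

# RADIUS attribute types (RFC 2865) and Microsoft vendor-specific sub-types (RFC 2548)
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, CHAP_CHALLENGE = 1, 2, 3, 26, 60
MS_VENDOR_ID = 311
MS_CHAP_RESPONSE, MS_CHAP2_RESPONSE = 1, 25
NEEDS_REVERSIBLE_ENCRYPTION = {"CHAP"}  # NPS only needs reversible AD passwords for CHAP


def parse_attributes(packet):
    """Yield (type, value) pairs from an Access-Request; the RFC 2865 header is 20 bytes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def auth_method(packet):
    """Report which password attribute(s) the NAS (here, the Fortigate) sent."""
    seen = set()
    for atype, value in parse_attributes(packet):
        if atype == USER_PASSWORD:
            seen.add("PAP")
        elif atype == CHAP_PASSWORD:
            seen.add("CHAP")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == MS_VENDOR_ID and vtype == MS_CHAP2_RESPONSE:
                seen.add("MS-CHAPv2")
            elif vendor == MS_VENDOR_ID and vtype == MS_CHAP_RESPONSE:
                seen.add("MS-CHAPv1")
    return ",".join(sorted(seen)) or "none"


def needs_reversible_encryption(packet):
    """True if this request can only be validated against a reversibly stored AD password."""
    return bool(set(auth_method(packet).split(",")) & NEEDS_REVERSIBLE_ENCRYPTION)


def build_request(attrs):
    """Constructed sample Access-Request (identifier 7, zeroed authenticator) for testing."""
    body = b"".join(bytes([atype, 2 + len(v)]) + v for atype, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + b"\x00" * 16 + body


# Constructed samples: what a PAP, a CHAP and an MS-CHAPv2 request from the NAS look like.
PAP_REQ = build_request([(USER_NAME, b"testuser"), (USER_PASSWORD, b"\x11" * 16)])
CHAP_REQ = build_request([(USER_NAME, b"testuser"),
                          (CHAP_PASSWORD, b"\x01" + b"\x22" * 16), (CHAP_CHALLENGE, b"\x33" * 16)])
MSCHAP2_REQ = build_request([(USER_NAME, b"testuser"),
                             (VENDOR_SPECIFIC, struct.pack("!IBB", MS_VENDOR_ID, MS_CHAP2_RESPONSE, 52) + b"\x44" * 50)])
```

If the capture at the second server shows CHAP while the first shows PAP or MS-CHAPv2, the difference is in the per-server authentication type on the Fortigate side, which is the evidence to hand to the ISP.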
