SSL VPN tunnel mode is enabled in the firewall and the radius users are imported to the FortiGate.

It is necessary to make sure the actual RADIUS user name and the user imported in the FortiGate are the same. If not, a ' credential or ssl vpn configuration is wrong (-7200)' error will be received.

See the output below:

config user local
    edit "test"   <----- Name of the user in firewall.
        set status enable
        set type radius

Since the username in the firewall and radius is the same authentication is successful and two factors worked.

Post entering the Token. It worked.

By mistake, if the radius user is saved with a different user name then VPN will not work.

config user local
    edit "Test"  <----- The name from test to Test has been changed.
        set status enable
        set type radius

Trying to connect the VPN but it is not working.

It is because of the case sensitive, and post making the below mentioned changes the VPN is connected.

Note:

This option is only available when two-factor authentication is enabled for the user.

config user local
    edit "Test"
        set status enable
        set type radius
        set username-case-sensitivity <----- To disable it, use 'set username-case-sensitivity disable'.
end

Note:

As of FortiOS 7.0.1 and above, the syntax of the command has been changed to 'username-sensitivity'.

In order to see what is going wrong with the SSL VPN, take the following debug:

   diagnose debug reset

   diagnose vpn ssl debug-filter src-addr4 x.x.x.x

   diagnose debug application sslvpn -1

   diagnose debug application fnbamd -1

   diagnose debug enable

To clear the filter, enter the following commands:

   diagnose vpn ssl debug-filter clear

To stop the debug, enter the following commands:

   diagnose debug disable

   diagnose debug reset