Example:

FortiGate uses authentication protocol Ms-Chap-v2 to connect with the Radius server and EAP is enabled on the NPS server:

On the FortiGate CLI:

diag debug app fnbamd -1

diag debug en 

[587] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'DC-RADIUS' for usergroup 'WiFi' (4)
[342] fnbamd_create_radius_socket-Opened radius socket 12
[342] fnbamd_create_radius_socket-Opened radius socket 13
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-10.10.10.1->10.10.10.1
[1323] __fnbamd_rad_send-Sent radius req to server 'DC-RADIUS': fd=12, IP=10.10.10.1(10.10.10.1:1812) code=1 id=57 len=145 user="smi_domain\noah_quercia" using PAP
[319] radius_server_auth-Timer of rad 'DC-RADIUS' is added
[754] auth_tac_plus_start-Didn't find tac_plus servers (0)
[1034] __fnbamd_cfg_get_ldap_list_by_group-
[1150] fnbamd_cfg_get_ldap_list-Total ldap servers to try: 0
[491] ldap_start-Didn't find ldap servers
[633] create_auth_session-Total 1 server(s) to try
[1360] fnbamd_auth_handle_radius_result-Timer of rad 'DC-RADIUS' is deleted
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'DC-RADIUS' 10.10.10.1(1) is 1
[216] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 439369947, len=3172
[789] destroy_auth_session-delete session 439369947

In the above debugs, FortiGate still uses PAP for the Local Group even when  MS-Chap-v2 is configured on the Radius server settings. Due to this, these users are unable to authenticate.

FortiGate does not force the authentication protocol for SSID authentication. PEAP authentication needs to be enabled on the end devices. If the end user is a Windows PC, it is necessary to enable EAP-MSCHAP-v2 in the wireless network security of the PC.

Related article:

Configuring WiFi with WSSO using Windows NPS and user groups