rain
Staff
Article Id 370996
Description

This article describes how to handle the 'Cannot decode the password' error on Cisco DUO RADIUS installed on a Windows Server when, at the same time, the FortiGate shows the 'Invalid Password' error.

Scope

FortiGate.

Solution

A RADIUS client is configured on the FortiGate to send user authentication to the Cisco DUO RADIUS proxy. First, the two must establish communication with each other.

When an authentication test at the RADIUS level is run from the FortiGate, a sniffer capture (e.g. diagnose packet capture "host X.X.X.X" 6 0 l) shows the following:

0040  43 61 6e 6e 6f 74 2e 64  65 63 6f 64 65 2e 70 61  Cannot.d ecode.pa
0050  73 73 77 6f 72 64                                 ssword

If the configuration is created on the RADIUS template on the FortiGate with IP/Name and Secret, and the 'Connection status' shows 'Invalid Password' while the Cisco DUO RADIUS shows 'Cannot decode the password', there could be two reasons:

  1. The password (Secret) is wrong on one of the sides (FortiGate/Cisco DUO RADIUS). If this is the case, change them so that both are the same.
  2. The password (Secret) uses a character encoded outside UTF-8. If a specific encoded character has to be used, see and follow this article from DUO help: https://help.duo.com/s/article/1168?language=en_US

If any change is made on the Cisco DUO RADIUS, the proxy process needs to be restarted, because the change may not take effect immediately.
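
The two causes listed above can be reproduced offline. This is an added illustration, not code from the original article, Fortinet or Duo, and it assumes the test uses PAP, where the password travels in the RADIUS User-Password attribute hidden as defined in RFC 2865 section 5.2. The function names, secrets, password and authenticator are constructed for the example.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865, 5.2): pad to 16-byte blocks, XOR with an MD5 chain."""
    size = max(16, -(-len(password) // 16) * 16)   # at least one full block
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()  # keyed by the shared secret
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Server side: reverse the chain, strip the padding, decode as UTF-8."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    # With the wrong secret the XOR yields arbitrary bytes, which almost
    # never form valid UTF-8, so this decode raises UnicodeDecodeError.
    return out.rstrip(b"\x00").decode("utf-8")

def server_view(client_secret: bytes, server_secret: bytes,
                password: str, authenticator: bytes):
    """Hypothetical helper: what the server recovers, or None if undecodable."""
    hidden = hide_password(password.encode("utf-8"), client_secret, authenticator)
    try:
        return recover_password(hidden, server_secret, authenticator)
    except UnicodeDecodeError:
        return None

# Constructed sample values (not taken from any real deployment).
AUTH = bytes(range(16))                  # 16-byte Request Authenticator
PASSWORD = "Constructed-Passw0rd-2024"   # 25 bytes, padded to two blocks
TYPED = "Secr\u00e9t"                    # same typed secret, non-ASCII character

if __name__ == "__main__":
    # Same secret on both sides: the password is recovered.
    print(server_view(b"SharedSecret1", b"SharedSecret1", PASSWORD, AUTH))
    # Reason 1: secrets differ, so the result cannot be decoded.
    print(server_view(b"SharedSecret1", b"SharedSecret2", PASSWORD, AUTH))
    # Reason 2: same typed secret, different byte encoding on each side.
    print(server_view(TYPED.encode("latin-1"), TYPED.encode("utf-8"), PASSWORD, AUTH))
```

In the third case the secret looks identical in both configurations, yet the bytes fed into MD5 differ, so it fails in the same way as a mistyped secret.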
