FortiGate
tino_p, Staff
Article Id 415287
Description

This article describes a RADIUS authentication failure against Cisco ISE for an IPsec IKEv2 dial-up tunnel. The user cannot connect to the VPN with IKEv2 because Cisco ISE answers FortiGate's RADIUS Access-Request with an Access-Reject.

 

Network topology: Firewall ===VPN/IKEv2=== CiscoISE(Radius server)

 

The log from Cisco ISE for the failed attempt (screenshot log_cisco.png, not reproduced in text):
Scope

FortiGate, RADIUS.
Solution

 

  1. Run the packet sniffer and the debug in two SSH sessions to FortiGate while reproducing the issue (the sniffer filter captures both authentication and accounting traffic to the RADIUS server):

 

SSH1:

 

diagnose sniffer packet any "host [radius_IP] and port (1812 or 1813)" 6 0 l

 

SSH2:

 

diagnose debug reset

diagnose debug console timestamp enable

diagnose debug application ike -1

diagnose debug application fnbamd -1

diagnose debug application eap_proxy -1

diagnose vpn ike log filter rem-addr4 [wan_IP_of_client]

diagnose debug enable

 

 

  2. The fnbamd debug output shows the Access-Request leaving FortiGate and a reply with RADIUS code 3 coming back from Cisco ISE; code 3 is Access-Reject (RFC 2865), so the rejection is a decision of the RADIUS server, not a transport or shared-secret problem (the Response Authenticator check, __rad_chk_resp_authenticator, returned 0, i.e. passed).

 

"...
2025-10-16 12:03:15 [595] __create_access_request-Created RADIUS Access-Request. Len: 255.
2025-10-16 12:03:15 [1168] __rad_rxtx-Sent radius req to server 'xxxx': fd=11, IP=[radius_IP]([radius_IP]:1812) code=1 id=143 len=255
2025-10-16 12:03:15 [1177] __rad_rxtx-Start rad conn timer.
2025-10-16 12:03:15 [1137] __rad_rxtx-fd 11, state 2(Challenged)
2025-10-16 12:03:15 [1139] __rad_rxtx-Stop rad conn timer.
2025-10-16 12:03:15 [1180] __rad_rxtx-
2025-10-16 12:03:15 [681] __rad_udp_recv-Recved 44 bytes. Buf sz 8192
2025-10-16 12:03:15 [1159] __rad_chk_resp_authenticator-ret=0
2025-10-16 12:03:15 [1234] fnbamd_rad_validate_pkt-RADIUS resp code 3
..."

 

The packet sniffer output shows that the EAP method carried in the EAP-Message attribute is EAP-MSCHAPv2 (EAP type 26). Cisco ISE does not accept EAP-MSCHAPv2 as a standalone (outer) EAP method, only as an inner method of a tunnelled type such as PEAP, which is why it answers with Access-Reject:

 

(Sniffer output: screenshots Screenshot.png and Screenshot2.png, not reproduced in text.)
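As an added worked example (not Fortinet or Cisco code), the following Python decodes RADIUS packets of the kind the sniffer in step 1 captures: it parses the RADIUS header and attributes, checks the Response Authenticator (the step fnbamd logs as __rad_chk_resp_authenticator), and extracts the EAP method from the EAP-Message attribute (type 79), including the list of methods in an EAP Nak. The four packets, the user name, the packet IDs and the shared secret are constructed for the demo; the sequence (ISE offers PEAP, the client answers with an EAP Nak asking for type 26, ISE returns code 3) is an assumed reading of the exchange, not a transcript of the screenshots.

```python
"""RADIUS/EAP decoder for the sniffer output in the steps above.

Added example, not code from Fortinet or Cisco. The packets, IDs, user name
and shared secret below are constructed for the demo.
"""
import hashlib
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 25: "PEAP", 26: "EAP-MSCHAPv2"}
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79  # RFC 3579


def parse_radius(pkt):
    """Return code, id, authenticator and attribute list of a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, i = [], 20
    while i < length:
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return {"code": code, "name": RADIUS_CODES.get(code, str(code)),
            "id": ident, "auth": pkt[4:20], "attrs": attrs}


def decode_eap(attrs):
    """Reassemble EAP-Message fragments and decode the EAP header and type."""
    data = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(data) < 4:
        return None
    ecode, eid, elen = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(ecode, str(ecode)), "id": eid}
    if ecode in (1, 2) and elen >= 5:
        etype = data[4]
        out["type"] = etype
        out["type_name"] = EAP_TYPES.get(etype, f"type {etype}")
        if etype == 3:  # Nak: the body lists the methods the peer wants instead
            out["desired"] = list(data[5:elen])
    return out


def verify_response(resp, request_auth, secret):
    """RFC 2865 Response Authenticator check:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return expected == resp[4:20]


def rejected_eap_method(packets):
    """Return the EAP type the client asked for in the last Nak before an
    Access-Reject, or None if the exchange did not end in a reject."""
    last_nak = None
    for pkt in packets:
        p = parse_radius(pkt)
        e = decode_eap(p["attrs"])
        if e and e.get("type") == 3 and e.get("desired"):
            last_nak = e["desired"][0]
        if p["code"] == 3:
            return last_nak
    return None


# --- constructed sample exchange (not a real capture) -----------------------
def _radius(code, ident, auth, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body


def _eap(code, eid, etype=None, payload=b""):
    head = b"" if etype is None else bytes([etype])
    return struct.pack("!BBH", code, eid, 4 + len(head) + len(payload)) + head + payload


def _signed(code, ident, request_auth, attrs, secret):
    """Server reply with a valid Response Authenticator for request_auth."""
    unsigned = _radius(code, ident, bytes(16), attrs)
    auth = hashlib.md5(unsigned[:4] + request_auth + unsigned[20:] + secret).digest()
    return unsigned[:4] + auth + unsigned[20:]


SECRET = b"constructed-secret"                      # assumed shared secret
REQ_AUTH_A, REQ_AUTH_B = bytes(range(16)), bytes(range(16, 32))  # fake nonces
# 1. FortiGate relays the client's EAP-Response/Identity to the server
PKT1 = _radius(1, 143, REQ_AUTH_A,
               [(ATTR_USER_NAME, b"vpnuser"), (ATTR_EAP_MESSAGE, _eap(2, 1, 1, b"vpnuser"))])
# 2. the server challenges with its preferred method, PEAP (type 25, Start flag set)
PKT2 = _signed(11, 143, REQ_AUTH_A, [(ATTR_EAP_MESSAGE, _eap(1, 2, 25, bytes([0x20])))], SECRET)
# 3. the client answers with an EAP Nak asking for EAP-MSCHAPv2 (type 26) instead
PKT3 = _radius(1, 144, REQ_AUTH_B,
               [(ATTR_USER_NAME, b"vpnuser"), (ATTR_EAP_MESSAGE, _eap(2, 2, 3, bytes([26])))])
# 4. the server cannot do bare EAP-MSCHAPv2 and rejects (RADIUS code 3, EAP-Failure)
PKT4 = _signed(3, 144, REQ_AUTH_B, [(ATTR_EAP_MESSAGE, _eap(4, 2))], SECRET)
EXCHANGE = [PKT1, PKT2, PKT3, PKT4]

if __name__ == "__main__":
    for pkt in EXCHANGE:
        p = parse_radius(pkt)
        print(p["name"], "id=%d" % p["id"], decode_eap(p["attrs"]))
    print("challenge authenticator ok:", verify_response(PKT2, REQ_AUTH_A, SECRET))
    print("client insisted on EAP type:", rejected_eap_method(EXCHANGE))
```

To use it on real traffic, feed parse_radius the UDP payloads from the sniffer output or a pcap; pair each reply with the Access-Request of the same ID so that verify_response gets the right Request Authenticator, and look for a Nak listing type 26 immediately before the code 3 reply.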

  3. In this scenario FortiGate does not terminate EAP itself: it relays the EAP messages between the IKEv2 client and the RADIUS server, effectively acting as a RADIUS proxy. The EAP method is therefore chosen by FortiClient, and PEAP-MSCHAPv2 is not available as a choice, so the client can only offer the EAP-MSCHAPv2 that ISE rejects.

The solution is to set IKE version 1 in the VPN (phase 1) settings. With IKEv1, user authentication is done with XAuth instead of EAP, so FortiGate sends an ordinary RADIUS Access-Request that Cisco ISE can process. Verify by repeating the sniffer and fnbamd debug from step 1: the reply should now be RADIUS code 2 (Access-Accept) instead of code 3. Note that IKEv1 is the older protocol version, so confirm the change is acceptable under the site's security policy before rolling it out.