if you have the FortiGate authenticate to FortiAuthenticator via RADIUS, and RADIUS checks the credentials against LDAP, the FortiGate-FortiAuthenticator connection must use either PAP, or MSCHAPv2 if FortiAuthenticator is joined to the domain and Windows AD Authentication is toggled on.
By default, FortiGate will try CHAP, MSCHAPv2, then PAP, when authenticating against RADIUS. Try setting PAP in FortiGate:
That should at least fix the errors related to 'remote server supports pap only'.
If 2FA only fails on occasion, you could also be looking at a timeout issue on FortiGate. If the issue persists, perhaps increasing the "remoteauthtimeout" value will help: #config global #config system global
#set remoteauthtimeout 60 <-- in seconds; this is how long FortiGate will wait for authentication to complete before declaring a timeout
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++