At one of my customers I've set up FortiGate SSL VPN with MFA. For MFA we use Azure MFA together with Windows NPS: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
It's a FortiGate 600E cluster, running on FortiOS 6.4.6. The NPS is a Windows Server 2019.
The setup is working fine when we use PAP authentication between the FortiGate and the NPS, but because this method is not secure, we want to use MS-CHAPv2 for authentication.
On the FortiGate we have specified MS-CHAP-v2 as authentication method in the RADIUS server settings. MS-CHAPv2 is also enabled on the Connection Request Policy and the Network Policy on our Windows NPS. Unfortunately, authentication is not working.
When we try to connect the SSL VPN, the FortiClient gives the following error: credential or ssl vpn configuration is wrong (-7200). The RADIUS requests are arriving at our NPS but the NPS event logs don't give me any useful information.
I already tried switching between MS-CHAPv2, MS-CHAP and CHAP, but none of them are working. Authentication is only working with PAP.
Is someone familiar with this kind of setup?