Obviously something is not the same on both radius servers,.
Did you start by seeing if the cfg are exactly the same in fortios for the radius server and specially with auto chap or pap for auth-type?
config user radius
FGT01HOUSTX (test) # set auth-type auto Use PAP, MSCHAP_v2, and CHAP (in that order).ms_chap_v2 Microsoft Challenge Handshake Authentication Protocol version 2.ms_chap Microsoft Challenge Handshake Authentication Protocol.chap Challenge Handshake Authentication Protocol.pap Password Authentication Protocol.
The default is "auto" but you can set the type to chap as required. I would also looki over the NPS policy on reversible encryption and see if it's enabled or disabled.
And lastly, you can grab a packet capture and run the radiusdump or sniff to extract what is "actually being sent" to radius for diagnostics. Radius and tacacas are not 100% secured any body with knowledge of the secret can see your login details if PAP is used.
Also read up on this within ms kb at https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-p...
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.