Sam_Brown
New Contributor

Client VPN - Fortigate RADIUS Authentication - Query regarding 3rd party implementation.

Hopefully someone can help here, as I'm not making much progress talking directly with the 3rd party.

We have a Client VPN provided by a managed Fortigate through our ISP. This is currently configured to use RADIUS authentication (NPS server using an AD group to check allowed users) and has been working fine since day one.

We have asked for a secondary RADIUS server entry to be added for redundancy, and this is currently only used for authentication by a small number of test users.

The problem is that when using the second RADIUS server the Fortigate receives a Reject message and then fails over to the first RADIUS server, which authenticates correctly. Now I have gone through the RADIUS server (NPS) config with a fine-tooth comb and both are set up exactly the same.

Checking the logs on the new RADIUS server, the reason given is that the user's credentials are not stored with reversible encryption, and this is why it fails (enabling this on the test user allows the user to authenticate correctly, but obviously not something I want to do for all users in AD!). This confuses me because the original RADIUS server works correctly without this needing to be in place.

I assume there may be some sort of setting on the Fortigate that is requesting a different authentication protocol that requires the passwords to be stored with reversible encryption in AD, but the ISP are saying everything is the same for both RADIUS server entries on the Fortigate, so I'm a bit stuck.

Any ideas on what might be causing this discrepancy between the two RADIUS entries, and how I might "guide" the 3rd party to fix the issue, which appears to be on their end but I can't prove it?

emnoc
Esteemed Contributor III

Obviously something is not the same on both RADIUS servers.

Did you start by seeing if the cfg are exactly the same in FortiOS for the RADIUS server, and especially with auto, chap or pap for auth-type?

    config user radius

    FGT01HOUSTX (test) # set auth-type 
    auto          Use PAP, MSCHAP_v2, and CHAP (in that order).
    ms_chap_v2    Microsoft Challenge Handshake Authentication Protocol version 2.
    ms_chap       Microsoft Challenge Handshake Authentication Protocol.
    chap          Challenge Handshake Authentication Protocol.
    pap           Password Authentication Protocol.

The default is "auto", but you can set the type to chap as required. I would also look over the NPS policy on reversible encryption and see if it's enabled or disabled.

And lastly, you can grab a packet capture and run radiusdump or sniff to extract what is "actually being sent" to RADIUS for diagnostics. RADIUS and TACACS are not 100% secure: anybody with knowledge of the secret can see your login details if PAP is used.

Also read up on this within the MS KB at https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-p...

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Labels
Top Kudoed Authors
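The reply above suggests capturing what the FortiGate actually sends to NPS and notes that with PAP anyone holding the shared secret can read the login. The script below, an added example and not code from the post, from Fortinet or from Microsoft, shows both points on constructed packets: it builds RADIUS Access-Requests for PAP, CHAP and MS-CHAPv2 (attribute numbers from RFC 2865 and RFC 2548), classifies each one using the same keywords FortiOS uses for auth-type, and recovers the PAP password with the secret. The secret, Request Authenticator, user name and password are invented; a real diagnosis would feed the attribute bytes from a pcap into parse_attributes instead. If the capture shows CHAP-Password (type 3), the NPS demand for reversibly encrypted AD passwords follows from the protocol itself, since CHAP verifies an MD5 over the cleartext password.

```python
import hashlib
import struct
from typing import List, Optional, Tuple

# Attribute/code numbers from RFC 2865 (RADIUS) and RFC 2548 (Microsoft VSAs)
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2      # PAP: hidden with the shared secret, not hashed
ATTR_CHAP_PASSWORD = 3      # CHAP: ident + MD5(ident + password + challenge)
ATTR_VENDOR_SPECIFIC = 26
ATTR_CHAP_CHALLENGE = 60
VENDOR_MICROSOFT = 311
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 1, 11, 25


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block); the first block is chained from the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: PAP obscures the password, it does not hash it,
    so the secret plus the packet is enough. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(attrs: List[Tuple[int, bytes]], authenticator: bytes, ident: int = 1) -> bytes:
    """Serialise Code, Identifier, Length, Authenticator and the attribute TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs, refusing truncated or overlong packets."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match the packet")
    if packet[0] != CODE_ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("bad attribute length")
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def classify_auth(packet: bytes) -> str:
    """Name the protocol in the request using the FortiOS auth-type keywords."""
    attrs = parse_attributes(packet)
    for t, v in attrs:
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6:
            vendor, vsa_type = struct.unpack("!IB", v[:5])
            if vendor == VENDOR_MICROSOFT and vsa_type == MS_CHAP2_RESPONSE:
                return "ms_chap_v2"
            if vendor == VENDOR_MICROSOFT and vsa_type == MS_CHAP_RESPONSE:
                return "ms_chap"
    types = {t for t, _ in attrs}
    return "chap" if ATTR_CHAP_PASSWORD in types else "pap" if ATTR_USER_PASSWORD in types else "unknown"


def recover_pap_password(packet: bytes, secret: bytes) -> Optional[bytes]:
    """Cleartext password if the request used PAP, otherwise None."""
    for t, v in parse_attributes(packet):
        if t == ATTR_USER_PASSWORD:
            return reveal_password(v, secret, packet[4:20])
    return None


def ms_vsa(vsa_type: int, data: bytes) -> bytes:
    """Microsoft Vendor-Specific value: vendor id, vendor type, vendor length, data."""
    return struct.pack("!IBB", VENDOR_MICROSOFT, vsa_type, len(data) + 2) + data


# Constructed samples (not from a real capture): fixed secret, authenticator and credentials
SECRET, AUTHENTICATOR = b"constructed-shared-secret", bytes(range(16))
USER, PASSWORD = b"CORP\\sam.brown", b"CorrectHorse!"
CHAP_IDENT, CHAP_CHALLENGE = 7, bytes(range(16, 32))

PAP_REQUEST = build_access_request(
    [(ATTR_USER_NAME, USER),
     (ATTR_USER_PASSWORD, hide_password(PASSWORD, SECRET, AUTHENTICATOR))], AUTHENTICATOR)
CHAP_REQUEST = build_access_request(
    [(ATTR_USER_NAME, USER),
     (ATTR_CHAP_PASSWORD, bytes([CHAP_IDENT])
      + hashlib.md5(bytes([CHAP_IDENT]) + PASSWORD + CHAP_CHALLENGE).digest()),
     (ATTR_CHAP_CHALLENGE, CHAP_CHALLENGE)], AUTHENTICATOR)
MSCHAP2_REQUEST = build_access_request(
    [(ATTR_USER_NAME, USER),
     (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP_CHALLENGE, bytes(16))),
     (ATTR_VENDOR_SPECIFIC, ms_vsa(MS_CHAP2_RESPONSE, bytes(50)))], AUTHENTICATOR)  # zeroed response

if __name__ == "__main__":
    for name, pkt in (("PAP", PAP_REQUEST), ("CHAP", CHAP_REQUEST), ("MS-CHAPv2", MSCHAP2_REQUEST)):
        print(f"{name:9s} auth-type={classify_auth(pkt):10s} pap-password={recover_pap_password(pkt, SECRET)!r}")
```

Running it prints one line per sample; only the PAP request yields the password, and only with the right secret. Comparing the classification of captures taken towards each NPS server is the quickest way to prove whether the FortiGate really sends the same protocol to both, which is what the question hinges on.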