If you're using MSCHAPv2 on FortiGate, you need to ensure FortiAuthenticator is joined to the domain so it can send the hashed password to AD to cross-check; if FortiAuthenticator is not joined to the domain, it can only authenticate local users via MSCHAPv2, and remote users via PAP.
I would suggest the following:
- test VPN with a local user on FortiAuthenticator
-> that might require changing the RADIUS policy to use the local realm, not a remote realm
do you see that error 'unable to find matching authpolicy' after each VPN connection attempt?
From the way you took the screenshot, I can see that error, and underneath a new authentication attempt, but I don't know what the error belongs to, and what error the new authentication attempt might result in.
If you get that 'unable to find matching authpolicy' error throughout, that means there is no suitable RADIUS policy for that client and the authentication (EAP-TLS? MAB?) it wants to attempt.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
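Why the domain join matters for MSCHAPv2, as an added example that is not part of the original post and not Fortinet code: the verifier recomputes the challenge response from the stored NT hash, so it must either hold that hash or be able to hand the response to a domain controller that does. The Go program below implements the RFC 2759 computation for both sides using only the standard library (MD4 is written out because Go does not ship it). The challenge values, username and password are the test vectors from RFC 2759 section 9.2; the "password"/"wrongPass" strings used for comparison are constructed here.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 implements RFC 1320; the NT hash is MD4 over the UTF-16LE password and Go's standard library ships no MD4.
func md4(data []byte) (out [16]byte) {
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (120-len(msg)%64)%64+8)...) // zero-pad to 56 mod 64, plus 8 length bytes
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F = (B and C) or (not B and D), words in order
			a = bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], []int{3, 7, 11, 19}[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(B, C, D), words 0,4,8,12,1,5,...
			a = bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[(i%4)*4+i/4]+0x5a827999, []int{3, 5, 9, 13}[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = B xor C xor D, words 0,8,4,12,2,10,... (bit-reversed index)
			a = bits.RotateLeft32(a+(b^c^d)+x[bits.Reverse8(uint8(i))>>4]+0x6ed9eba1, []int{3, 9, 11, 15}[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return
}

// NTHash is the value AD stores for the account: MD4(UTF-16LE(password)).
func NTHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

// challengeHash is RFC 2759 section 8.2: SHA1(PeerChallenge, AuthenticatorChallenge, UserName)[0:8].
func challengeHash(peer, auth []byte, username string) (out [8]byte) {
	sum := sha1.Sum(append(append(append([]byte{}, peer...), auth...), username...))
	copy(out[:], sum[:])
	return
}

// challengeResponse is RFC 2759 section 8.5: the 16-byte hash is zero-padded to 21
// bytes and split into three 7-byte DES keys, each of which encrypts the challenge.
func challengeResponse(challenge [8]byte, pwHash [16]byte) (out [24]byte) {
	var z [21]byte
	copy(z[:], pwHash[:])
	for i := 0; i < 3; i++ {
		k7, k8 := z[7*i:7*i+7], make([]byte, 8)
		k8[0], k8[7] = k7[0], k7[6]<<1 // spread 56 key bits over 8 bytes; DES ignores the parity bits
		for j := 1; j < 7; j++ {
			k8[j] = k7[j-1]<<(8-j) | k7[j]>>j
		}
		blk, _ := des.NewCipher(k8) // error only possible for a wrong key length, which is fixed at 8 here
		blk.Encrypt(out[8*i:8*i+8], challenge[:])
	}
	return
}

// NTResponse is the client side (RFC 2759 section 8.1): the plaintext password is used only to derive the NT hash.
func NTResponse(authChallenge, peerChallenge []byte, username, password string) [24]byte {
	return challengeResponse(challengeHash(peerChallenge, authChallenge, username), NTHash(password))
}

// VerifyNTResponse is the server side: the only secret it needs is the stored NT hash, so a
// RADIUS server that cannot obtain or query that hash (one not joined to the domain) cannot
// verify the response. With PAP the server receives the password itself and can attempt an LDAP bind.
func VerifyNTResponse(authChallenge, peerChallenge []byte, username string, storedHash [16]byte, resp [24]byte) bool {
	want := challengeResponse(challengeHash(peerChallenge, authChallenge, username), storedHash)
	return subtle.ConstantTimeCompare(want[:], resp[:]) == 1
}

func main() {
	auth, _ := hex.DecodeString("5B5D7C7D7B3F2F3E3C2C602132262628") // RFC 2759 section 9.2 vectors
	peer, _ := hex.DecodeString("21402324255E262A28295F2B3A337C7E")
	resp := NTResponse(auth, peer, "User", "clientPass")
	fmt.Printf("NT-Response %X\nverifies against stored hash: %v\n", resp[:], VerifyNTResponse(auth, peer, "User", NTHash("clientPass"), resp))
}
```

The point to take from VerifyNTResponse is what it does not take as input: there is no plaintext password anywhere on the server side, only the NT hash. A FortiAuthenticator that holds local users has their hashes; for remote AD users it has nothing to compare against unless it is domain-joined and can pass the challenge and response to a domain controller, which is exactly the condition stated above. PAP has no such dependency because the server receives the password and can bind to LDAP with it.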
if you switch to EAP-TLS on FortiAuthenticator (or create a new RADIUS policy with EAP-TLS instead), FortiAuthenticator should then try to confirm the client certificate; this setup is a bit more complex on FortiAuthenticator.
For 802.1x authentication you would have to import remote users (from AD for example) and define certificate bindings:
-> define what certificate subject is expected (the user's CN, or DN, or sAMAccountName, or mail, or whatever)
-> define what CA should have signed the user's certificate
--> you might have to import the CA as remote CA to FortiAuthenticator so that the Authenticator trusts it
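What the certificate binding steps above amount to, as an added example that is not part of the original post and not FortiAuthenticator code: after the EAP-TLS handshake the server verifies the client certificate's chain against the imported (remote) CA, then compares the bound certificate field with the attribute of the imported user. The Go program below does both with the standard library only. The binding field names "cn" and "mail", the CA names, and the user records are constructed for the illustration and are not FortiAuthenticator's option labels.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RemoteUser maps a binding field name ("cn" for sAMAccountName, "mail") to the value imported from AD.
type RemoteUser map[string]string

// issue signs tmpl with parentKey (self-signs when parentKey is nil) and returns the cert plus its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA builds a self-signed CA, standing in for the enterprise CA that would be imported as a remote CA.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueClientCert issues a user certificate with the CN in the subject and the mail address as a SAN.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, mail string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber:   big.NewInt(time.Now().UnixNano()),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{mail},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// AuthorizeEAPTLS performs the two checks that follow the TLS handshake: the chain
// must end at a trusted CA, and the bound certificate field must match the user record.
func AuthorizeEAPTLS(cert *x509.Certificate, trusted *x509.CertPool, user RemoteUser, field string) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain not trusted: %w", err)
	}
	// "cn" reads the subject CN; "mail" reads the rfc822Name SAN entries. An empty value never matches.
	got := map[string][]string{"cn": {cert.Subject.CommonName}, "mail": cert.EmailAddresses}[field]
	for _, g := range got {
		if g != "" && g == user[field] {
			return nil
		}
	}
	return fmt.Errorf("%s binding: certificate has %q, user record has %q", field, got, user[field])
}

// RunScenarios returns the authorization result for each constructed test case.
func RunScenarios() map[string]error {
	ca, caKey := NewCA("Example Corp Issuing CA")
	rogue, rogueKey := NewCA("Unknown CA")
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	user := RemoteUser{"cn": "jdoe", "mail": "jdoe@example.com"}
	return map[string]error{
		"valid-cn":     AuthorizeEAPTLS(IssueClientCert(ca, caKey, "jdoe", "jdoe@example.com"), pool, user, "cn"),
		"valid-mail":   AuthorizeEAPTLS(IssueClientCert(ca, caKey, "jdoe", "jdoe@example.com"), pool, user, "mail"),
		"cn-mismatch":  AuthorizeEAPTLS(IssueClientCert(ca, caKey, "asmith", "asmith@example.com"), pool, user, "cn"),
		"untrusted-ca": AuthorizeEAPTLS(IssueClientCert(rogue, rogueKey, "jdoe", "jdoe@example.com"), pool, user, "cn"),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-13s -> %v\n", name, err)
	}
}
```

The two failing scenarios correspond to the two configuration points listed above: "untrusted-ca" is what you get when the issuing CA has not been imported as a remote CA, and "cn-mismatch" is a binding that expects a different certificate field (or a user that was never imported) than the one the CA actually puts in the certificate. Checking both before granting access is what separates EAP-TLS from merely completing a TLS handshake.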
After struggling with attempting to get this configured myself recently, I was able to finally get it working. Initially we were on FortiAuthenticator 6.4.4 which had an unlisted bug that was noted and resolved in FortiAuthenticator 6.4.6. The bug in question is 846732 with description '2FA support for FortiClient IKEv2 VPN is broken'.