Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Issue L2TP over IPSEC with Radius and NPS

Hi all!


Currently I am configuring a L2TP over IPSEC through Radius with a NPS server.

I've configured the L2TP on the Fortigate with the wizard, this is quite simple.

For testing I created 2 L2TP configuration because of the different networks available to connect with as a user.

This is a L2TP configuration for a native Windows client.



-Remote Access - Windows Native

-Incoming interface - WAN

-Preshared key: ****

-User Group - the VPN Radius Group that should match

-Local interface - the interface that matches the destination group

-Local address - the address object that matches the destination group

-Client address range - a fictive range I made up


When connecting from a Windows client, it stops with error code: 691 (remote connection denied username..)

But checking the NPS logs, it shows MS-CHAPv2 was successful.

The logs matches the exact group that belongs to the user and I see traffic on the policies. So this should be good to go.


But showing the debug from the Fortigate, it shows " MSCHAP-v2 peer authentication failed for remote host".

So the NPS-Server says "successful" but the Fortigate says failed.


Does anyone recognise this issue?


Best regards,



It seems that the problem is caused by the use of MSCHAPv2. You can verify if FGT is able to successfully authenticate the user by running these commands:
> diagnose test authserver radius <srv name> pap <user> <pass>
> diagnose test authserver radius <srv name> mschap2 <user> <pass>

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

Tim and I are working on this issue together. These are the results:


authenticate 'xxx' against 'pap' failed, assigned_rad_session_id=44745116631041 session_timeout=0 secs idle_timeout=0 secs!


authenticate 'xxx' against 'mschap2' succeeded, server=primary assigned_rad_session_id=44745116631042 session_timeout=0 secs idle_timeout=0 secs!


Do a packet capture of the RADIUS communication as well, so that you know what the server is returning. You can combine that with debug for the FortiGate's side:


CLI 1:

diag sniffer packet any "host <NPS IP> and port 1812" 6 0 a

CTRL+C to stop when done


CLI 2 (separate SSH session or GUI console screen):

diag debug app fnbamd 127

dia de console timestamp enable

dia de en

=> test now with an L2TP connection attempt

dia de dis


[ corrections always welcome ]

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors