Description
This article addresses Windows clients failing RADIUS authentication with FortiConnect with the error: "mschap2 response is not correct".

Scope
FortiConnect v16.7

Solution
This may occur because the Active Directory used on FortiConnect uses NTLMv2, which is more secure than NTLMv1. FortiConnect uses FreeRADIUS, which supports only NTLMv1 and not NTLMv2.
This issue can be resolved only if NTLMv1 is enabled on Active Directory. However, many users will prefer not to use this option as NTLMv1 is more vulnerable to security attacks.
In this case, one of the following options can be used:
1.) Use EAP-TLS authentication instead of EAP-PEAP MSCHAPv2.
2.) MCT should use a RADIUS authentication policy instead of an AD authentication policy. However, in this case it will not be possible to use MCT features.