An issue exists between the Ubiquiti Networks Unifi software controller v5.10.19 and a Microsoft Radius or Network Policy Server (NPS) when NTLMv2 responses are forced on all Domain Controllers. When this condition exists, radius calls from the Unifi controller fail with error event that indicates the password is invalid. The security logs on the radius server report the following failure:

Failure Information:
     Failure Reason:     Unknown user name or bad password.
     Status:             0xC000006D
     Sub Status:         0xC000006A     (Account logon with misspelled or bad password)

The issue is limited only to VPN connections. WiFi connections using the same Radius connection profile and user account succeed.

Applying the registry key in Microsoft KB 2811487 to the Radius server resolves the issue.

Set DWORD:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Enable NTLMv2 Compatibility = 1