slovepreet (Staff)
January 12, 2026

Technical Tip: Distinguishing user groups for IPsec VPN authentication when using FortiGate and FortiAuthenticator

Description

This article describes how to distinguish user groups during IPsec VPN authentication when FortiGate is integrated with FortiAuthenticator and users are migrating from SSL VPN to IPsec VPN.

Authentication failures can occur when the group match logic is not configured correctly on FortiOS, or when the RADIUS attributes are not configured correctly on FortiAuthenticator.

Scope

FortiGate, FortiAuthenticator, IPsec VPN, SSL VPN.

Solution

When FortiGate authenticates users for an IPsec tunnel through FortiAuthenticator, group matching relies on both the RADIUS attributes returned by FortiAuthenticator and the user group match values configured in FortiOS.

Group matching does not depend on the group names configured on FortiGate or FortiAuthenticator. On FortiAuthenticator, the backend users or groups must be configured to return the Fortinet-Group-Name Vendor-Specific Attribute (VSA) for group name matching. If the attribute is missing or incorrectly set, FortiGate will not match the intended group, even if the group names are identical on FortiGate and FortiAuthenticator.

 

For example, FortiGate may be configured with two user groups, 'SSLVPNusers' (intended for SSL VPN authentication) and 'IPsecVPNUsers' (intended for IPsec VPN authentication), as shown in the picture below.

 

FortiGate User Groups GUI:

 

FortiGate side configuration.png

 

config user group
    edit "IPsecVPNUsers" <-- Not compared for group matching.
        set member "FortiAuthenticator RADIUS"
            config match
                edit 1
                    set server-name "FortiAuthenticator RADIUS"
                    set group-name "IPsecVPNUsers" <-- Compared for group matching.
                next
            end
    next
    edit "SSLVPNUSERS"
        set member "FortiAuthenticator RADIUS"
            config match
                edit 1
                    set server-name "FortiAuthenticator RADIUS"
                    set group-name "SSLVPNUSERS"
                next
            end
    next
end

 

Notes:

  • Only the group-name parameter under 'config match' is checked against the RADIUS Fortinet-Group-Name attribute; the FortiOS group name itself is not compared.
  • There is no parameter in the 'SSLVPNUSERS' or 'IPsecVPNUsers' FortiOS group configuration that restricts them to a particular VPN protocol. Instead, the possible matches are restricted by which groups are referenced in the VPN and firewall policy configuration.

 

On the FortiAuthenticator, the same group names were reused, as shown below.

Fortiauthenticator configuration.png

However, only the 'SSLVPNUSERS' group on the FortiAuthenticator is correctly configured with a value for Fortinet-Group-Name, as shown below. The 'IPsecVPNUsers' group's Fortinet-Group-Name was incorrectly left blank.

SSL VPN users.png

As a result, the 'IPsecVPNUsers' group fails to match when the user attempts to connect to the IPsec VPN.

 

The issue can be confirmed on FortiGate by enabling authentication debugging. Run the following commands on FortiGate:

diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable

During a failed authentication attempt, the debug output shows a 'Failed group matching' error.

 

Failed group matching.png

 

To resolve the issue, configure the RADIUS attributes on FortiAuthenticator for each user group.

Group attributes on FortiAuthenticator:

IPsec Group.png

SSL VPN users.png

The 'Fortinet-Group-Name' value must exactly match a group-name value configured under 'config user group > config match' on FortiGate. Once the correct RADIUS attributes are returned, FortiGate matches the intended user group(s) during authentication, and IPsec VPN connections establish as expected.

 

A remote user may be a member of multiple groups; see this article: Technical Tip: How to use multiple groups with EAP for IKEv2 (SAML/RADIUS/local). In that case, every matching group is added to the user's group information.
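The matching behaviour described above (only the 'config match' group-name is compared against the returned Fortinet-Group-Name VSA, a blank value matches nothing, and a user returned with several values lands in every matching group) as an added Python example. This is not FortiOS, FortiAuthenticator or other Fortinet code: it models the RADIUS Vendor-Specific attribute layout from RFC 2865 with Fortinet's enterprise number 12356 and vendor type 1 for Fortinet-Group-Name, assumes exact, case-sensitive comparison as the article states, and uses a constructed 'config user group' model that mirrors the configuration block shown earlier.

```python
"""
Added example (not FortiOS or FortiAuthenticator code): models how the RADIUS
Fortinet-Group-Name VSA drives FortiOS 'config user group' matching.

Assumptions (constructed for illustration, not taken from the article):
  - Vendor-Specific attribute layout follows RFC 2865 (attribute type 26).
  - Fortinet enterprise number 12356, Fortinet-Group-Name vendor type 1.
  - Comparison is exact and case-sensitive.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
FORTINET_VENDOR_ID = 12356    # Fortinet IANA enterprise number
FORTINET_GROUP_NAME = 1       # Fortinet-Group-Name vendor type


def build_vsa_group_name(group: str) -> bytes:
    """Encode one Fortinet-Group-Name value as a RADIUS Vendor-Specific attribute."""
    value = group.encode()
    vendor_part = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_part
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_fortinet_group_names(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list and collect every Fortinet-Group-Name value.

    Bad lengths raise instead of being skipped, so a truncated or corrupted
    Access-Accept is not mistaken for "no groups returned".
    """
    groups: list[str] = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError(f"malformed RADIUS attribute at offset {i}")
        payload = attrs[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(payload) >= 6:
            vendor_id = struct.unpack("!I", payload[:4])[0]
            if vendor_id == FORTINET_VENDOR_ID:
                j = 4   # skip the 4-byte Vendor-Id, then walk vendor sub-attributes
                while j + 2 <= len(payload):
                    vtype, vlen = payload[j], payload[j + 1]
                    if vlen < 2 or j + vlen > len(payload):
                        raise ValueError(f"malformed Fortinet VSA at offset {i + 2 + j}")
                    if vtype == FORTINET_GROUP_NAME:
                        groups.append(payload[j + 2:j + vlen].decode())
                    j += vlen
        i += alen
    if i != len(attrs):
        raise ValueError("trailing bytes after last RADIUS attribute")
    return groups


@dataclass
class MatchRule:
    """One 'edit N' entry under 'config match'."""
    server_name: str
    group_name: str


@dataclass
class UserGroup:
    """One 'config user group' entry; 'name' is never compared, only the match rules."""
    name: str
    members: list[str]
    match: list[MatchRule] = field(default_factory=list)


def match_user_groups(server_name: str, returned: list[str],
                      user_groups: list[UserGroup]) -> list[str]:
    """Return the FortiOS group names whose match rules agree with the returned VSAs."""
    present = {g for g in returned if g}   # a blank Fortinet-Group-Name matches nothing
    matched = []
    for ug in user_groups:
        if server_name not in ug.members:
            continue
        if any(r.server_name == server_name and r.group_name in present for r in ug.match):
            matched.append(ug.name)
    return matched


# Constructed FortiOS-side model mirroring the article's 'config user group' block.
FAC = "FortiAuthenticator RADIUS"
USER_GROUPS = [
    UserGroup("IPsecVPNUsers", [FAC], [MatchRule(FAC, "IPsecVPNUsers")]),
    UserGroup("SSLVPNUSERS", [FAC], [MatchRule(FAC, "SSLVPNUSERS")]),
]


def scenario(*returned_groups: str) -> list[str]:
    """Build a constructed Access-Accept attribute list with the given VSAs and run matching."""
    attrs = b"".join(build_vsa_group_name(g) for g in returned_groups)
    return match_user_groups(FAC, parse_fortinet_group_names(attrs), USER_GROUPS)


if __name__ == "__main__":
    cases = {
        "blank Fortinet-Group-Name (misconfigured FAC group)": scenario(""),
        "correct value": scenario("IPsecVPNUsers"),
        "case differs from config match": scenario("ipsecvpnusers"),
        "member of both groups": scenario("IPsecVPNUsers", "SSLVPNUSERS"),
    }
    for label, result in cases.items():
        print(f"{label}: {result or 'Failed group matching'}")
```

Running the block walks four constructed Access-Accept replies. The blank-value case is the misconfiguration from this article and yields no group, which is what fnbamd reports as 'Failed group matching'; the case-mismatch row shows why the article insists on an exact match; and the last row shows a user returned with two values landing in both FortiOS groups.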

 

Note: If RADIUS attributes such as 'Fortinet-Group-Name' are configured in a group on FortiAuthenticator and must be returned to FortiGate, ensure the 'Return User Group Attributes' option is configured on the relevant RADIUS service policy on FortiAuthenticator. See this document: Policies.

 

Note 2: The above applies to RADIUS-based authentication between FortiGate and FortiAuthenticator. For SAML-based authentication (FortiAuthenticator as the SAML IdP, FortiGate as the SAML SP), FortiAuthenticator returns the actual name of the user group as retrieved from the upstream authentication source, rather than an admin-configurable string as with RADIUS. Take care to set the group matching on FortiGate so that it matches the real name as set by the authentication source.

 

Related documents:

Technical Tip: IKEv2 dialup IPsec tunnel with RADIUS server authentication and FortiClient

EAP-TTLS support for IPsec VPN

Technical Tip: IKEv2 dialup gateway with RADIUS user groups does not support other authentication servers

Restricting RADIUS user groups to match selective users on the RADIUS server

Technical Tip: How to configure Group Matching using Radius 'Class' Attribute on Windows NPS

Technical Tip: Fortinet's RADIUS Dictionary and VSAs (latest)

User Groups