lgupta
Staff
January 20, 2025

Technical Tip: How to configure group matching using RADIUS 'Class' Attribute on Windows NPS

Description

This article describes how the 'Class' Attribute of type String, defined in a Network Policy on the Windows NPS Server, can be used to match user group(s) on the FortiGate.

Scope

FortiOS.
Solution

Steps on NPS Server:

Define the 'Class' Attribute on the Network Policies in the Windows NPS Server.

 

Reference picture:

 

[Image: radius-nps.png]

 

Steps on FortiGate firewall:

Step 1: Enable class attribute override under Radius configuration using CLI.

 

config user radius
    edit "radius-windows-2019"
        set server "192.168.1.200"
        set secret ENC WY0cw6l7yzf1numn1WIEv6H4aaMXmySak+NfqVrxD0qTx1WijuQZJ
        set group-override-attr-type class <-------
    next
end

 

Note: It is important to enable the override. Without it, the Class attribute is ignored, and FortiGate will not show the Group Membership(s) in Step 2.

 

Step 2: Using FortiGate CLI, confirm if FortiGate is receiving Group Membership(s) from the NPS server.

 

lab # diagnose test authserver radius radius-windows-2019 pap user1 password

authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=17158578049066 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - group-1

 

Step 3: Step 2 confirmed that FortiGate is receiving the 'group-1' Group Membership. The next step is to define the user group that will be referenced (in this example) in the SSL VPN configuration.

 

To configure the group from the GUI:

 

[Image: Screenshot 2026-01-30 122618.png]

 

To configure the group from CLI:

 

config user group
    edit "usergroup1"
        set member "radius-windows-2019"
        config match
            edit 1
                set server-name "radius-windows-2019"
                set group-name "group-1" <-----------
            next
        end
    next
end

 

Step 4: For testing, configure SSL VPN and use this 'usergroup1' in the SSL VPN Authentication Portal and the firewall Policy.

 

Refer to this link to configure SSL VPN using the Radius group: SSL VPN with RADIUS on Windows NPS.

 

Relevant fnbamd debug output for Class attribute verification:

 

lab # diagnose debug application fnbamd -1

lab # diagnose debug enable
.
truncated
.

[431] __rad_udp_recv-Recved 99 bytes. Buf sz 8192
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 2
[912] __rad_rxtx-
[1286] fnbamd_rad_process-Result from radius svr 'radius-windows-2019' is 0, req 17652505976835
[487] fnbamd_rad_get_vsas-Override group attr, type 25, val group-1 <------- Received group membership from RADIUS Server.
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[627] fnbam_user_auth_group_match-req id: 17652505976835, server: radius-windows-2019, local auth: 0, dn match: 0
[581] __group_match-Check if radius-windows-2019 is a group member
[587] __group_match-Group 'usergroup1' passed group matching
[590] __group_match-Add matched group 'usergroup1'(2) <------- Group matching completed.
[206] find_matched_usr_grps-Passed group matching
[909] update_auth_token_session-config does not require 2fa
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 17652505976835, len=2663
.
truncated
.
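The debug above shows the two things FortiGate does with the reply: it validates the RADIUS packet ("RADIUS resp code 2"), pulls the override group attribute out of it ("type 25, val group-1"), and then runs the 'config match' table from Step 3 against that value. The following added example (not FortiOS code, written for this article) reproduces that flow on a constructed Access-Accept: it checks the Response Authenticator with the shared secret, extracts attribute 25 (Class), and maps it to local user groups. The secret, Request Authenticator and group table are assumed sample values; passing override_attr_type=None models the failure mode described in the Note under Step 1, where the Class attribute is ignored and no group membership results.

```python
import hashlib
import struct

CLASS_ATTR = 25      # RADIUS 'Class' attribute type (the "type 25" in the fnbamd debug)
ACCESS_ACCEPT = 2    # RADIUS response code 2 ("RADIUS resp code 2" in the debug)

def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept with a valid Response Authenticator (RFC 2865)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_response(pkt, request_auth, secret):
    """Check the Response Authenticator, then return (code, {attr_type: [values]})."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    body = pkt[20:]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(pkt[:4] + request_auth + body + secret).digest()
    if expected != pkt[4:20]:
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    attrs, pos = {}, 0
    while pos < len(body):  # walk the Type/Length/Value attribute list
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, l = body[pos], body[pos + 1]
        attrs.setdefault(t, []).append(body[pos + 2:pos + l])
        pos += l
    return code, attrs

def match_groups(attrs, config_match, override_attr_type=CLASS_ATTR):
    """Mirror FortiGate 'config match': map attribute values to local user groups.
    None models 'group-override-attr-type' left unset: Class is ignored, no groups."""
    if override_attr_type is None:
        return []
    names = [v.decode("utf-8", "replace") for v in attrs.get(override_attr_type, [])]
    return sorted({grp for grp, name in config_match if name in names})

# Constructed sample data (not from a real server): secret, the Request Authenticator
# we sent, the 'config match' table from Step 3, and a reply carrying Class=group-1.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
CONFIG_MATCH = [("usergroup1", "group-1"), ("usergroup2", "group-2")]
REPLY = build_access_accept(7, REQ_AUTH, SECRET, [(CLASS_ATTR, b"group-1")])

def demo(override=True):
    code, attrs = parse_response(REPLY, REQ_AUTH, SECRET)
    return code, match_groups(attrs, CONFIG_MATCH, CLASS_ATTR if override else None)
```

demo() returns (2, ['usergroup1']), matching the debug lines "Override group attr, type 25, val group-1" and "Add matched group 'usergroup1'"; demo(override=False) returns (2, []), the empty result seen when the override is not enabled.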


Once connected successfully to the SSL VPN, confirm the authentication details using the CLI:

 

lab # diagnose firewall auth list

 

10.212.134.200, user1 <------ user-name.
type: fw, id: 0, duration: 36, idled: 9
expire: 28790, allow-idle: 28799
flag(80): sslvpn
server: radius-windows-2019 <------ RADIUS server.
packets: in 625 out 355, bytes: in 723124 out 30737
group_id: 2
group_name: usergroup1 <------ user-group name.

----- 1 listed, 0 filtered ------

 

Alternatively, Vendor Specific Attribute(s) can be used for Group Matching: Restricting RADIUS user groups to match selective users on the RADIUS server.

 

Related articles:

Technical Tip: Authentication, Remote server group match of user group configuration with RADIUS server user

Troubleshooting Tip: How to test FortiGate's radius user authentication to the RADIUS server