Solution

When a user roams to a different AP using WPA2-Enterprise with RADIUS authentication, most of the groups assigned to the user are not retained. Only one group remains, which may lead to incorrect access control depending on the firewall policy configuration.
For an example configuration impacted by this issue, refer to: Configuring WiFi with WSSO
Example diagnostic output after the initial connection:

diagnose firewall auth list

10.0.0.10, nkor1
        type: wsso, id: 0, duration: 69, idled: 0
        expire: 300, allow-idle: 300
        flag(110): radius wsso
        server: ftntlab
        packets: in 155 out 211, bytes: in 57235 out 14299
        group_id: 2 3 6 7
        group_name: Group1 Group2 Group3 Group4
10.0.0.10, nkor1
        type: other, id: 0, duration: 69, idled: 69
        flag(10): radius
        server: ftntlab
        packets: in 0 out 0, bytes: in 0 out 0
----- 2 listed, 0 filtered ------

After the client roams and connects to another AP, the firewall user list shows only one group:

diagnose firewall auth list

10.0.0.10, nkor1
        type: wsso, id: 0, duration: 6, idled: 6
        expire: 294, allow-idle: 300
        flag(110): radius wsso
        server: ftntlab
        packets: in 0 out 36, bytes: in 0 out 2305
        group_id: 2
        group_name: Group1
10.0.0.10, nkor1
        type: other, id: 0, duration: 6, idled: 6
        flag(10): radius
        server: ftntlab
        packets: in 0 out 0, bytes: in 0 out 0

Workaround:
Configure policies on the remote RADIUS server to return only the most relevant group, depending on the user and access method.

Resolution:
This issue has been resolved in:
These timelines for firmware release are estimated and may be subject to change.
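As an added check (not part of this article or of FortiOS), the following Python snippet parses "diagnose firewall auth list" output captured before and after a roam and reports which WSSO groups the user lost; the sample output is constructed from the listings above, trimmed to the fields the parser needs.

```python
import re

# Trimmed "diagnose firewall auth list" output before and after roaming
# (constructed from the article's listings; not a live capture).
BEFORE_ROAM = """\
10.0.0.10, nkor1
        type: wsso, id: 0, duration: 69, idled: 0
        flag(110): radius wsso
        group_id: 2 3 6 7
        group_name: Group1 Group2 Group3 Group4
10.0.0.10, nkor1
        type: other, id: 0, duration: 69, idled: 69
        flag(10): radius
----- 2 listed, 0 filtered ------
"""
AFTER_ROAM = """\
10.0.0.10, nkor1
        type: wsso, id: 0, duration: 6, idled: 6
        flag(110): radius wsso
        group_id: 2
        group_name: Group1
10.0.0.10, nkor1
        type: other, id: 0, duration: 6, idled: 6
        flag(10): radius
----- 2 listed, 0 filtered ------
"""
ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+), (\S+)$")

def parse_wsso_groups(output):
    """Map (ip, user) -> set of group names, for entries of type wsso only."""
    groups, key, is_wsso = {}, None, False
    for raw in output.splitlines():
        m = ENTRY_RE.match(raw)
        if m:                       # new entry header: "<ip>, <user>"
            key, is_wsso = (m.group(1), m.group(2)), False
            continue
        line = raw.strip()
        if line.startswith("type:"):
            is_wsso = line.split(",")[0] == "type: wsso"
        elif line.startswith("group_name:") and is_wsso and key:
            groups[key] = set(line.split()[1:])
    return groups

def lost_groups(before, after):
    """Groups a WSSO user held before roaming that are absent afterwards."""
    b, a = parse_wsso_groups(before), parse_wsso_groups(after)
    return {k: sorted(v - a.get(k, set())) for k, v in b.items() if v - a.get(k, set())}
```

A non-empty result from lost_groups means firewall policies matching the dropped groups will no longer apply to that session after the roam.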
Related documents:
FortiAP Configuration Guide
WiFi Single Sign On