Troubleshooting Tip: How to resolve the error 'RADIUS protocol error parse error RSSO key'
| Description | This article describes a RADIUS protocol error that occurs when the list of group memberships is longer than 360 bytes, causing the FortiGate to generate a parse error. The FortiGate admin may observe a large volume of logs with the error 'RADIUS Protocol Error Parse Error RSSO Key', and firewall policies that rely on user authentication are not matched. |
| Scope | FortiGate, FortiAuthenticator. |
| Solution | To find the reason for the error, collect the output of the following debug command:
diagnose debug app radiusd -1
If the output contains this line:
2026-03-23 12:46:57 The group name space is full, this packet will be ignored.
The error has occurred because FortiOS accepts a group list of at most 360 bytes, as indicated in 'SSO using RADIUS accounting records'. This error occurs regardless of the FortiOS version.
All FortiGates configured with FSSO pointing to the FortiAuthenticator will perform 'transparent authentication', reading the FortiAuthenticator FSSO cache.
This way, each FortiGate no longer spends resources tracking every RADIUS authentication, because only the FortiAuthenticator does so.
This architecture saves CPU and memory on the FortiGates and avoids stress conditions when there are huge quantities of RADIUS accounting packets to process.
The following article details all solutions available for using RSSO with FortiGates: Solution Guide: Fortinet Solutions RSSO (RADIUS Single Sign On).
The way in which the FortiAuthenticator retrieves the information about user group membership depends on the 'SSO user type' chosen.
There are three main ways, as explained in RADIUS accounting:
Related articles: Technical Guide: Integrate a third-party access point with FortiAuthenticator/FortiGate using RSSO |
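To check ahead of time which users would hit the 360-byte limit described above, the following added example (not Fortinet code) parses a RADIUS Accounting-Request and totals the bytes of its group attribute. It assumes groups arrive in the Class attribute (type 25) and that the limit applies to the sum of the attribute values; the function names are hypothetical and the sample packets are constructed.

```python
import struct

GROUP_LIMIT = 360       # bytes: the FortiOS group-list limit stated in this article
GROUP_ATTR = 25         # Class (RFC 2865); assumed to be the attribute carrying group names
ACCOUNTING_REQUEST = 4  # RADIUS code for Accounting-Request (RFC 2866)

def build_accounting_request(attrs, ident=1):
    """Build a constructed Accounting-Request (zeroed authenticator, test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(body), bytes(16)) + body

def parse_attrs(packet):
    """Yield (type, value) for each attribute, rejecting truncated or malformed packets."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def group_bytes(packet, group_attr=GROUP_ATTR):
    """Return (total value bytes, list of values) for the group attribute in one packet."""
    groups = [v for t, v in parse_attrs(packet) if t == group_attr]
    return sum(len(g) for g in groups), groups

def exceeds_limit(packet, limit=GROUP_LIMIT):
    """True when the group list is longer than the limit (assumed to be inclusive)."""
    return group_bytes(packet)[0] > limit

def sample_packet(n_groups):
    """Constructed sample: User-Name plus n_groups Class values of 12 bytes each."""
    attrs = [(1, b"alice")] + [(GROUP_ATTR, b"grp-team-%03d" % i) for i in range(n_groups)]
    return build_accounting_request(attrs)

if __name__ == "__main__":
    for n in (30, 31):
        total, _ = group_bytes(sample_packet(n))
        print(n, "groups:", total, "bytes,", "over limit" if total > GROUP_LIMIT else "ok")
```
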
