Skip to main content
kmak
Staff
kmak
Staff
February 12, 2026

Troubleshooting Tip: How to troubleshoot FortiWeb GUI admin login issue for a RADIUS admin account with group attribute

  • February 12, 2026
  • 0 replies
  • 153 views
Description This article describes the steps to troubleshoot FortiWeb GUI admin login issue for a RADIUS admin account with a group attribute.
Scope FortiWeb.
Solution

Prerequisite:

  • A FortiWeb admin account with remote RADIUS authentication.
  • A RADIUS account user with a group attribute.

 

Issue reproduction:

The users account created in the RADIUS server may be assigned with a group attribute, and it may cause issues with the FortiWeb RADIUS account login if the group attribute was not configured correctly in the FortiWeb RADIUS admin group configuration. The issue can be reproduced with the following steps:

 

  1. Add the RADIUS account in FortiAuthenticator with the group assignment. The user group is added to the Fortinet’s group attribute.

 

kmak_0-1770875888247.jpeg

 

  1. The RADIUS account user is assigned to multiple groups. Each of the groups is added with the group attribute. The RADIUS user 'fwb-admin01' is assigned to two groups and has two group attributes: 'Web_Security' and 'Firewall Admin'.

 

kmak_1-1770875888251.jpeg

 

  1. Given that the remote Radius authentication server has been configured in the FortiWeb, create the Admin Group and assign the admin RADIUS account to the Admin Group. In the example, only one group name will be added to the Admin User Group.

 

kmak_2-1770875888254.jpeg

 

  1. Log into the FortiWeb SSH/CLI shell and run the GUI admin login debug commands.

 

diagnose debug admin-https access-log enable

diagnose debug enable

 

  1. Test the RADIUS account admin login in the FortiWeb GUI admin access. Insert the auth token if the 2FA token is enabled for the RADIUS account user.

 

kmak_3-1770875888255.jpeg
kmak_4-1770875888256.jpeg

 

  1. The GUI admin login will fail with the account login redirected back to the GUI login page. Notice that the URL contains the parameter 'err_token=1'.

 

kmak_5-1770875888257.jpeg

 

  1. The debug output shows the account login returned the error 'Auth for token return is -1'. A successful login should return the message of the RADIUS group match.

 

kmak_6-1770875888258.jpeg

 

Resolution:

  1. The RADIUS admin group in the FortiWeb must be added with all of the group name attributes that are assigned in the RADIUS server. In the FortiWeb, navigate to the admin group page and edit the specific admin group. Insert all the group names into the group.

 

kmak_7-1770875888260.jpeg

 

  1. Group name attributes are separated with a comma ',' as the delimiter.

 

kmak_8-1770875888262.jpeg

 

  1. Test the RADIUS account user login again in the FortiWeb GUI login page.

 

kmak_9-1770875888263.jpeg
kmak_10-1770875888264.jpeg

 

  1. The login should be successful and directed into the FortiWeb dashboard.

 

kmak_11-1770875888266.jpeg

 

  1. The debug output shows the message 'Auth for token return is 0' and there will be group matched of the account group attribute.

 

kmak_12-1770875888267.jpeg

 

Related documents:
Terms & ConditionsAccessibility statement