salloum
New Member
October 28, 2021
Question

FMG username in radius attribute


Hi,

I would like to ask if it's possible to return the Administrator username as a radius attribute from FAC to FMG, I know that I can return the access profile, but I would like to also return the wildcard user to use on FMG.

Thanks


    vinisantos_FTNT
    Staff
    October 29, 2021

    Hello,

    Would you mind elaborating a bit more on what exactly you're trying to accomplish? What do you need the username for and how are you planning on using it? Is there any scripting involved?

    Regards

    xsilver_FTNT
    Staff
    November 3, 2021

    Hi, let's imagine ... Network diagram:

    - Admin person [Alice] --> FMG -> client side {RADIUS} server side -> FAC

    FMG:

    - uses wildcard admin config, pointing to user group on FMG

    - that user group points to RADIUS server config on FMG

    - that RADIUS server config on FMG points to FAC as actual AAA RADIUS server

    And so as FMG is the RADIUS client, then it sends out Access-Request to FAC.

    And as you would see in packet capture there is "User-Name" AVP, filled by FMG with login name used by actual administrator [Alice] who tried to login to FMG.

    As the FMG uses the Wildcard type of admin to point to FAC (through the designated user group), it is most probably not sending that wildcard profile name (never seen that being sent in the past, but I haven't tested FMG in about the past year).

    Therefore FAC knows nothing about the wildcard profile used, and the only known thing is the true login name used in the logon attempt and sent as User-Name.

    I'm not sure why you would need to know the wildcard profile name (if I got you correctly).

    Maybe to filter RADIUS Service / Policies based on received "RADIUS attribute criteria".

    In that case have a look into a packet capture. Not sure for FMG, but FGT does send Connection-Info, from which you can determine if the logon is made to the admin GUI, or SSL VPN, or IPsec VPN, or whether it's a CLI/GUI logon test ...

    There will be no wildcard profile name as we do not have that in our dictionary.

    However, to distinguish between admins the access profile might be useful, or a RADIUS group match as well.
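To see concretely what the RADIUS server side gets to work with, here is an added example (not code from the thread, FortiManager or FortiAuthenticator) that encodes an Access-Request the way a RADIUS client would, then decodes its AVPs as you would when reading a packet capture. The sample packet, the admin name "alice", the NAS address and the attribute set are all constructed for illustration; the only identity the server-side parser can extract is the User-Name AVP, because no standard attribute carries a wildcard admin profile name.

```python
import struct

# RFC 2865 / RFC 2869 attribute types relevant to an admin logon Access-Request
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              32: "NAS-Identifier", 77: "Connection-Info", 80: "Message-Authenticator"}
ACCESS_REQUEST = 1

def build_access_request(identifier, attrs):
    """Encode a RADIUS Access-Request (RFC 2865 section 3).
    attrs is a list of (type, value_bytes). The Request Authenticator is a
    fixed constructed value here; a real client uses 16 random bytes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    authenticator = bytes(range(16))  # constructed placeholder, not random
    return header + authenticator + body

def parse_avps(packet):
    """Decode the AVP list of a RADIUS packet into (code, {name: value}).
    Validates the header Length against the buffer and every AVP length so a
    truncated or padded capture is rejected instead of misparsed."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    avps, pos = {}, 20
    while pos < length:
        t, avp_len = packet[pos], packet[pos + 1]
        if avp_len < 2 or pos + avp_len > length:
            raise ValueError("malformed AVP at offset %d" % pos)
        avps[ATTR_NAMES.get(t, "Attribute-%d" % t)] = packet[pos + 2:pos + avp_len]
        pos += avp_len
    return code, avps

def identity_seen_by_server(packet):
    """All the server learns about who is logging on: the User-Name AVP."""
    _code, avps = parse_avps(packet)
    return avps.get("User-Name", b"").decode("utf-8", "replace")

# Constructed sample of what a RADIUS client such as FMG would send for
# administrator "alice" (not a real capture; password field is a placeholder)
SAMPLE = build_access_request(7, [
    (1, b"alice"),
    (2, b"\x00" * 16),        # User-Password is 16-byte-block obfuscated in real traffic
    (4, bytes([10, 0, 0, 5])),
    (32, b"FMG"),
])

if __name__ == "__main__":
    print(parse_avps(SAMPLE)[1].keys())   # no wildcard-profile attribute is present
    print(identity_seen_by_server(SAMPLE))
```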