RSSO authentication on FortiGate is always case sensitive, and the behavior cannot be changed on FortiGate.
The example below walks through the behavior in detail using the radiusd debug output:
Configure an RSSO:
config user radius
    edit "rsso"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC 2wDJVr/ylfTJtXn/0tEWrUGQmJKlrHLM90+X2wAKesvPiRF0WD6C25Qkcyo8erVKz8qtSnfY03vDuOPfxhEGBL6f14WLhOcDRcX+BrgAlqdofN2+MAiX9va+i0+uz5Y6anXIixyUdaErkB7XDhNe3rHUPF4JstEAZY6MlN5IDojQlzTNa8d0mPFDEhcaRVNo0/R2JQ==
        set rsso-endpoint-attribute User-Name
    next
end
Configure two RSSO groups whose RSSO attribute values differ only in case, 'aaaa' and 'AAAA':
config user group
    edit "rsso.group.1"
        set group-type rsso
        set sso-attribute-value "aaaa"
    next
    edit "rsso.group.2"
        set group-type rsso
        set sso-attribute-value "AAAA"
    next
end
Configure a separate firewall policy for each of the two RSSO groups created above:
config firewall policy
    edit 4
        set name "out-1"
        set uuid a4ad7b96-c739-51ee-fcff-e5c5ee8166da
        set srcintf "port9"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "rsso.group.1"
    next
    edit 9
        set name "test"
        set uuid 1f1b0210-ca76-51ee-2e57-d8ec569e8ecf
        set srcintf "port9"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "rsso.group.2"
    next
end
Enable radiusd debugging via the CLI to see the authentication result:
diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application radiusd -1
diagnose debug enable
Generate and send a RADIUS accounting start message with Class attribute 'aaaa' to the FortiGate.
In this example, the first RADIUS accounting message with class 'aaaa' is received for source IP 10.129.3.148 and username shah@fortiserver.com:
2024-02-13 14:58:07 Received radius accounting event
2024-02-13 14:58:07 vd 0:root Add/Update auth logon for IP 10.129.3.148 for user shah@fortiserver.com
2024-02-13 14:58:07 DB 0 insert [ep='shah@fortiserver.com' pg='aaaa' ip='10.129.3.148/32'] success
2024-02-13 14:58:07 Send accounting response

Hub # diagnose test application radiusd 3
2024-02-13 14:58:38 RADIUS server database [vd root]:
2024-02-13 14:58:38 "index","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2024-02-13 14:58:38 1,07:59:29,"10.129.3.148","shah@fortiserver.com","allow","no log","aaaa",1,No
2024-02-13 14:58:38
The user matches both groups above since 'AAAA' is the same as 'aaaa' on FortiGate:
diagnose firewall auth list
10.129.3.148, shah@fortiserver.com
        type: rsso, id: 0, duration: 13, idled: 3
        flag(10): radius
        server: root
        packets: in 0 out 5, bytes: in 0 out 310
        group_id: 3 2
        group_name: rsso.group.2 rsso.group.1
----- 1 listed, 0 filtered ------
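The group match shown in the auth list above, as an added example that is not Fortinet's code: a small script that models FortiGate's case-insensitive comparison of the RADIUS Class value against each group's sso-attribute-value, and flags groups whose values differ only by case, since such groups can never be distinguished by policy. The config text is constructed for the example and the parser is a minimal hypothetical one, not FortiGate's.

```python
# Added example, not Fortinet's code: models the case-insensitive RSSO group
# match shown above and flags sso-attribute-value collisions in a FortiGate
# 'config user group' block. Config text is constructed; parser is a minimal
# hypothetical one.
import re
from collections import defaultdict

SAMPLE_CONFIG = """
config user group
    edit "rsso.group.1"
        set group-type rsso
        set sso-attribute-value "aaaa"
    next
    edit "rsso.group.2"
        set group-type rsso
        set sso-attribute-value "AAAA"
    next
    edit "rsso.group.3"
        set group-type rsso
        set sso-attribute-value "staff"
    next
end
"""

def parse_rsso_groups(text):
    """Return {group_name: sso-attribute-value} for groups of type rsso."""
    groups = {}
    for name, body in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', text, re.S):
        m = re.search(r'set sso-attribute-value "([^"]*)"', body)
        if "set group-type rsso" in body and m:
            groups[name] = m.group(1)
    return groups

def matching_groups(groups, profile_group):
    """Groups an RSSO entry with this 'profile group' (Class value) lands in;
    FortiGate compares case-insensitively, as the radiusd debug above shows."""
    pg = profile_group.casefold()
    return sorted(n for n, v in groups.items() if v.casefold() == pg)

def attribute_collisions(groups):
    """Values differing only by case: FortiGate cannot tell these groups apart,
    so the first (upper) policy referencing any of them always matches."""
    by_value = defaultdict(list)
    for name, value in groups.items():
        by_value[value.casefold()].append(name)
    return {v: sorted(n) for v, n in by_value.items() if len(n) > 1}
```

Running attribute_collisions over a real configuration backup is a quick way to find group pairs that will silently share the upper policy, as 'rsso.group.1' and 'rsso.group.2' do here.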
Filter the session list on the source IP and on ICMP (protocol 1) to isolate the ping traffic:
diagnose sys session filter clear
diagnose sys session filter src 10.125.3.148
diagnose sys session filter proto 1
diagnose sys session list
total session 0 <- There is no session entry for ping traffic yet.
Ping traffic to destination IP 4.2.2.2 is generated, and the user's traffic hits firewall policy ID 4 (the upper policy):
diagnose sys session list
session info: proto=1 proto_state=00 duration=8 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=shah@fortiserver.com auth_server=root state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=540/9/1 reply=540/9/1 tuples=2
tx speed(Bps/kbps): 62/0 rx speed(Bps/kbps): 62/0
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5 gwy=10.109.31.254/10.129.3.148
hook=post dir=org act=snat 10.129.3.148:1->4.2.2.2:8(10.109.17.69:60418)
hook=pre dir=reply act=dnat 4.2.2.2:60418->10.109.17.69:0(10.129.3.148:1)
misc=0 policy_id=4 pol_uuid_idx=554 auth_info=2 chk_client_info=0 vd=0
serial=004933db tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040000
no_ofld_reason: non-npu-intf
total session 1
Generate and send a second RADIUS accounting start message with class 'AAAA' for the same source IP 10.129.3.148 and the same username shah@fortiserver.com. The existing RSSO entry is overwritten by the new accounting packet with class 'AAAA':
2024-02-13 14:59:15 Received radius accounting event
2024-02-13 14:59:15 DB 0 insert [ep='shah@fortiserver.com' pg='AAAA' ip='10.129.3.148/32'] success
2024-02-13 14:59:15 Send accounting response

diagnose test application radiusd 3
2024-02-13 14:59:23 RADIUS server database [vd root]:
2024-02-13 14:59:23 "index","time left","ip","endpoint","block status","log status","profile group","ref count","use default profile"
2024-02-13 14:59:23 1,07:59:52,"10.129.3.148","shah@fortiserver.com","allow","no log","AAAA",1,No
2024-02-13 14:59:23
diagnose firewall auth list
10.129.3.148, shah@fortiserver.com
        type: rsso, id: 0, duration: 72, idled: 0
        flag(10): radius
        server: root
        packets: in 38 out 75, bytes: in 2280 out 5076
        group_id: 3 2
        group_name: rsso.group.2 rsso.group.1 <- The user still matches both groups, since 'AAAA' is the same as 'aaaa' on FortiGate.
----- 1 listed, 0 filtered ------
Ping traffic is generated to the destination IP 8.8.4.4 as well. Both the old (4.2.2.2) and new user traffic (8.8.4.4) still hit the upper firewall policy ID 4:
diagnose sys session list
session info: proto=1 proto_state=00 duration=7 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=shah@fortiserver.com auth_server=root state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=480/8/1 reply=480/8/1 tuples=2
tx speed(Bps/kbps): 66/0 rx speed(Bps/kbps): 66/0
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5 gwy=10.109.31.254/10.129.3.148
hook=post dir=org act=snat 10.129.3.148:1->8.8.4.4:8(10.109.17.69:60418)
hook=pre dir=reply act=dnat 8.8.4.4:60418->10.109.17.69:0(10.129.3.148:1)
misc=0 policy_id=4 pol_uuid_idx=554 auth_info=2 chk_client_info=0 vd=0
serial=00493662 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040000
no_ofld_reason: non-npu-intf

session info: proto=1 proto_state=00 duration=63 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
user=shah@fortiserver.com auth_server=root state=may_dirty authed acct-ext
statistic(bytes/packets/allow_err): org=3780/63/1 reply=3780/63/1 tuples=2
tx speed(Bps/kbps): 58/0 rx speed(Bps/kbps): 58/0
orgin->sink: org pre->post, reply pre->post dev=5->17/17->5 gwy=10.109.31.254/10.129.3.148
hook=post dir=org act=snat 10.129.3.148:1->4.2.2.2:8(10.109.17.69:60418)
hook=pre dir=reply act=dnat 4.2.2.2:60418->10.109.17.69:0(10.129.3.148:1)
misc=0 policy_id=4 pol_uuid_idx=554 auth_info=2 chk_client_info=0 vd=0
serial=004933db tos=ff/ff app_list=0 app=0 url_cat=0 <- The session serial is unchanged after the Class attribute changed; the existing session was kept.
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x040000
no_ofld_reason: non-npu-intf
total session 2