FortiAuthenticator
slovepreet (Staff)
Article Id 425930
Description: This article describes how to distinguish user groups during IPsec VPN authentication when FortiGate is integrated with FortiAuthenticator and users are migrating from SSL VPN to IPsec VPN.
Authentication failures can occur when multiple user groups exist and the RADIUS attributes are not configured correctly on FortiAuthenticator.
Scope: FortiGate, FortiAuthenticator, IPsec VPN, SSL VPN.
Solution

When FortiGate authenticates users for an IPsec tunnel through FortiAuthenticator, group matching relies on the RADIUS attributes that FortiAuthenticator returns in the Access-Accept. In migration scenarios, two distinct user groups may exist, such as 'SSLvpnuser' and 'IPsecuser'.

If the IPsec VPN user is not configured with the appropriate RADIUS attributes on FortiAuthenticator, the authentication response may be matched against the SSL VPN user group instead. This mismatch causes authentication or tunnel establishment failures.

On FortiAuthenticator, the RADIUS user group (whether its members are local or come from an LDAP backend) must be configured to return the Fortinet Vendor-Specific Attribute 'Fortinet-Group-Name' for group name matching. If the attribute is missing or incorrectly set, FortiGate may associate the user with the SSL VPN group instead of the IPsec VPN group.

 

For example, FortiGate is configured with two user groups, 'SSLVPNusers' for SSL VPN authentication and 'IPsecVPNusers' for IPsec VPN authentication, as shown in the picture below.

FortiGate user groups:

[Screenshot: FortiGate side configuration]

 

On the FortiAuthenticator, the same two groups were configured as shown below.

[Screenshot: FortiAuthenticator configuration]

However, only the 'SSLVPNUser' group on the FortiAuthenticator is set with the 'Radius attribute' configuration, and the 'IPsecVPNuser' group's 'Radius attribute' is left blank, as shown in the picture below:

[Screenshot: SSL VPN users group with its RADIUS attribute]

This leads to a group mismatch when the user attempts to connect to the IPsec VPN.

 

The issue can be confirmed on FortiGate by enabling authentication debugging.

Run the following commands on FortiGate:

diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug enable

During the failed authentication attempt, the debug output will show an error indicating a group mismatch. A common message observed is 'Failed group matching'.

[Screenshot: fnbamd debug output showing 'Failed group matching']

 

To prevent this issue, configure explicit RADIUS attributes on FortiAuthenticator for each user group.

Ensure the following configuration is in place on FortiAuthenticator:

Define separate user groups for SSL VPN and IPsec VPN authentication.

Configure RADIUS attributes for each group.

Set the Fortinet Group Name attribute to match the corresponding user group name configured on FortiGate.

Group attributes on FortiAuthenticator:

[Screenshot: IPsec group with its RADIUS attribute]

[Screenshot: SSL VPN users group with its RADIUS attribute]

 

The Fortinet Group Name values must exactly match the user group names configured on FortiGate. After the correct RADIUS attributes are configured, FortiGate will correctly distinguish between SSL VPN and IPsec VPN users during authentication. This ensures successful group matching and allows IPsec VPN connections to establish as expected.
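To make the matching rule concrete, the following added example (not FortiGate or FortiAuthenticator code, and not from this article) encodes and decodes the Fortinet-Group-Name vendor-specific attribute in a RADIUS attribute list and applies the exact-match check described above. The vendor ID 12356 and vendor attribute number 1 come from the public Fortinet RADIUS dictionary; the group names and the three sample Access-Accept payloads are constructed here, and the `match_group` helper is a simplified stand-in for FortiGate's own group matching, not a reproduction of it.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# Values from the public Fortinet RADIUS dictionary (dictionary.fortinet).
FORTINET_VENDOR_ID = 12356     # IANA private enterprise number for Fortinet
FORTINET_GROUP_NAME = 1        # vendor attribute number of Fortinet-Group-Name
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute type
ATTR_CLASS = 25                # RFC 2865 Class attribute, used only as filler below


def encode_fortinet_group_name(group: str) -> bytes:
    """Build one Vendor-Specific attribute carrying Fortinet-Group-Name=<group>."""
    value = group.encode()
    # Inner vendor attribute: vendor-type, vendor-length (includes its own 2-byte header), value.
    vendor_attr = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_attr
    # Outer attribute: type 26, length (includes its own 2-byte header), body.
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each attribute in a RADIUS attribute list (TLV, 1-byte length)."""
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield atype, payload[i + 2:i + alen]
        i += alen


def fortinet_group_names(payload: bytes) -> List[str]:
    """Return every Fortinet-Group-Name value found in the attribute list, in order."""
    groups: List[str] = []
    for atype, value in decode_attributes(payload):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue                                  # not a VSA, or too short to hold one
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue                                  # some other vendor's VSA
        j = 4
        while j + 2 <= len(value):                    # walk the vendor sub-attributes
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                break                                 # truncated sub-attribute; ignore the rest
            if vtype == FORTINET_GROUP_NAME:
                groups.append(value[j + 2:j + vlen].decode(errors="replace"))
            j += vlen
    return groups


def match_group(payload: bytes, groups_on_firewall: List[str]) -> Optional[str]:
    """Simplified stand-in for FortiGate group matching (assumption, not its real logic):
    the first returned group name that is an exact, case-sensitive match wins; None means
    the 'Failed group matching' outcome the article describes."""
    for name in fortinet_group_names(payload):
        if name in groups_on_firewall:
            return name
    return None


# Constructed sample data: the two FortiGate groups from the article and three Access-Accept
# attribute lists that a RADIUS server might return for an IPsec user.
FORTIGATE_GROUPS = ["SSLVPNusers", "IPsecVPNusers"]
ACCEPT_CORRECT = encode_fortinet_group_name("IPsecVPNusers")
ACCEPT_NO_ATTRIBUTE = struct.pack("!BB", ATTR_CLASS, 2 + 4) + b"demo"   # no Fortinet VSA at all
ACCEPT_NEAR_MISS = encode_fortinet_group_name("IPsecVPNuser")            # missing trailing 's'


def scenarios() -> dict:
    """Evaluate the three constructed responses against the IPsec tunnel's allowed group."""
    allowed_for_ipsec = ["IPsecVPNusers"]
    return {
        "correct attribute": match_group(ACCEPT_CORRECT, allowed_for_ipsec),
        "attribute missing": match_group(ACCEPT_NO_ATTRIBUTE, allowed_for_ipsec),
        "name near miss": match_group(ACCEPT_NEAR_MISS, allowed_for_ipsec),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print("%-18s -> %s" % (label, result or "Failed group matching"))
```

Only the first scenario matches; the response with no Fortinet-Group-Name attribute and the response whose group name differs by a single character both fall through to the failure case, which is why the attribute value must be copied exactly from the FortiGate group name.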