If the following failure message appears in the logs at Log Access -> Log Access -> Logs go over to radius debug for more details.

Local administrator authentication with no token failed: user not filtered by groups
User user1

Access the following and look for the same error (it may be necessary to enable the RADIUS debug mode with the debug button): https://fac-ip/debug/radius/ 

fortiauth radiusd[1256]: (57) Received Access-Request Id 3 from 10.191.48.149:12668 to 10.5.48.234:1812 length 121
fortiauth radiusd[1256]: (57) NAS-Identifier = "fortigate"
...
fortiauth radiusd[1256]: (57) facauth: Found authpolicy 'fgt.forti.lab' for client '10.191.48.149'
...
fortiauth radiusd[1256]: (57) facauth: ERROR: ERROR: local user 'user1' not filtered against NAS groups
fortiauth radiusd[1256]: (57) facauth: Updated auth log 'user1': Local administrator authentication(chap) with no token failed: user not filtered by groups
fortiauth radiusd[1256]: (57) # Executing group from file /usr/etc/raddb/sites-enabled/default
fortiauth radiusd[1256]: Waking up in 0.3 seconds.
fortiauth radiusd[1256]: (57) Sent Access-Reject Id 3 from 10.5.48.234:1812 to 10.191.48.149:12668 length 20

Check if the correct radius policy has been matched.
Go onto the policy and check for the filtered group/groups.

Make sure the affected user is a member of the group/groups defined/imported on the FortiAuthenticator. For example:

Result

...

Message Local administrator authentication with no token successful
User user1

...

...

fortiauth radiusd[1256]: (62) facauth: Updated auth log 'user1': Local administrator authentication with no token successful

...

Note:

The users cannot have a 'Pre-Windows 2000 Compatible Access Group' membership. For more information, see these Microsoft document links:

• 6.1.1.4.12.14 Pre-Windows 2000 Compatible Access Group Object
• Remove Authenticated Users from the PreWin2000

Related article:

Troubleshooting Tip: How to work with FortiAuthenticator Technical Support