cchiriches
Staff
Description This article describes how to fix the 'user not filtered by groups' error.
Scope FortiAuthenticator 6.x.
Solution

If the following failure message appears in Logs (Log Access -> Log Access -> Logs), check the RADIUS debug output for more details.

 

Message Local administrator authentication with no token failed: user not filtered by groups
User user1

 

Access the following and look for the same error:
https://<YOURFACIP>/debug/radius/

 

fortiauth radiusd[1256]: Waking up in 0.6 seconds.
fortiauth radiusd[1256]: (57) Received Access-Request Id 3 from 10.191.19.149:12668 to 10.5.20.234:1812 length 121
fortiauth radiusd[1256]: (57) NAS-Identifier = "fortigate"
...
fortiauth radiusd[1256]: (57) facauth: Found authpolicy 'fgt-mercedes-kvm50-radius-policy' for client '10.191.19.149'
...
fortiauth radiusd[1256]: (57) facauth: ERROR: ERROR: local user 'user1' not filtered against NAS groups
fortiauth radiusd[1256]: (57) facauth: Updated auth log 'user1': Local administrator authentication(chap) with no token failed: user not filtered by groups
fortiauth radiusd[1256]: (57) # Executing group from file /usr/etc/raddb/sites-enabled/default
fortiauth radiusd[1256]: Waking up in 0.3 seconds.
fortiauth radiusd[1256]: (57) Sent Access-Reject Id 3 from 10.5.20.234:1812 to 10.191.19.149:12668 length 20
fortiauth radiusd[1256]: Waking up in 56.9 seconds.

 

Check that the correct RADIUS policy has been matched (the 'Found authpolicy' line in the debug output shows which one was used).
Open that policy and check which group or groups it filters on.

 


 

Make sure the affected user is a member of the filtered group or groups, as defined on or imported into the FortiAuthenticator.

 


Result

...

Message Local administrator authentication with no token successful
User user1

...

...

fortiauth radiusd[1256]: (62) facauth: Updated auth log 'user1': Local administrator authentication with no token successful

...
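
When the debug page holds many interleaved requests, the lines can be grouped by the request number in parentheses to see which policy each request matched and whether the group filter rejected it. The script below is an added example, not Fortinet code; the function names are hypothetical and the sample text is constructed from the line formats shown in this article.

```python
import re

# Constructed sample modeled on the debug lines in this article (request 62's
# policy and Access-Accept lines are assumed to follow the same format).
SAMPLE = """\
fortiauth radiusd[1256]: (57) Received Access-Request Id 3 from 10.191.19.149:12668 to 10.5.20.234:1812 length 121
fortiauth radiusd[1256]: (57) facauth: Found authpolicy 'fgt-mercedes-kvm50-radius-policy' for client '10.191.19.149'
fortiauth radiusd[1256]: (57) facauth: ERROR: ERROR: local user 'user1' not filtered against NAS groups
fortiauth radiusd[1256]: (57) Sent Access-Reject Id 3 from 10.5.20.234:1812 to 10.191.19.149:12668 length 20
fortiauth radiusd[1256]: Waking up in 56.9 seconds.
fortiauth radiusd[1256]: (62) facauth: Found authpolicy 'fgt-mercedes-kvm50-radius-policy' for client '10.191.19.149'
fortiauth radiusd[1256]: (62) facauth: Updated auth log 'user1': Local administrator authentication with no token successful
fortiauth radiusd[1256]: (62) Sent Access-Accept Id 4 from 10.5.20.234:1812 to 10.191.19.149:12668 length 20
"""

LINE = re.compile(r"radiusd\[\d+\]: \((\d+)\) (.*)")
POLICY = re.compile(r"Found authpolicy '([^']+)' for client '([^']+)'")
GROUP_ERR = re.compile(r"local user '([^']+)' not filtered against NAS groups")
AUTHLOG = re.compile(r"Updated auth log '([^']+)': ")
REPLY = re.compile(r"Sent (Access-\w+) ")

def summarize(text):
    """Group debug lines by request number; return {request: summary dict}."""
    reqs = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # e.g. "Waking up ..." lines carry no request number
        req = reqs.setdefault(int(m.group(1)), {
            "policy": None, "client": None, "user": None,
            "reply": None, "group_filter_failure": False})
        body = m.group(2)
        if (p := POLICY.search(body)):
            req["policy"], req["client"] = p.groups()
        elif (g := GROUP_ERR.search(body)):
            req["user"], req["group_filter_failure"] = g.group(1), True
        elif (a := AUTHLOG.search(body)):
            req["user"] = a.group(1)
        elif (r := REPLY.search(body)):
            req["reply"] = r.group(1)
    return reqs

def group_filter_rejects(text):
    """Return (user, policy, client) for requests rejected by the group filter."""
    return [(r["user"], r["policy"], r["client"]) for r in summarize(text).values()
            if r["group_filter_failure"] and r["reply"] == "Access-Reject"]

if __name__ == "__main__":
    for user, policy, client in group_filter_rejects(SAMPLE):
        print(f"{user}: check group filter on policy {policy} (client {client})")
```
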

Related article

https://community.fortinet.com/t5/FortiAuthenticator/Troubleshooting-Tip-How-to-work-with-FortiAuthe...

 
