Description
This article explains why FortiAuthenticator does not send the 'Fortinet-Group-Name' AVP in the RADIUS Access-Accept message.
Scope
FortiAuthenticator v6.4.
Solution
Capture the RADIUS traffic between FortiAuthenticator and FortiGate. As the pcap screenshot shows, FortiAuthenticator does not send the 'Fortinet-Group-Name' AVP.
The RADIUS attributes and user group settings are configured on the FortiAuthenticator as follows:
FortiGate is configured as a RADIUS client. In the RADIUS policy, an LDAP server is defined as the 'Identity source'.
To send the RADIUS attributes, enable 'Use default realm when user-provided realm is different from all configured realms' under 'Identity source' in the RADIUS policy.
Also enable 'Filter' and select the user group that was configured.
The packet capture now shows the 'Fortinet-Group-Name' AVP.
Related Article: https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Radius-authentication-with-FortiA...