matanaskovic
Staff

Description

 

This article explains why FortiAuthenticator is not sending the 'Fortinet-Group-Name' AVP in the RADIUS Access-Accept message.

 

Scope

 

FortiAuthenticator v6.4.

 

Solution

 

matanaskovic_0-1657032478583.png

 

In a capture of the RADIUS traffic between FortiAuthenticator and FortiGate, the pcap screenshot shows that FortiAuthenticator does not send the 'Fortinet-Group-Name' AVP.

 

The RADIUS attributes and user group settings are configured on the FortiAuthenticator as follows:

 

matanaskovic_2-1657032718893.png

 

FortiGate is configured as a RADIUS client. In the RADIUS policy, an LDAP server is defined as the 'Identity source'.

 

matanaskovic_1-1657032563235.png

 

To send RADIUS attributes, enable 'Use default realm when user-provided realm is different from all configured realms' under 'Identity source' in the RADIUS policy.

 

Also, enable 'Filter' and select the user group that was configured.

 

matanaskovic_3-1657032949492.png

 

The packet capture now shows the 'Fortinet-Group-Name' AVP.

 

matanaskovic_4-1657033007876.png

 

Related Article: https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Radius-authentication-with-FortiA...