masokan_ftnt
Staff
Article Id 377192
Description
This article describes how to configure the FSSO CA RADIUS accounting setting so that the FSSO CA receives accounting records from a RADIUS server and uses that data to authenticate users.

Scope
FortiGate.
Solution

Radius_FSSO.png

 

IPSec will be used for this use case, but the same can also be achieved with SSL VPN.

 

IPSec configuration, IKEv2 with peerid defined:

 

config vpn ipsec phase1-interface
    edit "FCT-VPN"
        set type dynamic
        set interface "port2"
        set ike-version 2
        set peertype one
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 10.191.35.53
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set dpd on-idle
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set authusrgrp "ipsec-vpn-admin"
        set peerid "dialup2"
        set ipv4-start-ip 192.168.10.1
        set ipv4-end-ip 192.168.10.10
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret ENC e+mq0a1k17e+Aa  
        set dpd-retryinterval 60
    next
end

config vpn ipsec phase2-interface
    edit "FCT-VPN-TEST"
        set phase1name "FCT-VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set dhgrp 20
    next
end

 

RADIUS configuration (the accounting needs to be configured on the CLI):

 

config user radius
    edit "radius01"
        set server "10.191.35.53"
        set secret ENC 0ueCcsRMVRcfr5nElt
        set timeout 30
        set acct-interim-interval 600
        set auth-type ms_chap_v2
            config accounting-server
                edit 1
                    set status enable
                    set server "10.191.35.53"
                    set secret ENC ILCYdcfrWy/Bd6e7xtrI
                    set port 1813
                next
            end
    next
end

 

Group configuration:

 

config user group
    edit "ipsec-vpn-admin"
        set member "radius01"
    next
end

 

Now the configuration on the RADIUS Server (Windows NPS):

  • Configuration of the RADIUS Client: Defining RADIUS Client (FortiGate) and shared secret.

 

radius_client.png

 

  • Configuration of the Remote RADIUS Server: Here, the FSSO CA server details are configured as the remote RADIUS server used for accounting.

 

remote_radius.png

 

remote_radius1.png

 

remote_radius2.png

 

  • Configuration of the CRP (connection request policy): Configuring the connection request policy to authenticate on this server and forward accounting to the FSSO CA server using the 'FSSO_CA' Remote RADIUS Server Group created in the previous step.

 

radius_crp.png

 

radius_crp2.png

 

  • Configuration of the NP (network policies): Here, the users/groups to be authenticated using EAP-MS-CHAPv2 are configured.

 

radius_np.png

 

radius_np1.png

 

radius_np2.png

 

  • Configuration of FSSO CA: On the FSSO CA server, RADIUS Accounting should be configured on Advanced Settings -> RADIUS Accounting with the port and shared secret used on the NPS Server.

 

fsso_ca.png

 

What happens behind the scenes when authentication and accounting processes are initiated?

 

After successful authentication and authorization (for the RADIUS messages involved in that stage, see Technical Tip: Explanation of authentication methods of a radius server setting on a FortiGate), the FortiGate sends an Accounting-Request (Start) to the RADIUS server (NPS), and the RADIUS server proxies this Accounting-Request (Start) to the FSSO CA.

The FSSO CA replies with an Accounting-Response to the RADIUS server, which forwards the reply to the FortiGate.

 

In a diagram, it should be something like this: 

 

Radius_accounting_start.drawio.png

 

A packet capture on the RADIUS server shows the accounting messages exchanged between the FortiGate and the RADIUS server, and between the RADIUS server and the FSSO CA.

 

  • Accounting-Request (Start) between FortiGate and RADIUS Server.

 

request_fgt.png

 

  • Accounting-Request (Start) between RADIUS Server and FSSO CA.

 

wireshark_proxy.png

 

In the fnbamd debug output, the Accounting-Request (Start) and the Accounting-Response look like this:

 

FGT # diagnose debug app fnbamd -1

FGT # diagnose debug enable

[1075] fnbamd_cfg_get_radius_acct_list-
[456] fnbamd_rad_get-vfid=0, name='radius01'
[1082] fnbamd_cfg_get_radius_acct_list-Loaded RADIUS server 'radius01'
[1091] fnbamd_cfg_get_radius_acct_list-Total rad servers to try: 1
[936] fnbamd_rad_get_auth_server-
[1172] fnbamd_rad_auth_ctx_init-User ha_relay? 0.
[1107] __auth_ctx_svr_push-Added addr 10.191.35.53:1813 from rad 'radius01'
[930] __fnbamd_rad_get_next_addr-Next available address of rad 'radius01': 10.191.35.53:1813.
[1125] __auth_ctx_start-Connection starts radius01:10.191.35.53, addr 10.191.35.53:1813 proto: UDP
[280] __rad_udp_open-Opened radius socket 10, sa_family 2
[945] __rad_conn_start-Socket 10 is created for rad 'radius01'.
[807] __rad_add_job_timer-
[1447] create_acct_session-Acct type 6 session created, 0xf4f5b10
[828] __rad_rxtx-fd 10, state 4(Acct) <---- Accounting Request.
[830] __rad_rxtx-Stop rad conn timer.
[837] __rad_rxtx-
[1041] fnbamd_rad_make_acct_request-
[989] __create_acct_request-Compose RADIUS request
[1028] __create_acct_request-Created RADIUS Acct-Request. Len: 186.
[1171] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.191.35.53:1813, source address is null, protocol number is 17, oif id is 0
[353] __rad_udp_send-oif=0, intf_sel.mode=0, intf_sel.name=
[868] __rad_rxtx-Sent radius req to server 'radius01': fd=10, IP=10.191.35.53(10.191.35.53:1813) code=4 id=70 len=186
[877] __rad_rxtx-Start rad conn timer.
[828] __rad_rxtx-fd 10, state 4(Acct)
[830] __rad_rxtx-Stop rad conn timer.
[880] __rad_rxtx-
[431] __rad_udp_recv-Recved 20 bytes. Buf sz 8192
[1095] fnbamd_rad_validate_acct_pkt-RADIUS resp code 5  <---- Accounting Response.
[912] __rad_rxtx-
[2971] fnbamd_rad_acct_result-res 0, session 0xf4f5b10, id = 0
[2976] fnbamd_rad_acct_result-Acct session completed
[1347] fnbamd_rads_destroy-
[516] fnbamd_rad_auth_ctx_free-Freeing 'radius01' ctx
[1219] fnbamd_rad_auth_ctx_uninit-
[969] __rad_stop-
[306] __rad_udp_close-closed.
[964] __rad_conn_stop-Stop rad conn timer.
[784] __rad_del_job_timer-
[364] fnbamd_rad_free-Freeing radius01, ref:2
[41] __rad_server_free-Freeing 10.191.35.53, ref:2
[519] fnbamd_rad_auth_ctx_free-
[1350] fnbamd_rads_destroy-
[1354] destroy_acct_session-Acct session destroyed
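As an added illustration (not part of this article or of Fortinet's code), the two authenticator checks behind the exchange above: the FortiGate's Accounting-Request (Start, code 4), whose Request Authenticator the NPS proxy and the FSSO CA must verify with the shared secret before turning the record into a logon entry, and the header-only Accounting-Response (code 5, the 20 bytes received in the debug) that the FortiGate validates in turn. The username, addresses, session ID and shared secret are constructed values.

```python
import hashlib, hmac, struct

ACCT_REQUEST, ACCT_RESPONSE, ACCT_START = 4, 5, 1            # codes seen in the fnbamd debug
USER_NAME, NAS_IP, FRAMED_IP, ACCT_STATUS, ACCT_SESSION_ID = 1, 4, 8, 40, 44

def attr(atype, value):
    """One Type|Length|Value attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_acct_start(ident, secret, user, nas_ip, framed_ip, sid):
    """FortiGate side: Request Authenticator = MD5(header + 16 zero octets + attrs + secret), RFC 2866 s3."""
    attrs = attr(USER_NAME, user.encode()) + attr(NAS_IP, bytes(map(int, nas_ip.split("."))))
    attrs += attr(FRAMED_IP, bytes(map(int, framed_ip.split("."))))
    attrs += attr(ACCT_STATUS, struct.pack("!I", ACCT_START)) + attr(ACCT_SESSION_ID, sid.encode())
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def fsso_ca_handle_start(pkt, secret):
    """FSSO CA / NPS side: verify the Request Authenticator before trusting the record; returns (user, ip) or None."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    if not hmac.compare_digest(hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest(), pkt[4:20]):
        return None                                   # wrong shared secret or tampered packet
    attrs, pos = {}, 20
    while pos < len(pkt):                             # walk the attribute list; a bad length means untrusted
        alen = pkt[pos + 1] if pos + 1 < len(pkt) else 0
        if alen < 2 or pos + alen > len(pkt):
            return None
        attrs[pkt[pos]], pos = pkt[pos + 2:pos + alen], pos + alen
    if attrs.get(ACCT_STATUS) != struct.pack("!I", ACCT_START) or USER_NAME not in attrs or FRAMED_IP not in attrs:
        return None                                   # only a complete Start record creates a logon entry
    return attrs[USER_NAME].decode(), ".".join(map(str, attrs[FRAMED_IP]))

def build_acct_response(request, secret):
    """Header-only Accounting-Response; Response Authenticator = MD5(header + RequestAuthenticator + secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def fortigate_validate_response(request, response, secret):
    """FortiGate side (what fnbamd_rad_validate_acct_pkt has to check): code 5, same ID, valid authenticator."""
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def demo():
    secret = b"constructed-shared-secret"            # constructed placeholder, not the article's ENC value
    req = build_acct_start(70, secret, "normal.user", "10.191.35.40", "192.168.10.1", "0001")
    ok = fortigate_validate_response(req, build_acct_response(req, secret), secret)
    return fsso_ca_handle_start(req, secret) if ok else None
```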

 

After successful authentication and accounting as user 'normal.user', the FSSO CA 'Logon users list' and the FortiGate firewall auth list display the information of the authenticated user.

 

during.png

 

FGT # diagnose firewall auth list

192.168.10.1, NORMAL.USER
type: fsso, id: 0, duration: 30, idled: 10
server: FSSO_CA
packets: in 17 out 284, bytes: in 3124 out 22353
group_id: 33554439 33554483 33554455
group_name: CONTOSO/DOMAIN USERS CONTOSO/IPSEC-VPN-RESTRICT CONTOSO/USERS

----- 2 listed, 0 filtered ------

 

For testing, the web server (10.191.35.53, FQDN intranet.contoso.com) is accessed by two users from two different groups, both connected through the IPSec VPN:

 

  • Advanced user (advanced.user): User belonging to the 'IPSEC-VPN-ADMIN' group, who accesses the web server through policy ID 2.

 

  • Normal user (normal.user): User belonging to the 'IPSEC-VPN-RESTRICT' group, whose access to the web server matches policy ID 3 and is blocked by the Web Filter profile with a Web Filter message. This last step is optional; a simple deny policy without any UTM profile would also work.

 

Policy.png

 

webfilter_merged.png

 

After trying to reach intranet.contoso.com with user 'normal.user', this is the result: the block page, followed by the traffic log of the blocked session through policy ID 3. The second log line shows 'advanced.user' being accepted through policy ID 2 for comparison.

 

web_site.png

 

date=2025-05-29 time=15:17:51 eventtime=1748528271058134316 tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.1 srcport=61571 srcintf="FCT-VPN" srcintfrole="undefined" dstip=10.191.35.53 dstport=80 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=55573 proto=6 action="close" policyid=3 policytype="policy" poluuid="5ff5b85c-3bb8-51f0-af81-64a0ccf80d79" policyname="To_Servers_block" user="NORMAL.USER" authserver="FSSO_CA" dstuser="ADMINISTRATOR" service="HTTP" trandisp="snat" transip=10.191.35.40 transport=61571 appcat="unscanned" duration=40 sentbyte=572 rcvdbyte=36642 sentpkt=14 rcvdpkt=30 vpntype="ipsecvpn" utmaction="block" countweb=1 utmref=65528-14

 

date=2025-05-29 time=15:26:49 eventtime=1748528808853897976 tz="+0100" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.1 srcport=54542 srcintf="FCT-VPN" srcintfrole="undefined" dstip=10.191.35.53 dstport=80 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=56516 proto=6 action="accept" policyid=2 policytype="policy" poluuid="c6b1a8ea-3bb7-51f0-94f6-241965f45166" policyname="To_Servers" user="ADVANCED.USER" group="CONTOSO/IPSEC-VPN-ADMIN" authserver="FSSO_CA" dstuser="ADMINISTRATOR" service="HTTP" trandisp="snat" transip=10.191.35.40 transport=54542 appcat="unscanned" duration=125 sentbyte=1181 rcvdbyte=4187 sentpkt=8 rcvdpkt=8 vpntype="ipsecvpn" sentdelta=1181 rcvddelta=4187 durationdelta=125 sentpktdelta=8 rcvdpktdelta=8

 

Related articles

Technical Tip: Explanation of authentication methods of a radius server setting on a FortiGate 

Technical Tip: Configuring a Radius server