This article describesthat Radius MFA may not work for the user that is part of another LDAP group on FortiGate.
The authentication will work, however, not via Radius but with LDAP
# config vpn ssl setting
When the authentication is taking place for user that is part of both these group, authentication will complete via LDAP.
FortiGate sends the authentication request to all the possible groups and against possible authentication server.
The request for authentication against Radius will be sent, but since there is MFA involved, it will take longer for Radius to authenticate. With LDAP, the request will be faster hence it will go through.
 __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'radius-test' for usergroup 'Radius-group' (4) <---- Radius request being sent.
 fnbamd_ldap_result-Passed group matching -<----- Matches an LDAP group.
Radius request was already sent, but since MFA is configured it will take time to authenticate and hence LDAP goes on to authenticate first causing MFA to fail.
 radius_stop-Timer of rad 'radius-test' is deleted
It is important to avoid using users that part of groups on two different authentication servers.
In this case, since RADIUS MFA was required, the user trying to authenticate should not be a part of LDAP-group also configured under authentication rules.