Description: This article describes how the 'Class' attribute of type String, defined in a Network Policy on a Windows NPS server, can be used to match the user group(s) on the FortiGate.
Scope: FortiOS.
Solution:
Steps on the NPS server: define the 'Class' attribute on the Network Policies in the Windows NPS server.
Steps on the FortiGate firewall:
Step 1: Enable the Class attribute override under the RADIUS configuration using the CLI.
config user radius
    edit "radius-windows-2019"
        set server "192.168.1.200"
    next
end
Note: It is important to enable the override; otherwise the Class attribute is ignored and the FortiGate will not show the Group Membership(s) in Step 2.
Step 2: Using the FortiGate CLI, confirm that the FortiGate is receiving the Group Membership(s) from the NPS server.
lab # diagnose test authserver radius radius-windows-2019 pap user1 password
authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=17158578049066 session_timeout=0 secs idle_timeout=0 secs!
Step 3: As confirmed in Step 2, the FortiGate is receiving the 'group-1' Group Membership(s). The next step is to define the user group that will be referenced in the SSL VPN (in this example).
config user group
    edit "usergroup1"
        set member "radius-windows-2019"
        config match
            edit 1
                set server-name "radius-windows-2019"
            next
        end
    next
end
Step 4: For testing, configure the SSL VPN and use 'usergroup1' in the SSL VPN authentication portal mapping and in the firewall policy.
Relevant fnbamd debug output for Class attribute verification:
lab # diagnose debug application fnbamd -1
lab # diag deb en
[431] __rad_udp_recv-Recved 99 bytes. Buf sz 8192
lab # diagnose firewall auth list
10.212.134.200, user1    <------ user-name
----- 1 listed, 0 filtered ------
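When the FortiGate does not show the expected group membership, it helps to confirm what the NPS server actually puts on the wire. The following Python example is added here and is not part of this article or of FortiOS: it decodes every Class (attribute type 25) value from a RADIUS Access-Accept and checks the packet's Response Authenticator against the shared secret, which any RADIUS client must do before trusting the reply. The packet, the shared secret and the Request Authenticator are constructed sample values; on a real network they would come from a capture of the Access-Request/Access-Accept pair between the FortiGate and the NPS server. The example also shows the general case of several Class attributes in one reply, since RFC 2865 allows the attribute to repeat.

```python
"""Decode the Class attribute(s) from a RADIUS Access-Accept and check its
Response Authenticator against the shared secret (RFC 2865 packet format)."""
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
USER_NAME = 1
FILTER_ID = 11
CLASS = 25

# Constructed sample values: a real secret and Request Authenticator come from
# the FortiGate/NPS pairing and a capture of the Access-Request.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # 16-byte Request Authenticator


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_access_accept(identifier, request_auth, attrs, secret):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attr_bytes = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attr_bytes))
    response_auth = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return header + response_auth + attr_bytes


def parse_attributes(payload):
    """Walk the TLV list, rejecting truncated or out-of-bounds attributes."""
    attrs, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[offset], payload[offset + 1]
        if alen < 2 or offset + alen > len(payload):
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, payload[offset + 2:offset + alen]))
        offset += alen
    return attrs


def verify_response_authenticator(packet, request_auth, secret):
    """True only if this Access-Accept was produced with this secret for this request."""
    header, resp_auth, attr_bytes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attr_bytes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def class_values(packet):
    """Return every Class (25) value in the reply, in order. RADIUS allows the
    attribute to repeat, so one user may carry several group names."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return [value.decode("utf-8", "replace")
            for atype, value in parse_attributes(packet[20:]) if atype == CLASS]


# Constructed Access-Accept resembling a Network Policy that sets two String
# Class attributes; Filter-Id is included to show it is a different attribute.
SAMPLE_ACCEPT = build_access_accept(
    0x2A, REQUEST_AUTHENTICATOR,
    [(USER_NAME, b"user1"), (CLASS, b"group-1"), (CLASS, b"group-2"),
     (FILTER_ID, b"not-a-class")],
    SHARED_SECRET,
)


def tampered_sample():
    """The same packet with one attribute byte flipped; verification must fail."""
    data = bytearray(SAMPLE_ACCEPT)
    data[-1] ^= 0x01
    return bytes(data)


if __name__ == "__main__":
    print("Class attribute(s):", class_values(SAMPLE_ACCEPT))
    print("authentic:", verify_response_authenticator(
        SAMPLE_ACCEPT, REQUEST_AUTHENTICATOR, SHARED_SECRET))
    print("tampered authentic:", verify_response_authenticator(
        tampered_sample(), REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

To apply this to a capture, feed the UDP payload of the Access-Accept to class_values() and the Request Authenticator from the matching Access-Request to verify_response_authenticator(); if the list is empty, the NPS Network Policy is not sending the attribute, and the FortiGate-side override setting is not the cause.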
Alternatively, Vendor Specific Attribute(s) can be used for group matching; see 'Restricting RADIUS user groups to match selective users on the RADIUS server'.
Related articles: Troubleshooting Tip: How to test FortiGate's radius user authentication to the RADIUS server
Copyright 2025 Fortinet, Inc. All Rights Reserved.