Steps on NPS Server:

Define the 'Class' Attribute on the Network Policies in Windows NPS Server.
Reference picture:

Steps on FortiGate Firewall:

Step 1: Enable class attribute override under Radius configuration using CLI.

config user radius

    edit "radius-windows-2019"

        set server "192.168.1.200"
        set secret ENC WY0cw6l7yzf1numn1WIEv6H4aaMXmySak+NfqVrxD0qTx1WijuQZJ
        set group-override-attr-type class <-------

    next

end

Note: It is important to enable override, otherwise class attribute is ignored and FortiGate will not show Group Membership(s) in Step 2.

Step 2: Using FortiGate CLI, confirm if FortiGate is receiving Group Membership(s) from the NPS server.

lab # diagnose test authserver radius radius-windows-2019 pap user1 password

authenticate 'user1' against 'pap' succeeded, server=primary assigned_rad_session_id=17158578049066 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - group-1

Step 3: As confirmed in Step 2 FortiGate is receiving the 'group-1' Group Membership(s), next step is to define the user-group for reference in SSL VPN (in this example).

config user group

    edit "usergroup1"

        set member "radius-windows-2019"

            config match

                edit 1

                    set server-name "radius-windows-2019"
                    set group-name "group-1" <-----------

                next

            end

    next

end

Step 4: For testing, configure SSL VPN and use this 'usergroup1' in the SSL VPN Authentication Portal and the Firewall Policy.

Interesting fnbamd debug for class attribute verification:

lab # diagnose debug application fnbamd -1

lab # diag deb en
.
truncated
.

[431] __rad_udp_recv-Recved 99 bytes. Buf sz 8192
[1216] fnbamd_rad_validate_pkt-RADIUS resp code 2
[912] __rad_rxtx-
[1286] fnbamd_rad_process-Result from radius svr 'radius-windows-2019' is 0, req 17652505976835
[487] fnbamd_rad_get_vsas-Override group attr, type 25, val group-1 <<------- received group membership from Radius Server
[1485] fnbamd_rad_process-Challenged: 0, FTK_Challenge: 0, CHG_PWD: 0, Invaid_Digest: 0, State_Len: 0
[627] fnbam_user_auth_group_match-req id: 17652505976835, server: radius-windows-2019, local auth: 0, dn match: 0
[581] __group_match-Check if radius-windows-2019 is a group member
[587] __group_match-Group 'usergroup1' passed group matching
[590] __group_match-Add matched group 'usergroup1'(2) <<------- Group matching completed.
[206] find_matched_usr_grps-Passed group matching
[909] update_auth_token_session-config does not require 2fa
[239] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 17652505976835, len=2663
.
truncated
.

Once connected successfully to the SSL VPN, confirm the authentication details using the CLI:

lab # diagnose firewall auth list

10.212.134.200, user1 <------ user-name.
type: fw, id: 0, duration: 36, idled: 9
expire: 28790, allow-idle: 28799
flag(80): sslvpn
server: radius-windows-2019 <------ RADIUS server.
packets: in 625 out 355, bytes: in 723124 out 30737
group_id: 2
group_name: usergroup1 <------ user-group name.

----- 1 listed, 0 filtered ------

Alternatively, Vendor Specific Attribute(s) can be used for Group Matching: Restricting RADIUS user groups to match selective users on the RADIUS server.

Related articles:

Technical Tip: Authentication, Remote server group match of user group configuration with RADIUS ser...

Troubleshooting Tip: How to test FortiGate's radius user authentication to the RADIUS server