Let user consider User A (Test-tunnel) to only access the tunnel mode of the SSL VPN and User B (Test-webmode) to access web mode only on the unit.

First, create a User group for RADIUS in the unit with a specific RADIUS group name in the group. 

To configure the setup on GUI, go to User & Authentication -> User Group, select 'Create New+'.

The RADIUS server would be mapped in the remote group, and press the specific button to add the RADIUS group attribute to it.

A screenshot has been attached for reference for the GUI.

Find the configuration below to be performed from the CLI.

Tunnel mode:

config user group
    edit "Test-rad-tunnel"
        set member "10.100.4.117"
            config match
                edit 1
                    set server-name "10.100.4.117"
                    set group-name "Test-tunnel"
    next
end

Web mode:

config user group

    edit "Test-rad-webmode"
        set member "10.100.4.117"
            config match
                edit 1
                    set server-name "10.100.4.117"
                    set group-name "Test-webmode"
    next
end

Then, assign the user group to the appropriate SSL VPN profile in the authentication rule in the firewall policy.

To configure that on GUI, go to VPN-> SSL-VPN setting -> Authentication/Portal Mapping, select 'Create New'.

A dropdown menu will appear to select the required SSL VPN profile and User group.

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "Test-rad-tunnel"
            set portal "tunnel-access"

        next
        edit 2
            set groups "Test-rad-webmode"
            set portal "web-access"
    next
end 

The RADIUS server must be able to send the group-name attribute to the unit.

Only then, the unit be able to filter the correct user group and assign the correct SSL VPN profile to the user for access.

It is possible to collect pcap's from the firewall to verify if the server is sending the required RADIUS attribute.

To perform that, go to Network -> Packet Capture, selectCreate and set the port 1812 to filter Radius packets.

Below is the screenshot of PCAP output where the Group name attribute is sent to the firewall:

To troubleshoot the issue on the unit for this, use the following command:

diagnose debug reset

diagnose debug application fnbamd -1

diagnose debug application sslvpn -1 
diagnose debug enable 

To stop the debugs, use the following commands:

diagnose debug reset

diagnose debug disable

Find a sample output for successful authentication for SSL VPN below:

[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val Test-tunnel
[1383] fnbamd_auth_handle_radius_result-->Result for radius svr '10.100.4.117' 10.100.4.117(1) is 0
[1653] fnbam_user_auth_group_match-req id: 1524376797, server: 10.100.4.117, local auth: 0, dn match: 0
[1622] __group_match-Group 'Test-rad-tunnel' passed group matching
[1625] __group_match-Add matched group 'Test-rad-tunnel'(2)
[277] find_matched_usr_grps-Passed group matching

[3409:root:16]deconstruct_session_id:709 decode session id ok, user=[test-tunnel], group=[Test-rad-tunnel],authserver=[10.100.4.117],portal=[tunnel-access],host[10.32.76.92],realm=[],csrf_token=[CECD4391B576F76D9957B963C6F8B78],idx=1,auth=2,sid=58ec7ff5,login=1659091670,access=1659091670,

saml_logout_url=no,pip=10.32.76.92,grp_info=[
SCGF9Y],rmt_grp_info=[em4f4W]

Related documents:
Troubleshooting Tip: Packet Capture on FortiOS GUI

Configuring the SSL VPN tunnel