FortiGate
ksivadas
Staff
Article Id 406818
Description

This article addresses a known issue with a WPA2-Enterprise SSID that uses RADIUS authentication. The FortiGate (acting as the WiFi controller) can receive multiple Fortinet-Group-Name attributes from the RADIUS server and tries to create a Wireless Single Sign-On (WSSO) firewall authentication session carrying all of the groups provided. However, if the first group in the list does not exist on the FortiGate, the WSSO firewall authentication session is not created, even if the remaining groups are valid.
Scope

FortiGate v7.4.7, v7.6.2 and earlier. WPA2-Enterprise tunnel SSID using RADIUS authentication.

Solution

When the WiFi controller receives multiple Fortinet-Group-Name attributes from the RADIUS server, it processes them in the order received. In v7.4.7, v7.6.2 and earlier, the FortiGate expects every group to exist as a local user group (config user group): if the first group in the list (for example, 'Group1') is not found in the configuration, no groups at all are added to the user's authentication information.

This results in failed WSSO firewall authentication even though the user is a member of valid groups listed later in the attributes, so a firewall policy that references one of those groups never matches the client's traffic. Consider the following example scenario and configuration:

Example Configuration:

Wireless controller configuration:

config wireless-controller vap
    edit 'wifi3'
        set ssid 'CORP_Staff'
        set security wpa2-only-enterprise
        set auth radius
        set radius-server 'fac'
        set schedule 'always'
    next
end

User on RADIUS server with attributes:

  • Fortinet-Group-Name: Group1
  • Fortinet-Group-Name: Group2

FortiGate user group:

config user group
    edit 'Group2'
        set member 'fac'
        config match
            edit 1
                set server-name "fac"
                set group-name "Group2"
            next
        end
    next
end

Firewall policy allowing Group2:

config firewall policy
    edit 3
        set name 'wsso'
        set srcintf 'wifi3'
        set dstintf 'wan1'
        set action accept
        set srcaddr 'all'
        set dstaddr 'all'
        set schedule 'always'
        set service 'ALL'
        set nat enable
        set groups 'Group2'
    next
end


After a client connects, the station list records Group1 (the first attribute received), but because Group1 does not exist as a local user group on the FortiGate, no WSSO firewall authentication session carrying the user's groups is created. The only entry for test1 in the firewall authentication list below shows no group, so it cannot match the policy that requires Group2:

diagnose wireless-controller wlac -d sta online
vf=0 mpId=5 wtp=3 rId=2 wlan=wifi3 vlan_id=0 ip=10.10.10.10 ip6=:: mac=02:1A:2B:3C:4D:5E vci= host=WiFi-Client-2 user=test1 group=Group1 signal=-25 noise=-95 idle=10 bw=1 use=5 chan=149 radio_type=11AX_5G security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2

diagnose firewall auth list
10.10.10.10, test1
type: other, id: 0, duration: 6, idled: 6
flag(10): radius
server: fac
packets: in 0 out 2, bytes: in 0 out 766
----- 1 listed, 0 filtered ------ 

The expected behaviour is for the firewall authentication session to be created with every group from the RADIUS attributes that matches a local user group, irrespective of the attribute order. To resolve this issue, make one of the following changes:

  1. Add all missing user groups to the FortiGate configuration so that WSSO can match every received Fortinet-Group-Name attribute. A group that no firewall policy references grants no access by itself, so defining it only satisfies the lookup.
  2. Upgrade the FortiGate firmware to v7.4.8, v7.6.3, or later. In these versions the WSSO firewall authentication session is created with all valid groups present in the RADIUS attributes, regardless of their order. For reference, see Issue 1114144 in the FortiOS Release Notes.
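The group lookup described above and the corrected behaviour in v7.4.8/v7.6.3, as an added example in Python that is not part of this article or of FortiOS. It encodes two Fortinet-Group-Name attributes the way a RADIUS server places them in an Access-Accept (Vendor-Specific attribute 26, Vendor-Id 12356, vendor type 1, per the public Fortinet RADIUS dictionary), decodes them in wire order, and then applies two models of the lookup against the local user groups: an order-dependent one that stops at the first name that is not a local group (the article documents only the case where that is the first attribute) and the corrected one that keeps every locally defined group. The function names and the "stop at the first missing group" rule are assumptions for illustration, not the firmware's implementation.

```python
"""Model of the WSSO group lookup described in this article (added example,
not FortiOS code). The attribute layout follows the Fortinet RADIUS
dictionary; the two matching functions are models of the article's text."""
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type
FORTINET_VENDOR_ID = 12356    # Vendor-Id used by the Fortinet dictionary
FORTINET_GROUP_NAME = 1       # vendor type of Fortinet-Group-Name (string)


def encode_fortinet_group_name(group):
    """Build one Vendor-Specific attribute carrying a Fortinet-Group-Name."""
    value = group.encode()
    vendor_data = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_data
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_group_names(attributes):
    """Return Fortinet-Group-Name values from a RADIUS attribute list, in wire order.

    Other attributes are skipped; a bad length aborts the parse so a truncated
    or crafted packet cannot make the loop spin or read past the buffer."""
    groups = []
    pos = 0
    while pos + 2 <= len(attributes):
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("malformed RADIUS attribute length")
        if attr_type == VENDOR_SPECIFIC and attr_len >= 8:
            vendor_id = struct.unpack("!I", attributes[pos + 2:pos + 6])[0]
            if vendor_id == FORTINET_VENDOR_ID:
                vpos, end = pos + 6, pos + attr_len
                while vpos + 2 <= end:
                    vtype, vlen = attributes[vpos], attributes[vpos + 1]
                    if vlen < 2 or vpos + vlen > end:
                        raise ValueError("malformed vendor attribute length")
                    if vtype == FORTINET_GROUP_NAME:
                        groups.append(attributes[vpos + 2:vpos + vlen].decode())
                    vpos += vlen
        pos += attr_len
    return groups


def legacy_wsso_groups(radius_groups, local_groups):
    """Model (assumption) of v7.4.7/v7.6.2 and earlier: walk the attributes in
    order and stop at the first name that is not a local user group. When that
    is the first attribute, the session gets no groups at all."""
    matched = []
    for name in radius_groups:
        if name not in local_groups:
            break
        matched.append(name)
    return matched


def fixed_wsso_groups(radius_groups, local_groups):
    """Model of v7.4.8/v7.6.3 and later: every locally defined group matches,
    whatever its position in the attribute list."""
    return [name for name in radius_groups if name in local_groups]


def policy_matches(session_groups, policy_groups):
    """A group-based firewall policy matches when the session carries any listed group."""
    return any(g in policy_groups for g in session_groups)


# Constructed Access-Accept attribute list for the article's 'test1' user:
# Fortinet-Group-Name: Group1, then Fortinet-Group-Name: Group2.
ACCESS_ACCEPT_ATTRS = (
    encode_fortinet_group_name("Group1") + encode_fortinet_group_name("Group2")
)
LOCAL_USER_GROUPS = {"Group2"}   # only Group2 exists under 'config user group'
POLICY_GROUPS = ["Group2"]       # 'set groups Group2' on the wsso policy


def demo():
    """Run both models against the article's scenario and return the outcome."""
    radius_groups = decode_group_names(ACCESS_ACCEPT_ATTRS)
    legacy = legacy_wsso_groups(radius_groups, LOCAL_USER_GROUPS)
    fixed = fixed_wsso_groups(radius_groups, LOCAL_USER_GROUPS)
    return {
        "radius_groups": radius_groups,
        "legacy_session_groups": legacy,
        "legacy_policy_match": policy_matches(legacy, POLICY_GROUPS),
        "fixed_session_groups": fixed,
        "fixed_policy_match": policy_matches(fixed, POLICY_GROUPS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Swapping the attribute order (Group2 first) makes the legacy model succeed, which is why the article's first workaround of defining the missing group is order-independent while relying on the RADIUS server's attribute order is not.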