FortiGate
nkorea (Staff)
Article Id 406817
Description

This article describes a known issue with a WPA2-Enterprise tunnel SSID using RADIUS authentication, where the groups of Wi-Fi clients are not retained after roaming to a different FortiAP.
Scope

FortiGate 7.4, v7.6.3 and earlier. WPA2-Enterprise tunnel SSID using RADIUS authentication.

Solution

When a user connects to a different AP using WPA2-Enterprise with RADIUS authentication, most of the groups assigned to the user are not retained. Only one of the user's groups is kept, which may result in incorrect access control depending on the firewall policy configuration.

For an example configuration affected by this issue, refer to the FortiAP Configuration Guide | Configuring WiFi with WSSO.

Example diagnostic output after initial connection:
diagnose firewall auth list

10.0.0.10, nkor1
type: wsso, id: 0, duration: 69, idled: 0
expire: 300, allow-idle: 300
flag(110): radius wsso
server: ftntlab
packets: in 155 out 211, bytes: in 57235 out 14299
group_id: 2 3 6 7
group_name: Group1 Group2 Group3 Group4


10.0.0.10, nkor1
type: other, id: 0, duration: 69, idled: 69
flag(10): radius
server: ftntlab
packets: in 0 out 0, bytes: in 0 out 0

----- 2 listed, 0 filtered ------
After the client roams and connects to another AP, the firewall user list shows only one group:
diagnose firewall auth list

10.0.0.10, nkor1
type: wsso, id: 0, duration: 6, idled: 6
expire: 294, allow-idle: 300
flag(110): radius wsso
server: ftntlab
packets: in 0 out 36, bytes: in 0 out 2305
group_id: 2
group_name: Group1


10.0.0.10, nkor1
type: other, id: 0, duration: 6, idled: 6
flag(10): radius
server: ftntlab
packets: in 0 out 0, bytes: in 0 out 0
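
To check whether a FortiGate is affected, the two snapshots above can be compared mechanically. The following Python script is an added example (not a Fortinet tool): it parses 'diagnose firewall auth list' output in the format shown in this article, keeps only the WSSO entries, and reports any user whose group list shrank between a capture taken before the roam and one taken after it. The sample captures are constructed from the output quoted above.

```python
import re

# Constructed sample: the two 'diagnose firewall auth list' snapshots quoted in this
# article, captured before and after the client roamed to a second FortiAP.
BEFORE_ROAM = """\
10.0.0.10, nkor1
type: wsso, id: 0, duration: 69, idled: 0
group_id: 2 3 6 7
group_name: Group1 Group2 Group3 Group4

10.0.0.10, nkor1
type: other, id: 0, duration: 69, idled: 69

----- 2 listed, 0 filtered ------
"""
AFTER_ROAM = """\
10.0.0.10, nkor1
type: wsso, id: 0, duration: 6, idled: 6
group_id: 2
group_name: Group1

10.0.0.10, nkor1
type: other, id: 0, duration: 6, idled: 6
"""

# An entry starts with "<ip>, <user>"; the "----- N listed" trailer does not match.
HEADER = re.compile(r"^(\d+\.\d+\.\d+\.\d+), (\S+)$")

def parse_wsso_groups(output):
    """Map (ip, user) -> set of group names for every 'type: wsso' entry."""
    groups, key, is_wsso = {}, None, False
    for line in output.splitlines():
        m = HEADER.match(line.strip())
        if m:
            key, is_wsso = (m.group(1), m.group(2)), False
        elif line.startswith("type:"):
            is_wsso = "type: wsso" in line   # skip 'type: other' entries
        elif line.startswith("group_name:") and is_wsso and key:
            groups[key] = set(line.split(":", 1)[1].split())
    return groups

def lost_groups(before, after):
    """Return {(ip, user): sorted groups present before the roam but missing after}."""
    b, a = parse_wsso_groups(before), parse_wsso_groups(after)
    return {k: sorted(v - a[k]) for k, v in b.items() if k in a and v - a[k]}

if __name__ == "__main__":
    for (ip, user), missing in lost_groups(BEFORE_ROAM, AFTER_ROAM).items():
        print(f"{user}@{ip} lost groups after roaming: {' '.join(missing)}")
```

Run it against two real captures (before and after a client roams) to confirm the symptom on a given unit; an empty result means every WSSO entry kept its full group list.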
Workaround:
Configure policies on a remote RADIUS server to return only the most relevant group, depending on the user and access method.
Resolution:

This issue is scheduled to be fixed in the upcoming v7.6.4.

Related document:

FortiAP Configuration Guide | WiFi Single Sign On