Article Id 206488
Description This article describes how to troubleshoot SSL-VPN logins that fail with [sslvpn_login_no_matching_policy] when users authenticate against a RADIUS server with MFA.
Scope FortiOS (all versions).

When users attempt to connect to the SSL-VPN with FortiClient using two-factor authentication, specifically through Microsoft Azure MFA, the connection is rejected with an SSL-VPN login error even though the credentials and the second factor are accepted by the RADIUS server.

In order to troubleshoot and narrow down this issue, follow these steps:


1) Collect debug logs from the SSL-VPN daemon and the authentication daemon (fnbamd) while reproducing the login:


# diag debug app sslvpn -1
# diag debug app fnbamd -1
# diag debug enable

Disable debugging afterwards with 'diag debug disable' and 'diag debug reset'.


2) Check the debug output for the following error:


[221:root:38e1]login_failed:388 user[syd0-NPS-test01],auth_type=1 failed [sslvpn_login_no_matching_policy]


3) This error means that the RADIUS server accepted the credentials (including the MFA step), but the FortiGate could not place the user in any user group that is referenced by an SSL-VPN portal mapping or firewall policy, so the login has no matching policy.

This typically happens when the RADIUS Vendor-Specific Attribute (VSA) returned in the Access-Accept packet is missing, carries the wrong vendor ID, or carries a group name that is not what the FortiGate expects. Correct the value on the RADIUS server so that it matches the group name configured on the FortiGate exactly (the comparison is case sensitive).


FortiGate matches users to RADIUS-backed user groups on the RADIUS AVP Fortinet-Group-Name (Vendor-Specific attribute 26, Fortinet vendor ID 12356, vendor attribute 1, string). The expected value is the 'group-name' configured under 'config match' in the user group.


This is what the transaction will look like:




4) Note that some RADIUS servers, such as FortiAuthenticator, can return RADIUS attributes on a per-user or per-group basis.

Either each user has its own AVP configured, or the user is a member of a group on the RADIUS server and inherits the group's AVP when authentication succeeds. In both cases, the value that reaches the FortiGate must be the group name configured on the FortiGate.


5) Make sure the VSA is defined correctly on the RADIUS server. On Microsoft NPS, add a Vendor-Specific attribute to the network policy with vendor code 12356 (Fortinet), 'Yes, it conforms' to the RADIUS RFC, vendor-assigned attribute number 1, attribute format String, and the FortiGate group name as the value.


6) If the packet capture and the debug output show the correct Fortinet-Group-Name value in the Access-Accept and the login still fails, open a ticket with the TAC team.
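The following Python script is an added example and is not part of the original article or of any Fortinet code. It reproduces the group-matching decision described in steps 3 to 5: it decodes the Vendor-Specific attributes of a RADIUS Access-Accept, keeps only Fortinet-Group-Name (vendor 12356, attribute 1), reads the expected 'group-name' values from the 'config match' block of a FortiGate 'config user group' snippet, and explains why a login would end in [sslvpn_login_no_matching_policy]. The configuration snippet, the server name "NPS-RADIUS", the group names and the Access-Accept byte strings are all constructed for the example.

```python
import re
import struct

# RFC 2865 Vendor-Specific attribute and the Fortinet VSA the FortiGate matches groups on.
ATTR_VENDOR_SPECIFIC = 26
ATTR_CLASS = 25                 # used only to show that unrelated attributes are skipped
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1         # Fortinet-Group-Name, string


def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type 26, length, vendor ID, then (vendor-type, vendor-length, value)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def parse_attributes(payload):
    """Yield (type, value) for a RADIUS attribute list (the bytes after the 20-byte packet header)."""
    i = 0
    while i < len(payload):
        t, ln = payload[i], payload[i + 1]
        if ln < 2 or i + ln > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield t, payload[i + 2:i + ln]
        i += ln


def fortinet_group_names(payload):
    """Return every Fortinet-Group-Name value in the attribute list; VSAs of other vendors are ignored."""
    names = []
    for t, v in parse_attributes(payload):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != FORTINET_VENDOR_ID:
            continue                      # e.g. a Microsoft (311) VSA: the FortiGate does not match on it
        j = 4
        while j + 2 <= len(v):            # walk the vendor sub-attributes (type, length, value)
            vt, vl = v[j], v[j + 1]
            if vl < 2 or j + vl > len(v):
                break
            if vt == FORTINET_GROUP_NAME:
                names.append(v[j + 2:j + vl].decode("utf-8", "replace"))
            j += vl
    return names


def configured_match_groups(config_text):
    """Return {user group: [group-name, ...]} from 'config match' under 'config user group'.
    A RADIUS-backed group with no match entries admits every user the server authenticates."""
    groups, stack = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config ") or line.startswith("edit "):
            stack.append(line)
            if stack[0] == "config user group" and len(stack) == 2:
                groups.setdefault(line[5:].strip('"'), [])
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif (line.startswith("set group-name ") and len(stack) >= 4
              and stack[0] == "config user group" and stack[2] == "config match"):
            groups[stack[1][5:].strip('"')].append(line.split(None, 2)[2].strip('"'))
    return groups


def diagnose(accept_attrs, config_text):
    """Reproduce the FortiGate group-matching decision and explain a [sslvpn_login_no_matching_policy]."""
    received = fortinet_group_names(accept_attrs)
    wanted = configured_match_groups(config_text)
    matched = sorted(ug for ug, names in wanted.items() if any(n in received for n in names))
    if matched:
        return {"result": "match", "user_groups": matched, "received": received}
    # The classic mistake from the article: right name, wrong case (the match is case sensitive).
    case_only = sorted({(r, n) for r in received for names in wanted.values()
                        for n in names if r != n and r.lower() == n.lower()})
    reason = ("no Fortinet-Group-Name VSA (vendor 12356, attribute 1) in Access-Accept"
              if not received else "Fortinet-Group-Name does not match any 'config match' group-name")
    return {"result": "sslvpn_login_no_matching_policy", "reason": reason,
            "received": received, "case_only_mismatch": case_only}


# Constructed FortiGate configuration (not from the article): the user group only admits
# users whose Fortinet-Group-Name is exactly "SSLVPN-Users".
SAMPLE_CONFIG = """
config user radius
    edit "NPS-RADIUS"
        set server "10.0.0.5"
    next
end
config user group
    edit "sslvpn-users"
        set member "NPS-RADIUS"
        config match
            edit 1
                set server-name "NPS-RADIUS"
                set group-name "SSLVPN-Users"
            next
        end
    next
end
"""

# Constructed Access-Accept attribute lists (RADIUS header omitted).
GOOD_ACCEPT = (struct.pack("!BB", ATTR_CLASS, 6) + b"abcd"
               + build_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"SSLVPN-Users"))
BAD_CASE_ACCEPT = build_vsa(FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, b"sslvpn-users")  # wrong case
WRONG_VENDOR_ACCEPT = build_vsa(311, 1, b"SSLVPN-Users")                               # Microsoft vendor ID

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_ACCEPT), ("wrong case", BAD_CASE_ACCEPT), ("wrong vendor", WRONG_VENDOR_ACCEPT)):
        print(label, diagnose(pkt, SAMPLE_CONFIG))
```

Against a real environment, feed diagnose() the attribute bytes of the captured Access-Accept (everything after the 20-byte RADIUS header) and the output of 'show user group'. Note the caveat encoded in configured_match_groups(): a user group whose member is the RADIUS server but which has no 'config match' entries admits every user that server authenticates, so the VSA only matters once match entries are configured.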


Reference link below: