FortiGate
SimranRana
Staff
Article Id 416304
Description This article describes an issue affecting RSSO on v7.6 to v7.6.2 and the solution to implement.
Scope FortiGate, RSSO.
Solution

FortiGate supports RADIUS single sign-on (RSSO), allowing it to recognize users who have already been authenticated by an external RADIUS server. Depending on the user group assigned to each individual, FortiGate enforces the corresponding security policies and UTM (Unified Threat Management) profiles.


Rather than directly communicating with the RADIUS server, FortiGate passively listens to RADIUS accounting messages sent by the RADIUS client. These messages contain key details such as the user's IP address and group membership.

 

For more details, refer to the document "RADIUS single sign-on agent".

 

After the firewall has been upgraded to any 7.6 version up to v7.6.2, firewall policies may not be applied according to this RADIUS accounting information.

 

To verify this, collect the debug logs:

 

diagnose debug disable
diagnose debug reset
diagnose debug application fnbamd -1
diagnose debug application radiusd -1
diagnose debug enable

 

To stop debugging:

 

diagnose debug disable
diagnose debug reset

 

In the debug output, the following lines repeat multiple times:

 

unsupported vendor id 14823.
Parse error: Vendor Specific
unsupported vendor id 14823.
Parse error: Vendor Specific
unsupported vendor id 14823.


Note:

The vendor ID may vary.

 

Solution:

This is a known issue, tracked under reported ID 1136244. It occurs because the firewall expects only a certain vendor ID; when a packet is received with a different vendor ID attribute, the accounting information is not processed.

 

This issue has been resolved on v7.6.3 onwards.
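
To check which vendor IDs a RADIUS client actually sends, the following Python sketch (an added example, not Fortinet code) parses a captured Accounting-Request per RFC 2865/2866 and lists the Vendor-Specific vendor IDs that fall outside an expected set, the condition behind the "unsupported vendor id" debug lines. The expected set used here ({12356}, Fortinet's IANA enterprise number) and the sample packet are assumptions constructed for illustration; the article does not state which vendor ID the affected builds expect.

```python
import socket
import struct

# RADIUS code for Accounting-Request (RFC 2866) and attribute types (RFC 2865)
ACCOUNTING_REQUEST, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 4, 8, 26


def parse_accounting(packet):
    """Return the Framed-IP-Address and the Vendor-Id of every Vendor-Specific attribute."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured data")
    result = {"framed_ip": None, "vendor_ids": []}
    pos = 20  # attributes start after code, id, length and the 16-byte authenticator
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            result["framed_ip"] = socket.inet_ntoa(value)
        elif atype == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("Vendor-Specific attribute without a Vendor-Id")
            result["vendor_ids"].append(struct.unpack("!I", value[:4])[0])
        pos += alen
    return result


def unexpected_vendors(packet, expected):
    """Vendor IDs present in the packet but absent from the expected set."""
    return sorted(set(parse_accounting(packet)["vendor_ids"]) - set(expected))


def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


# Constructed sample: one client IP and two Vendor-Specific attributes (vendor IDs 14823 and 12356).
# The authenticator is all zeros and is not validated here.
_ATTRS = (_attr(FRAMED_IP_ADDRESS, socket.inet_aton("192.0.2.10"))
          + _attr(VENDOR_SPECIFIC, struct.pack("!I", 14823) + _attr(1, b"staff"))
          + _attr(VENDOR_SPECIFIC, struct.pack("!I", 12356) + _attr(1, b"staff")))
SAMPLE = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(_ATTRS)) + bytes(16) + _ATTRS

if __name__ == "__main__":
    print(parse_accounting(SAMPLE))
    print("not in expected set:", unexpected_vendors(SAMPLE, {12356}))
```
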

 

Related document:

Resolved issues