anoushiravan
Staff
Article Id 266588
Description

This article describes how to solve incorrect RADIUS authentication when a user is connecting to the SSL VPN.

Scope

FortiGate, FortiProxy.
Solution

The option 'Include in every user group' (CLI: 'all-usergroup') in the RADIUS server configuration makes the RADIUS server an implicit member of every user group on the FortiGate. When it is enabled unintentionally, SSL VPN users authenticated by that server match groups they were never meant to be in, and the session can be bound to the wrong group, portal and firewall policy.

 

Enable 'Include in every user group' only in the special case where every user authenticated by this RADIUS server must match all RADIUS user groups configured on the FortiGate. With the option enabled, the member lists under 'config user group' no longer restrict which groups that server's users match:

 

config user radius
    edit <name>
        set all-usergroup enable
    next
end

 

The following configuration example shows a user who connects to the SSL VPN being authenticated as a member of an SSL VPN group that, according to the group configuration on the FortiGate, should not match:

 

  • Configure the RADIUS server and enable 'Include in every user group' in the GUI, or 'all-usergroup' in the CLI:

 

config user radius
    edit "radius.server"
        set server "10.125.5.129"
        set secret <secret_key>
        set all-usergroup enable  <---------
        set nas-ip 10.125.0.203
    next
end

 

  • Create a local user of type RADIUS ('zilan', authenticated by 'radius.server') and a first user group whose only member is that local user:

 

config user local
    edit "zilan"
        set type radius
        set radius-server "radius.server"
    next
end

 

config user group
    edit "radius.users-1"  <----- This group has a single member, the local RADIUS user 'zilan'.
        set member "zilan"
    next
end

 

  • Create a second user group whose only member is the RADIUS server itself, so that any user the server authenticates matches it:

 

config user group
    edit "radius.users-2"
        set member "radius.server"
    next
end

 

  • Reference the groups in the SSL VPN settings (authentication rule) and in the SSL VPN firewall policy:

 

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "radius.users-1"  <-------------
            set portal "tunnel-access"
        next
    end
end

 

config firewall policy
    edit 4
        set name "sslvpn-out"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "radius.users-1" "radius.users-2"  <-------------
    next
end
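As an added example (not part of the original article or of FortiOS), the following Python script parses the configuration fragments above, copied into the script as a constructed sample, and models the group matching FortiOS performs for a RADIUS-authenticated user. It lets an engineer check a config backup for 'all-usergroup' and see which groups and firewall policies a given user would receive, with the option enabled and after the fix. The matching rules are a simplified model of the behaviour the debug output in this article demonstrates, and the function names are the example's own.

```python
import shlex
from typing import Any, Dict, List

# Constructed sample: the fragments of the article's FortiGate configuration that
# decide group membership. The secret is a placeholder, not a real value.
SAMPLE_CONFIG = """\
config user radius
    edit "radius.server"
        set server "10.125.5.129"
        set secret "<secret_key>"
        set all-usergroup enable
        set nas-ip 10.125.0.203
    next
end
config user local
    edit "zilan"
        set type radius
        set radius-server "radius.server"
    next
end
config user group
    edit "radius.users-1"
        set member "zilan"
    next
    edit "radius.users-2"
        set member "radius.server"
    next
end
config firewall policy
    edit 4
        set name "sslvpn-out"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set action accept
        set groups "radius.users-1" "radius.users-2"
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Any]:
    """Minimal parser for FortiOS CLI syntax: 'config' and 'edit' open a nested table,
    'set' stores a list of values, 'next' and 'end' close the current table."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=False)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def servers_with_all_usergroup(cfg: Dict[str, Any]) -> List[str]:
    """Audit check: every RADIUS server configured with 'Include in every user group'."""
    return [name for name, srv in cfg.get("user radius", {}).items()
            if srv.get("all-usergroup", ["disable"])[0] == "enable"]


def effective_groups(cfg: Dict[str, Any], user: str, server: str) -> List[str]:
    """Simplified model of FortiOS group matching for a user authenticated by `server`:
    a group matches if the server is a member, if the user is a local RADIUS-type user
    pointing at that server and is a member, or, when all-usergroup is enabled on the
    server, unconditionally (the server is an implicit member of every group)."""
    all_ug = server in servers_with_all_usergroup(cfg)
    local = cfg.get("user local", {})
    matched = []
    for gname, grp in cfg.get("user group", {}).items():
        members = grp.get("member", [])
        via_local = (user in members
                     and local.get(user, {}).get("type", [""])[0] == "radius"
                     and local.get(user, {}).get("radius-server", [""])[0] == server)
        if all_ug or server in members or via_local:
            matched.append(gname)
    return matched


def policies_granted(cfg: Dict[str, Any], groups: List[str]) -> List[str]:
    """Firewall policy IDs whose 'groups' list intersects the matched groups."""
    return [pid for pid, pol in cfg.get("firewall policy", {}).items()
            if set(pol.get("groups", [])) & set(groups)]


def disable_all_usergroup(text: str) -> str:
    """The fix from the article, applied to the configuration text."""
    return text.replace("set all-usergroup enable", "set all-usergroup disable")


if __name__ == "__main__":
    for label, text in (("as configured", SAMPLE_CONFIG),
                        ("after the fix", disable_all_usergroup(SAMPLE_CONFIG))):
        cfg = parse_fortios(text)
        print(f"{label}: servers with all-usergroup = {servers_with_all_usergroup(cfg)}")
        for user in ("sara", "zilan"):
            groups = effective_groups(cfg, user, "radius.server")
            print(f"  {user}: groups={groups} policies={policies_granted(cfg, groups)}")
```

With the sample as configured, 'sara' matches both groups although only 'radius.users-2' lists a path to her; after 'all-usergroup' is disabled she matches 'radius.users-2' alone, while 'zilan' still matches both through the local user entry and the server membership.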

 

Run the following debugging commands to see the authentication result after the user is connected to the SSL VPN:

 

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug app fnbamd -1
diagnose debug app sslvpn -1
diagnose debug enable

 

The user 'sara' is not configured as a local user on the FortiGate and, according to the configuration above, should match only the group 'radius.users-2'. The debug output, however, shows 'sara' also passing group matching for 'radius.users-1', which is wrong: that group's only member is the local RADIUS user 'zilan'. The extra match comes from 'all-usergroup', which makes 'radius.server' an implicit member of every group, and the session is then bound to 'radius.users-1':

 

Note: by FortiOS design, every group referenced in the SSL VPN firewall policy is evaluated during authentication, so both groups are checked and reported.


2023-07-31 04:26:44 [1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'radius.server' 10.125.5.129(1) is 0
2023-07-31 04:26:44 [1653] fnbam_user_auth_group_match-req id: 1543803009, server: radius.server, local auth: 0, dn match: 0
2023-07-31 04:26:44 [1622] __group_match-Group 'radius.users-1' passed group matching  <-----
2023-07-31 04:26:44 [1625] __group_match-Add matched group 'radius.users-1'(3)
2023-07-31 04:26:44 [1622] __group_match-Group 'radius.users-2' passed group matching  <-----
2023-07-31 04:26:44 [1625] __group_match-Add matched group 'radius.users-2'(4)
2023-07-31 04:26:44 [277] find_matched_usr_grps-Passed group matching
2023-07-31 04:26:44 [216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 1543803009, len=2141
2023-07-31 04:26:44 [257:root:4]fam_auth_proc_resp:1352 fnbam_auth_update_result return: 0 (success)
2023-07-31 04:26:44 [257:root:4][fam_auth_proc_resp:1451] Authenticated groups (2) by FNBAM with auth_type (2):
2023-07-31 04:26:44 [257:root:4]Received: auth_rsp_data.grp_list[0] = 3
2023-07-31 04:26:44 [257:root:4]fam_auth_proc_resp:1476 found node radius.users-1:0:, valid:1, auth:0
2023-07-31 04:26:44 [257:root:4]Validated: auth_rsp_data.grp_list[0] = radius.users-1
2023-07-31 04:26:44 [257:root:4]Received: auth_rsp_data.grp_list[1] = 4
2023-07-31 04:26:44 [257:root:4]fam_auth_proc_resp:1476 found node radius.users-2:0:, valid:1, auth:0
2023-07-31 04:26:44 [257:root:4]Validated: auth_rsp_data.grp_list[1] = radius.users-2
2023-07-31 04:26:44 [257:root:4]Auth successful for user sara in group radius.users-1  <-----
2023-07-31 04:26:44 [257:root:4]fam_do_cb:665 fnbamd return auth success.
2023-07-31 04:26:44 [257:root:4]SSL VPN login matched rule (1).
2023-07-31 04:26:44 2023-07-31 04:26:44 [789] destroy_auth_session-delete session 1543803009
2023-07-31 04:26:44 [257:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2023-07-31 04:26:44 [2383] handle_req-Rcvd 6 req
2023-07-31 04:26:44 [257:root:4]rmt_web_session_create:1209 create web session, idx[0]
[308] fnbamd_acct_start_START-Error getting radius server
2023-07-31 04:26:44 2023-07-31 04:26:44 [1446] create_acct_session-Error start acct type 6
2023-07-31 04:26:44 [2396] handle_req-Error creating acct session 6
[257:root:4]login_succeeded:536 redirect to hostcheck
2023-07-31 04:26:44 [257:root:4]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
2023-07-31 04:26:44 [257:root:4]deconstruct_session_id:709 decode session id ok, user=[sara], group=[radius.users-1],authserver=[radius.server],portal=[tunnel-access],host[10.125.5.132],realm=[],csrf_token=[<token>],idx=0,auth=2,sid=6d59d1f5,login=1690770404,access=1690770404,saml_logout_url=no,pip=no,grp_info=[QHpHzE],rmt_grp_info=[fFGbPD]
2023-07-31 04:26:44 [257:root:4]deconstruct_session_id:709 decode session id ok, user=[sara], group=[radius.users-1],authserver=[radius.server],portal=[tunnel-access],host[10.125.5.132],realm=[],csrf_token=[<token>],idx=0,auth=2,sid=6d59d1f5,login=1690770404,access=1690770404,saml_logout_url=no,pip=no,grp_info=[QHpHzE],rmt_grp_info=[fFGbPD]

 

  • List the connected SSL VPN users on the FortiGate. The user 'sara' appears with the incorrect group 'radius.users-1' in addition to 'radius.users-2':

 

get vpn ssl monitor
SSL-VPN Login Users:
 Index   User   Group                           Auth Type   Timeout   Auth-Timeout   From           HTTP in/out   HTTPS in/out   Two-factor Auth
 0       sara   radius.users-1 radius.users-2   2(1)        292       28678          10.125.5.132   0/0           0/0            0   <---------

 

SSL-VPN sessions:
 Index   User   Group                           Source IP      Duration   I/O Bytes   Tunnel/Dest IP
 0       sara   radius.users-1 radius.users-2   10.125.5.132   122        0/0         10.212.134.200
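As an added example (not part of the original article), the following Python script parses the fnbamd and sslvpn debug lines above, embedded as a constructed excerpt with the wrapped lines rejoined, and pulls out the RADIUS result, the groups that passed matching, the group the session was bound to, the matched authentication rule and the decoded session fields. It then flags any matched group that is not in an operator-supplied map of expected membership; that map is an assumption derived from the article's 'config user group', not something the debug output carries. The regular expressions are the example's own and match the line formats shown on this page.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt of the 'diagnose debug app fnbamd -1' / 'diagnose debug app sslvpn -1'
# output shown in the article (relevant lines only, wrapped lines rejoined).
DEBUG_LOG = """\
2023-07-31 04:26:44 [1385] fnbamd_auth_handle_radius_result-->Result for radius svr 'radius.server' 10.125.5.129(1) is 0
2023-07-31 04:26:44 [1653] fnbam_user_auth_group_match-req id: 1543803009, server: radius.server, local auth: 0, dn match: 0
2023-07-31 04:26:44 [1622] __group_match-Group 'radius.users-1' passed group matching
2023-07-31 04:26:44 [1625] __group_match-Add matched group 'radius.users-1'(3)
2023-07-31 04:26:44 [1622] __group_match-Group 'radius.users-2' passed group matching
2023-07-31 04:26:44 [1625] __group_match-Add matched group 'radius.users-2'(4)
2023-07-31 04:26:44 [257:root:4]Auth successful for user sara in group radius.users-1
2023-07-31 04:26:44 [257:root:4]SSL VPN login matched rule (1).
2023-07-31 04:26:44 [257:root:4]deconstruct_session_id:709 decode session id ok, user=[sara], group=[radius.users-1],authserver=[radius.server],portal=[tunnel-access],host[10.125.5.132],realm=[],csrf_token=[<token>],idx=0,auth=2,sid=6d59d1f5,login=1690770404,access=1690770404,saml_logout_url=no,pip=no,grp_info=[QHpHzE],rmt_grp_info=[fFGbPD]
"""

# Line formats as they appear in the article's debug output.
RE_SERVER = re.compile(r"Result for radius svr '([^']+)' (\S+?)\(\d+\) is (\d+)")
RE_GROUP_MATCH = re.compile(r"__group_match-Group '([^']+)' passed group matching")
RE_AUTH_OK = re.compile(r"Auth successful for user (\S+) in group (\S+)")
RE_RULE = re.compile(r"SSL VPN login matched rule \((\d+)\)")
RE_SESSION = re.compile(r"decode session id ok, (.*)$")
RE_KV = re.compile(r"(\w+)=\[([^\]]*)\]")      # key=[value] pairs in the session line
RE_HOST = re.compile(r"host\[([^\]]+)\]")       # 'host[...]' has no '=' and needs its own pattern


def parse_debug(log: str) -> Dict:
    """Extract the authentication decision from fnbamd/sslvpn debug output."""
    out = {"server": None, "server_ip": None, "radius_result": None,
           "matched_groups": [], "user": None, "selected_group": None,
           "rule": None, "session": {}}
    for line in log.splitlines():
        if (m := RE_SERVER.search(line)):
            out["server"], out["server_ip"], out["radius_result"] = m[1], m[2], int(m[3])
        elif (m := RE_GROUP_MATCH.search(line)):
            out["matched_groups"].append(m[1])
        elif (m := RE_AUTH_OK.search(line)):
            out["user"], out["selected_group"] = m[1], m[2]
        elif (m := RE_RULE.search(line)):
            out["rule"] = int(m[1])
        elif (m := RE_SESSION.search(line)) and not out["session"]:
            out["session"] = dict(RE_KV.findall(m[1]))
            if (h := RE_HOST.search(m[1])):
                out["session"]["host"] = h[1]
    return out


def unexpected_groups(parsed: Dict, expected: Dict[str, Set[str]]) -> List[str]:
    """Matched groups the user should not be in, per the operator-supplied membership map."""
    allowed = expected.get(parsed["user"] or "", set())
    return [g for g in parsed["matched_groups"] if g not in allowed]


def findings(parsed: Dict, expected: Dict[str, Set[str]]) -> List[str]:
    """Triage lines: an over-match is suspicious on its own; an over-match that became the
    session's bound group is exactly the symptom described in the article."""
    out = []
    extra = unexpected_groups(parsed, expected)
    if extra:
        out.append(f"user {parsed['user']} matched unexpected group(s): {', '.join(extra)}")
    if parsed["selected_group"] in extra:
        out.append(f"session bound to unexpected group {parsed['selected_group']} "
                   f"(portal {parsed['session'].get('portal')}, rule {parsed['rule']})")
    if parsed["radius_result"] == 0 and not parsed["matched_groups"]:
        out.append("RADIUS accepted the user but no group matched: check group membership")
    return out


# Constructed expectation: what 'config user group' in the article says each user should match.
EXPECTED = {"sara": {"radius.users-2"}, "zilan": {"radius.users-1", "radius.users-2"}}

if __name__ == "__main__":
    parsed = parse_debug(DEBUG_LOG)
    print(parsed)
    for f in findings(parsed, EXPECTED):
        print("FINDING:", f)
```

Running it against the excerpt reports that 'sara' matched the unexpected group 'radius.users-1' and that the session was bound to it; the same script can be pointed at a full debug capture to confirm that only 'radius.users-2' passes group matching once the RADIUS server setting is corrected.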

 

To resolve the issue, disable 'Include in every user group' in the RADIUS server settings so that the server is a member only of the groups that explicitly list it (here 'radius.users-2'). Note that the setting applies to every user authenticated by that server, not just SSL VPN users, so groups referenced by other firewall policies are affected in the same way. After the change, reconnect the user and repeat the debug to confirm that only 'radius.users-2' passes group matching for 'sara':

 

config user radius
    edit "radius.server"
        set all-usergroup disable
    next
end