Description | This article describes why a user becomes a member of every user group after a successful authentication, even if the user belongs to only a single user group on the authentication server. |
Scope | FortiGate. |
Solution |
The issue only occurs when a captive portal is configured. The captive portal is set to require authentication before web resources can be accessed and to limit access to members of specific user groups.
In this case, multiple user groups are configured to authenticate and have access.
After authenticating, the user is listed under every user group in the FortiGate Dashboard under Firewall User Monitor. As shown in the picture below, the user(s) are successfully authenticated and appear in every user group, although the user is a member of only one user group, the Alumni Association group.
The authentication debug commands show why the user, once authenticated, becomes a member of all user groups.
FGT# diagnose debug enable
FGT# diagnose debug application fnbamd 255
The debug output below shows that the user is authenticated through the RADIUS server and that all_usergroup is enabled.
In the RADIUS settings, if 'Include in every user group' is enabled (as indicated in the red box below), the user will authenticate and be part of all the user groups. Disabling this option will allow the user to be part of its specified user group.
|
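The same check can be run offline against a configuration backup. The script below is an added example, not Fortinet's code: it assumes the GUI option 'Include in every user group' is stored as `set all-usergroup enable` under `config user radius`, and the sample configuration, server names and addresses are constructed.

```python
import re

# Constructed sample backup (server names and addresses are made up).
SAMPLE_CONFIG = """\
config user radius
    edit "campus-radius"
        set server "192.0.2.10"
        set all-usergroup enable
    next
    edit "guest-radius"
        set server "192.0.2.20"
        set all-usergroup disable
    next
    edit "lab-radius"
        set server "192.0.2.30"
    next
end
config user group
    edit "Alumni Association"
        set member "campus-radius"
    next
end
"""

def radius_in_every_group(config_text):
    """Return RADIUS server entries whose users land in every user group."""
    flagged = []
    stack = []    # open "config ..." sections, innermost last (handles VDOM nesting)
    entry = None  # name of the current "edit" entry under "config user radius"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line == "end":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "user radius":
            m = re.match(r'edit\s+"?([^"]+)"?$', line)
            if m:
                entry = m.group(1)
            elif line == "next":
                entry = None
            elif entry and line == "set all-usergroup enable":
                flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for name in radius_in_every_group(SAMPLE_CONFIG):
        print(f"{name}: 'Include in every user group' is enabled")
```

A server with no `all-usergroup` line is treated as disabled, so only explicitly enabled entries are reported.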
Copyright 2025 Fortinet, Inc. All Rights Reserved.