FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
dodsonj
Staff
Article Id 396580
Description: This article describes how to create and use RADIUS Dynamic User Groups in FortiNAC-F by returning User Group Attributes from FortiAuthenticator.
Scope: FortiNAC-F and FortiAuthenticator.
Solution

This article assumes that the basic configuration and integration of FortiNAC-F and FortiAuthenticator have already been performed.

FortiAuthenticator:

Under Authentication -> User Management -> User Groups, select a group, and select Edit. Under RADIUS Attributes, select Fortinet as the Vendor, select Fortinet-Group-Name as the Attribute ID, and enter a group name as the Value.
[Screenshot: labgroups.PNG]

Note: This example uses SAML Remote Auth. Server and SCIM Remote User Sync Rules to populate the FortiAuthenticator with user and group information, but it is also possible to use LDAP, for example.

Although the group name and the RADIUS attribute value are the same in this example, they do not need to match; it is done here for consistency.

Under Authentication -> RADIUS Service -> Policies, select a policy, and select Edit. Under Identity Sources, enable Filter, select the Pencil, and move the appropriate groups from Available User Groups to Chosen User Groups.

[Screenshot: identitysourcesgroups.PNG]

Connect the endpoint device to the wired or wireless network and log on with a user in one of the selected groups.

[Screenshot: tcpdumpuser.PNG]

[Screenshot: tcpdumpuser2.PNG]

Note: This example uses EAP-TLS with user certificates to authenticate the user, but it is also possible to use PEAP-MSCHAPv2 with Active Directory user accounts.

FortiNAC-F:

Under System -> Groups, verify that the RADIUS Dynamic User Group has been created. The group is created automatically when the user authenticates with the returned Fortinet-Group-Name value.

[Screenshot: radiusdynamicgroups.PNG]

Under Policy & Objects -> User/Host Profiles, select a profile, and select Edit. Under Groups, select Any Of, select the plus (+) icon, and select the RADIUS Dynamic User Group.

[Screenshot: profiledynamicgroup.PNG]

Note: A Network Access Policy, Network Access Configuration, Logical Network and Model Configuration must be configured.

Log off and log back on with the same user.

[Screenshot: tcpdumpuser.PNG]

[Screenshot: tcpdumpuser2.PNG]

Under Users & Hosts -> Hosts, locate the endpoint device and verify that the Logged On User column is populated.

[Screenshot: hostdetails.PNG]

Note: This example does not use LDAP integration; however, the Logged On User column is populated from the RADIUS User-Name attribute.

Right-click the endpoint device and select Policy Details to verify the Profile Name, Policy Name, Configuration Name and Access Value.

[Screenshot: policydetails.PNG]

Log off the endpoint device and log on with another user in one of the other selected groups.

[Screenshot: tcpdumpuser3.PNG]

[Screenshot: tcpdumpuser4.PNG]

Under Users & Hosts -> Hosts, locate the endpoint device and verify that the Logged On User column is updated.

[Screenshot: hostdetails2.PNG]

Right-click the endpoint device and select Policy Details to verify the Profile Name, Policy Name, Configuration Name and Access Value.

[Screenshot: policydetails2.PNG]

Note: RADIUS Dynamic User Groups are created, and their memberships updated, only when the user authenticates; therefore, if group membership changes, the user must log off and log on again for the appropriate Network Access Policy to be applied.
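To make the mechanism behind these steps concrete, the following is an added Python example; it is not FortiNAC-F or FortiAuthenticator code. It builds an Access-Accept carrying the User-Name attribute and the Fortinet-Group-Name vendor attribute configured in the FortiAuthenticator section, parses the attributes with the length checks a receiver should apply before trusting them, and models the behaviour described on this page: the dynamic group exists once a returned attribute names it, the host's memberships are replaced on each authentication (so a changed group only takes effect after a new logon), the User-Name value is what the Logged On User column shows, and the User/Host Profile matches with "Any Of". The vendor ID 12356 and vendor-type 1 come from the public Fortinet RADIUS dictionary and RFC 2865; the host identifiers, user names and group names are constructed, and the 16-byte authenticator is a placeholder because no Access-Request or shared secret exists offline.

```python
import secrets
import struct

# Values from RFC 2865 and the public Fortinet RADIUS dictionary (not constructed).
RADIUS_ACCESS_ACCEPT = 2
ATTR_USER_NAME, ATTR_VENDOR_SPECIFIC = 1, 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1  # vendor-type of the Fortinet-Group-Name string VSA


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def fortinet_vsa(vendor_type, value):
    """Encode a Fortinet Vendor-Specific Attribute (RFC 2865 section 5.26 layout)."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + sub)


def build_access_accept(user_name, group_names, identifier=1):
    """Constructed Access-Accept: User-Name plus one Fortinet-Group-Name per group."""
    attrs = attr(ATTR_USER_NAME, user_name.encode())
    for name in group_names:
        attrs += fortinet_vsa(FORTINET_GROUP_NAME, name.encode())
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Placeholder authenticator; the real one is MD5 over the reply and the shared secret.
    return header + secrets.token_bytes(16) + attrs


def parse_attributes(packet):
    """Yield (type, value) pairs, rejecting length fields that do not fit the packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    pos = 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 1 < len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("attribute length out of range")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen


def is_well_formed(packet):
    """True when every attribute length is consistent with the packet length."""
    try:
        list(parse_attributes(packet))
        return True
    except ValueError:
        return False


def extract_identity(packet):
    """Return (user_name, [group names]) from User-Name and Fortinet-Group-Name."""
    user_name, groups = None, []
    for atype, value in parse_attributes(packet):
        if atype == ATTR_USER_NAME:
            user_name = value.decode("utf-8", "replace")
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
                continue  # another vendor's VSA: not ours to interpret
            pos = 4  # one VSA may carry several vendor sub-attributes
            while pos + 2 <= len(value):
                vtype, vlen = value[pos], value[pos + 1]
                if vlen < 2 or pos + vlen > len(value):
                    break  # malformed sub-attribute: stop rather than misread it
                if vtype == FORTINET_GROUP_NAME:
                    groups.append(value[pos + 2:pos + vlen].decode("utf-8", "replace"))
                pos += vlen
    return user_name, groups


class DynamicGroups:
    """Model of RADIUS Dynamic User Groups: a group exists once a returned attribute
    names it, and a host's memberships are replaced on each authentication."""

    def __init__(self):
        self.members = {}  # group name -> set of host ids (hypothetical identifiers)

    def on_authenticate(self, host, access_accept):
        user_name, names = extract_identity(access_accept)
        for hosts in self.members.values():
            hosts.discard(host)  # memberships from the previous logon do not persist
        for name in names:
            self.members.setdefault(name, set()).add(host)
        return user_name, names  # user_name is what the Logged On User column shows

    def groups_for(self, host):
        return sorted(name for name, hosts in self.members.items() if host in hosts)


def profile_matches(dynamic_groups, host, any_of):
    """User/Host Profile group condition set to 'Any Of' the listed dynamic groups."""
    return any(name in any_of for name in dynamic_groups.groups_for(host))
```

Calling `DynamicGroups().on_authenticate("host-1", build_access_accept("alice", ["labgroup1"]))` returns `("alice", ["labgroup1"])`; authenticating the same host again as a user in a different group replaces the membership, which is the reason the note above requires a log off and log on after a group change. The length checks in `parse_attributes` matter because RADIUS attribute lengths are attacker-influenced only if the shared secret is weak or the path is unprotected, but a receiver should still never index past the packet on the strength of a length byte.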

 
