This article describes how to troubleshoot and resolve an issue where user-based policy enforcement in FortiSASE fails to work as expected due to incorrect or missing RADIUS attribute mapping on FortiAuthenticator. It outlines the problem symptoms, root cause, and the necessary configuration steps to ensure proper group-based policy application through RADIUS integration.
FortiSASE, FortiAuthenticator.
Symptom:
The RADIUS group-based SIA policy does not match. The policy works when set to 'All Users' but fails when a specific user group is selected.
In FortiSASE, the user group is created with a specific group-name attribute.
After configuring a user-group-specific policy on FortiSASE, traffic fails to pass due to a policy mismatch.
Important:
Ensure the group name attribute is correctly defined on FortiAuthenticator to enable RADIUS group-based authentication.
On the FortiAuthenticator, no RADIUS attribute was configured, resulting in the group attribute information not being sent to FortiSASE. As a result, the user group is not correctly matched.
Once the group name attribute has been set properly on the FortiAuthenticator, the user group policy will start matching properly.
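One way to confirm the root cause from a packet capture, given here as an added example that is not part of the original article or Fortinet's code: the function parses a RADIUS Access-Accept and lists the group names it carries. It assumes the group attribute is the Fortinet-Group-Name vendor-specific attribute (vendor ID 12356, type 1), which the article does not name; the group name `SASE-Users` and the sample packets are constructed.

```python
import struct

FORTINET_VENDOR_ID = 12356   # assumption: Fortinet's enterprise number
FORTINET_GROUP_NAME = 1      # assumption: Fortinet-Group-Name VSA type
ACCESS_ACCEPT = 2
VENDOR_SPECIFIC = 26

def fortinet_groups(packet: bytes) -> list[str]:
    """Return Fortinet-Group-Name values carried in a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    groups, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue
        sub = 4  # sub-attributes follow the 4-byte vendor ID
        while sub + 2 <= len(value):
            vtype, vlen = value[sub], value[sub + 1]
            if vlen < 2 or sub + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == FORTINET_GROUP_NAME:
                groups.append(value[sub + 2:sub + vlen].decode("utf-8", "replace"))
            sub += vlen
    return groups

def build_accept(group=None) -> bytes:
    """Constructed sample Access-Accept (zeroed authenticator), not a real capture."""
    attrs = b""
    if group is not None:
        g = group.encode()
        vsa = struct.pack("!IBB", FORTINET_VENDOR_ID, FORTINET_GROUP_NAME, len(g) + 2) + g
        attrs = struct.pack("!BB", VENDOR_SPECIFIC, len(vsa) + 2) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(fortinet_groups(build_accept()))              # no attribute: the failing case
    print(fortinet_groups(build_accept("SASE-Users")))  # attribute sent: group can match
```

An empty list for a successful authentication corresponds to the symptom above: the user is accepted, but no group information reaches FortiSASE, so only the 'All Users' policy can match.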
Copyright 2025 Fortinet, Inc. All Rights Reserved.