FortiSwitch
sachitdas_FTNT
Article Id 398203
Description: This article describes the process of application debugging to determine when 802.1x authentication fails.
Scope: FortiSwitch 7.x and above.
Solution:

Refer to the following configuration on the FortiSwitch port:

config switch interface
    edit "port5"
        set native-vlan 3
        set security-groups "MAB"
        config port-security
            set port-security-mode 802.1X-mac-based
        end
    next
end

config user group
    edit "MAB"
        set member "RADIUS_Server"
        config match
            edit 1
                set server-name "RADIUS_Server"
                set group-name "MAB"
            next
        end
    next
end

config user radius
    edit "RADIUS_Server"
        set nas-ip x.x.x.x
        set server y.y.y.y
    next
end

Run the following application debug on the FortiSwitch and connect the client to the switchport:

diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable

Even when the RADIUS server returns ACCESS_ACCEPT, the client still fails authorization if group matching fails:

2025-06-24 15:03:04 fnbamd_radius.c[2289] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_ACCEPT
2025-06-24 15:03:04 fnbamd_auth.c[2466] fnbamd_auth_handle_radius_result-->Result for radius svr 10.162.10.5(0) is FNBAM_SUCCESS
2025-06-24 15:03:04 fnbamd_auth.c[2479] fnbamd_auth_handle_radius_result-Failed group matching
2025-06-24 15:03:04 fnbamd_comm.c[212] fnbamd_comm_send_result-Sending result FNBAM_DENIED for req 65405137 len 0 class 57:57 filter 0:0

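This indicates that the vendor-specific attribute (VSA, RADIUS AVP type 26) is not configured on the RADIUS server, so the Access-Accept contains no group name to match against the group-name "MAB" set in the user group's match entry.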
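
The following Python parser is an added example, not part of the original article or of Fortinet's tooling. It scans saved fnbamd debug output for the sequence shown above (ACCESS_ACCEPT, then "Failed group matching", then FNBAM_DENIED). SAMPLE_DENIED is the output quoted above, SAMPLE_OK is a constructed variant for contrast, and the function name and cause labels are hypothetical.

```python
import re

# SAMPLE_DENIED is the debug output quoted in the article above.
SAMPLE_DENIED = """\
2025-06-24 15:03:04 fnbamd_radius.c[2289] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_ACCEPT
2025-06-24 15:03:04 fnbamd_auth.c[2466] fnbamd_auth_handle_radius_result-->Result for radius svr 10.162.10.5(0) is FNBAM_SUCCESS
2025-06-24 15:03:04 fnbamd_auth.c[2479] fnbamd_auth_handle_radius_result-Failed group matching
2025-06-24 15:03:04 fnbamd_comm.c[212] fnbamd_comm_send_result-Sending result FNBAM_DENIED for req 65405137 len 0 class 57:57 filter 0:0
"""
# SAMPLE_OK is constructed for contrast (not captured from a device): same
# format, no group-matching failure, different final result and request id.
SAMPLE_OK = """\
2025-06-24 15:07:41 fnbamd_radius.c[2289] fnbamd_radius_auth_validate_pkt-RADIUS resp code ACCESS_ACCEPT
2025-06-24 15:07:41 fnbamd_comm.c[212] fnbamd_comm_send_result-Sending result FNBAM_SUCCESS for req 65405138 len 0 class 57:57 filter 0:0
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+\[\d+\] (.*)$")
CODE_RE = re.compile(r"RADIUS resp code (\S+)")
RESULT_RE = re.compile(r"Sending result (\S+) for req (\d+)")

def diagnose(text):
    # Assumption: requests are not interleaved, because only the final line
    # carries the request id; per-request state is reset after each result.
    findings, radius_code, group_failed = [], None, False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines or output in another format
        ts, msg = m.groups()
        if c := CODE_RE.search(msg):
            radius_code = c.group(1)
        elif "Failed group matching" in msg:
            group_failed = True
        elif r := RESULT_RE.search(msg):
            result, req = r.groups()
            if result != "FNBAM_DENIED":
                cause = "not-denied"
            elif radius_code == "ACCESS_ACCEPT" and group_failed:
                cause = "accept-but-group-match-failed"  # check the VSA on the server
            else:
                cause = "denied-other"
            findings.append({"time": ts, "req": req, "radius": radius_code,
                             "result": result, "cause": cause})
            radius_code, group_failed = None, False
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DENIED + SAMPLE_OK):
        print(finding)
```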

 

Related articles:

Troubleshooting Tip: Configure and troubleshoot 802.1x authentication on a Managed FortiSwitch

Appendix B: Supported attributes for RADIUS CoA and RSSO - FortiSwitch administration guide

Port security - FortiSwitch 7.6.2 administration guide