Thanks for your reply.
That's exactly what I did, but unfortunately it is not working. I am just wondering: do I also have to have an AD group for those members? Or is that just NPS + Forti configuration, without touching AD and groups?
I tried to do AD UG (group), put a member there,
then in NPS, just allow UG, and in vendor specified UG,
then Fortigate -> Radius Group -> Specify UG,
SSID authorization WiFi_UG (that's my Radius authorization specified to UG)
So yeah, user ug123 should have access to UG_10 WiFi (because he is in UG group and NPS). It should work but it does not, that's why I am confused. I have an NPS policy just for domain users, and when I limit in Groups in Forti just to All (no group specified) it works, but it works in every SSID, and I would like to limit users->groups.