We are using RADIUS authentication with 2 different user groups set on the server. Firewall groups configured on the FortiGate side are set to use the very same RADIUS server but different groups on that server. Fortinet RADIUS VSAs are imported to IAS, so when responding to an authentication request for a user, the RADIUS server correctly specifies the group name the user belongs to.
The problem is that while authenticating a user, the firewall disregards the group name reported by the RADIUS server back to the firewall and only looks at whether it was "successful" or "failed". As a result, users are successfully authenticated regardless of which group they are a member of on the firewall if those groups are set to use the very same RADIUS server (as long as they provide correct logon credentials, of course).
Environment specs:
Firewall - FG-310B, FortiOS 4.3.3
RADIUS - IAS on Windows 2003 R2 Server.
Both RADIUS groups are configured to support WiFi networking:
The first one for CAPTIVE Portal Authentication.
The second one for WPA2-Enterprise.
Is there any way to configure the firewall to accept or reject user connections depending on RADIUS group membership?
Thank you for any help.
VA
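To make concrete what the post describes, here is an added example (not from the poster or from Fortinet) that decodes the Fortinet-Group-Name VSA from a RADIUS Access-Accept attribute list and shows the group-aware decision the poster wants, i.e. accept only when the reported RADIUS group matches the one the firewall group expects. The vendor id 12356 and sub-type 1 are the public Fortinet dictionary values; the group names and the attribute bytes are constructed sample data.

```python
import struct

FORTINET_VENDOR_ID = 12356   # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name VSA sub-type
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute


def build_fortinet_group_vsa(group_name: str) -> bytes:
    """Encode one Vendor-Specific attribute carrying Fortinet-Group-Name (sample data)."""
    value = group_name.encode()
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(data: bytes):
    """Walk RFC 2865 type/length/value attributes; reject truncated or bogus lengths."""
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def fortinet_groups(accept_attrs: bytes) -> list:
    """Return every Fortinet-Group-Name string present in an Access-Accept."""
    groups = []
    for atype, value in parse_attributes(accept_attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a VSA, or too short to hold vendor id + one sub-attribute
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue  # some other vendor's VSA
        for subtype, subval in parse_attributes(value[4:]):
            if subtype == FORTINET_GROUP_NAME:
                groups.append(subval.decode(errors="replace"))
    return groups


def authorize(accept_attrs: bytes, required_radius_group: str) -> bool:
    """Group-aware decision: an Access-Accept alone is not enough, the VSA must name the group."""
    return required_radius_group in fortinet_groups(accept_attrs)


# Constructed sample: IAS answers with the user's group, as the poster's server does.
CAPTIVE_ACCEPT = build_fortinet_group_vsa("CaptivePortalUsers")
WPA2_ACCEPT = build_fortinet_group_vsa("WPA2EnterpriseUsers")
```

With this check, a captive-portal user whose Access-Accept carries only "CaptivePortalUsers" is refused by the firewall group that requires "WPA2EnterpriseUsers", which is the behaviour the poster is missing.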