New Contributor III

Authentication: inability to distinguish groups on RADIUS server.

We are using RADIUS authentication with 2 different user groups set on the server. Firewall groups configured on the FortiGate side are set to use the very same RADIUS server but different groups on that server. Fortinet RADIUS VSAs are imported to IAS, so when responding to an authentication request for a user, the RADIUS server correctly specifies the group name the user belongs to. The problem is that while authenticating a user, the firewall disregards the group name reported by the RADIUS server back to the firewall and only looks at whether it was "successful" or "failed". As a result, users are successfully authenticated regardless of any group they are a member of on the firewall if those groups are set to use the very same RADIUS server (as long as they provide correct logon credentials, of course).

Environment specs:
Firewall - FG-310B, FortiOS 4.3.3
RADIUS - IAS on Windows 2003 R2 Server

Both RADIUS groups are configured to support WiFi networking: the first one for CAPTIVE Portal authentication, the second one for WPA2-Enterprise.

Is there any way to configure the firewall to accept or reject user connections depending on RADIUS group membership? Thank you for any help.

VA
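Added example, not code from the thread or from Fortinet: a small Python check that does what the poster wants the firewall to do, namely parse the Fortinet-Group-Name VSA (IANA vendor ID 12356, vendor type 1, the attribute the imported Fortinet dictionary defines) out of a RADIUS Access-Accept and authorize only when the returned group matches the firewall group being evaluated, instead of stopping at the Accept/Reject code. The packets and group names are constructed inline; the authenticator is zeroed because no shared secret is involved here.

```python
import struct

ACCESS_ACCEPT = 2           # RADIUS packet code (Access-Reject is 3)
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
FORTINET_VENDOR_ID = 12356  # IANA enterprise number for Fortinet
FORTINET_GROUP_NAME = 1     # Fortinet VSA type carrying the group name

def build_fortinet_group_vsa(group):
    """Constructed helper: wrap a group name in a Fortinet Vendor-Specific attribute."""
    value = group.encode()
    vendor_data = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_packet(code, attrs):
    """Constructed helper: RADIUS header (code, id, length, zero authenticator) + attributes."""
    return struct.pack("!BBH", code, 1, 20 + len(attrs)) + b"\x00" * 16 + attrs

def iter_attributes(packet):
    """Yield (type, value) for each attribute; stop on a malformed length."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def fortinet_groups(packet):
    """Return every Fortinet-Group-Name string carried in the reply."""
    groups = []
    for atype, value in iter_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FORTINET_VENDOR_ID:
            continue                      # some other vendor's VSA, ignore it
        pos = 4                           # skip Vendor-Id, walk vendor type/len/value triples
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == FORTINET_GROUP_NAME:
                groups.append(value[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return groups

def authorize(packet, firewall_group):
    """Accept only when the reply is Access-Accept AND it names this firewall group."""
    return packet[0] == ACCESS_ACCEPT and firewall_group in fortinet_groups(packet)

# Constructed Access-Accept as the RADIUS server would return it for a captive-portal user
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, build_fortinet_group_vsa("CaptivePortal"))
```

With the sample reply, authorize() is true for the "CaptivePortal" firewall group and false for "WPA2-Enterprise", which is exactly the distinction a check on the Accept code alone cannot make.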
New Contributor

Hi, I have spent some time on this issue and as a result I have noticed exactly the same behaviour as you described here (FGT 310B, Win 2008 NPS). I simply was not able to force the FortiGate to deal with the RADIUS attributes (VSA and others like Class etc.) and to distinguish 2 groups of wireless users and apply different sets of firewall policies... Did you finally succeed in this? I would still like to set this function up, but I don't have a clue how to continue or what else to check and so on... :(
Valued Contributor III

See if the attached helps you at all.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:

New Contributor

Let me know if I am understanding this correctly. Is it not authenticating to the correct Windows group? Or when authentication happens, does the user not get the correct user group on the firewall?