I see that you removed the RADIUS server IP but also shared the full hex output of the sniffer and after converting that to a PCAP, I can see your server IP ending 241. The sniffer shows a login for username n****jar and the RADIUS server replied with access_accept and AVP Fortinet-Access-Profile = prof_admin.
The GUI debug made the output unnecesarily noisy. Auth debug shows that the username "User" (I assume that this was replaced) was authenticated successfully with access-accept and admin profile = prof_admin. prof_admin is not a default admin profile in FMG/FAZ OS, I can only assume that you configured it. It looks like there is also a timeout for the same user "User" and then one more access-accept.
Here is a successful authentication from the auth debug: s139: test request: user=User s139: start radius: test-radius test-radius: send to server 0: Radius IP ip=Radius IP port=1812 id=15 type=pap test-radius: got reply: code=accept(2) id=15 test-radius: 0-1: User test-radius: 0-25: CACS:ac1c4e01r5vaftZnJN/2Vw6_MYFK2ZmlDjoHJ6HuSZB8MqZduas:CUHPTOLISE01/438793807/4107 test-radius: ftnt-profile: prof_admin test-radius: success s139: auth result: success
The RADIUS administrator is likley configured as a wildcard admin since you're sending back the AVP for admin profile. To us this, ext-auth-accprofile-override should be enabled on the administrator configuration. ext-auth-adom-override and ext-auth-group-match should not be enabled as these attributes are not being sent back from the server.
Maybe this should have been addressed in a TAC ticket. We would also want to check your FAZ admin and admin profile configuration - it might have been better to share that only with TAC rather than our public facing community site. At least your RADIUS server secret and user password are not visible in plain text.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.