not sure how this relates to user authentication, but ...
- those AVPs (and I assume the mentioned strings are RADIUS AVPs) - WISPr-Bandwidth-Max* and Mikrotik-Rate-Limit .. those are usually vendor specific, so do not xpect Mikrotik* working on Forti*
- how about to combine user authentication with traffic shaping ? (as I guess you want to make it per some user group otherwise why to write about user logon)
- traffic shaping is described in docs.fortinet.com .. how about that https://docs.fortinet.com/uploaded/files/3623/fortigate-traffic-shaping-56.pdf
- as user group membership is part of policy match, then how about per policy shaping page 18
- alternatively. assign users specific IP range and then you can do per-IP shaping
... whatever design suits your needs.
Tom xSilver, planet Earth, over and out!