I can't really speak about the Duo side, I have no experience with that, but you could leverage FortiAuthenticator and SSLVPN realms.
-> You can set up FortiAuthenticator to apply different RADIUS policies based on the NAS IP identifier FortiGate can send
-> you can use SSLVPN realms on FortiGate to force particular URLs (and portals and groups) for users
You could also do a setup something like this:
- use a FortiAuthenticator (or different RADIUS server) with one authentication policy
-> make sure that when users authenticate, the Access-Accept contains a 'Fortinet-Group-Name' attribute based on AD group membership
- you can map that Fortinet-Group-Name to multiple user groups on FortiGate
- you can set up SSLVPN authentication rules to link specific groups to specific portals
- you can apply firewall policies on this group basis to allow access to specific VLANs only
As long as the RADIUS server can send back the Fortinet-Group-Name attribute based on AD group membership to FortiGate, FortiGate can separate users into groups automatically and apply SSLVPN portals and policies based on that group membership.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
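
The group-based setup described in the post above, sketched as FortiGate CLI for a single AD group (an added example, not part of the original post). All object names, the server address, the `Engineering` attribute value, and the `vlan10` interface and `vlan10-net` address object are assumptions; the `#` lines are annotations to strip before pasting.

```fortios
# RADIUS server (FortiAuthenticator); address and secret are placeholders
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret <shared-secret>
    next
end
# One FortiGate group per Fortinet-Group-Name value returned in Access-Accept
config user group
    edit "vpn-engineering"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "Engineering"
            next
        end
    next
end
# Tie the group to its own SSLVPN portal (portal assumed to exist already)
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-engineering"
            set portal "portal-engineering"
        next
    end
end
# Allow that group into its VLAN only
config firewall policy
    edit 0
        set name "sslvpn-engineering-to-vlan10"
        set srcintf "ssl.root"
        set dstintf "vlan10"
        set srcaddr "all"
        set dstaddr "vlan10-net"
        set groups "vpn-engineering"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Repeat the user group, authentication rule and policy for each AD group. Users who match no authentication rule fall through to the `default-portal` in `config vpn ssl settings`, so point that at a portal that grants no access.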