We have SSL VPN set up and working well with LDAP but I wanted to switch to RADIUS/NPS, particularly for the Azure MFA NPS plugin. The connection with RADIUS/NPS works, I just can't replicate LDAP's ability to easily pass all VPN Active Directory groups a user is a member of.
Let's say I have 4 groups to work with, each tied to IPv4 policies that allow access to different sets of servers over VPN:
VPN-FileShares
VPN-SQL
VPN-ERP
VPN-IT
With LDAP I could just create all of those groups on the FortiGate and point them to groups in my Active Directory which users are members of. A user logs in and the groups he's in are automatically picked up by the FortiGate. Super easy and straightforward.
With RADIUS I haven't figured out how to do the same. With what I know/have read, NPS requires I pick a group that is allowed access, then in that same policy, I need to pass back (as attribute 1) the group that I allowed through. I could even do multiple groups with multiple attributes. The problem is once it hits a particular policy, it doesn't process down to the next for other groups. For example, in RADIUS:
Processing Order 1: VPN-FileShares is allowed to authenticate, and pass back group "VPN-FileShares" to the FortiGate
Processing Order 2: VPN-SQL is allowed to authenticate, and pass back group "VPN-SQL" to the FortiGate
Processing Order 3: VPN-ERP is allowed to authenticate, and pass back group "VPN-ERP" to the FortiGate
Processing Order 4: VPN-IT is allowed to authenticate, and pass back group "VPN-IT" to the FortiGate
If a user is a member of all 4, only the first policy gets applied. I thought about making policy rules for each and every group combination and passing those back, but that seems incorrect/excessive.
Am I missing something easy? I read about auth-multi-group but documentation says it's enabled by default. Does it require additional configuration?
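As an added illustration (not from the original post, NPS or Fortinet's own code): a small Python script that builds a RADIUS Access-Accept carrying one Fortinet-Group-Name VSA per group (Fortinet vendor id 12356, vendor-type 1, the "attribute 1" the post refers to) and parses the group list back out, so you can see on the wire what the FortiGate needs to receive for a user who is in all four groups. The Response Authenticator is a zero placeholder rather than the real MD5 over packet and shared secret.

```python
import struct

# Constructed example: RADIUS framing per RFC 2865; Fortinet's IANA vendor id
# is 12356 and its Fortinet-Group-Name VSA is vendor-type 1.
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1


def build_group_vsa(group: str) -> bytes:
    """One Vendor-Specific attribute carrying a single Fortinet-Group-Name."""
    value = group.encode()
    inner = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner),
                       FORTINET_VENDOR_ID) + inner


def build_access_accept(identifier: int, groups) -> bytes:
    """Access-Accept with one Fortinet-Group-Name VSA per group.
    The 16-byte Response Authenticator is a zero placeholder here; a real
    server computes MD5 over the packet and the shared secret."""
    attrs = b"".join(build_group_vsa(g) for g in groups)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + bytes(16) + attrs


def parse_fortinet_groups(packet: bytes):
    """Return (code, [group names]) from a RADIUS reply, validating lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    groups, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID):
            sub = value[4:]  # a VSA may carry several vendor sub-attributes
            while len(sub) >= 2:
                vtype, vlen = sub[0], sub[1]
                if vlen < 2 or vlen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == FORTINET_GROUP_NAME:
                    groups.append(sub[2:vlen].decode())
                sub = sub[vlen:]
        pos += attr_len
    return code, groups
```

Capturing the NPS reply with a packet sniffer and running it through `parse_fortinet_groups` shows whether one or several group names actually came back for a multi-group user.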