The only thing I can see that could be an issue is that the one that isn't working seems to have a spurious @ before the class is declared. If that is the issue, I've no idea where it's coming from. The user group config is as follows:
(visiting_users) # get
name : visiting_users
group-type : rsso
authtimeout : 0
sso-attribute-value : visiting_users
Network diagram would be fine.
Basically said reply to RADIUS Accounting packet is not mandatory. FortiGate can be set to do reply.
If sniffer seems incomplete, attach sniffer as text or pcap next time.
"I have it working on one network interface, but I can't get it to work from another" .. config interface and allowaccess radius-acct missing ?
Regarding the Class and "@" .. I'm not sure.
First, keep in mind that whole RSSO is a full string comparison between content in sso-attribute AVP from received Accounting packet and rsso-type group sso-attribute-value string. If those two match then user rsso-endpoint-attribute is considered a member of that group.
Second, mentioned @ seems to be transcript of hex data (40) which in place like "0x0060 400b 1910 7669 7369 7469 6e67 5f75 7365 @...visiting_use" seems to be second last octet of Framed-IP-Address 172.16.64.11 .. in this case x40 = d64 = @ (see Alt.codes table for example). For details check packet bytes in Wireshark or see my first packet transcript attached.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.