RSSO - Cisco WLC
We are trying to set up the RSSO with our Cisco WLC.
We are sending the RADIUS accounting traffic to the FortiGate.
We are seeing the user_names in the logs but the groups are not showing.
Our users connect to the Cisco WLC and are authenticated with the Cisco ACS.
I have configured the ACS to send the WLC the correct class attribute, however we are seeing two class attributes come from the WLC.
61,07:45:16,"10.80.0.254""*****blanked out username****","allow","no log","wifi-staff+CACS:ACS1/311035611/31113113",1,No
ACS1 is the name of our Cisco ACS radius server.
I have also tried sending the accounting traffic from our WLC to NPS and then to the FortiGate.
Same issue.
Is it possible to use a wildcard in the sso-attribute-value?
config user radius
    edit "RSSO Agent"
        set rsso enable
        set rsso-radius-response enable
        set rsso-validate-request-secret enable
        set rsso-secret ENC
        set rsso-endpoint-attribute User-Name
    next
end

edit "RSSO-Wifi-Students"
    set group-type rsso
    set sso-attribute-value "wifi-students"
next
edit "RSSO-Wifi-Staff"
    set group-type rsso
    set sso-attribute-value "wifi-staff*"
next
edit "RSSO-Wifi-PHS-Students"
    set group-type rsso
    set sso-attribute-value "wifi-phs-students"
next
Hi,
No wildcards, class needs to match the string defined for the rsso-group exactly.
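
An added example, not part of the thread and not Fortinet code: a small Python check that parses a RADIUS Accounting-Request, lists every Class attribute (type 25) it carries, and compares the result against the group strings exactly, as the reply describes. The packet is constructed sample data, and joining multiple Class values with "+" is an assumption taken from the log line in the question.

```python
import struct

CLASS = 25      # RADIUS Class attribute (RFC 2865)
USER_NAME = 1   # RADIUS User-Name attribute

def build_accounting_request(attrs):
    """Constructed test input: Accounting-Request (code 4) from (type, bytes) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return [(type, value)] from a RADIUS packet; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def class_values(packet):
    """All Class values in the order they appear on the wire."""
    return [v.decode("latin-1") for t, v in parse_attributes(packet) if t == CLASS]

def matching_groups(packet, groups):
    """Exact comparison only. Assumption: several Class values are joined
    with '+', as in the log line quoted in the question."""
    joined = "+".join(class_values(packet))
    return [name for name, value in groups.items() if value == joined]

# Group strings as configured in the question (including the attempted wildcard).
PAGE_GROUPS = {"RSSO-Wifi-Students": "wifi-students",
               "RSSO-Wifi-Staff": "wifi-staff*",
               "RSSO-Wifi-PHS-Students": "wifi-phs-students"}

# Constructed packet: the user name is a placeholder; Class values follow the log line.
SAMPLE = build_accounting_request([(USER_NAME, b"staff-user"),
                                   (CLASS, b"wifi-staff"),
                                   (CLASS, b"CACS:ACS1/311035611/31113113")])

if __name__ == "__main__":
    print(class_values(SAMPLE), matching_groups(SAMPLE, PAGE_GROUPS))
```

Run against a captured accounting packet, this shows which Class values the WLC actually forwards, so the source of the second value can be fixed rather than matched around.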
Hi, I am also trying the same thing. How do you send the accounting info from the ACS server to the FortiGate?
