heriherwanto
New Contributor III

WSSO FortiAuthenticator and Fortigate without FortiAP

Dear All,

I'm using FortiAuthenticator as RADIUS and FortiGate for Internet sharing.

I need to allow some groups on FortiAuthenticator to use the Internet without web login, just Wi-Fi single sign-on: if the Wi-Fi login succeeds, Internet access is automatically active.

Here is the reference that I use.

https://docs.fortinet.com/document/fortiauthenticator/6.2.0/cookbook/644897/wifi-with-wsso-using-for...

The problem is that I cannot use the reference with other brands such as TP-Link, D-Link, MikroTik or others.

The reference uses FortiAP.

I have tried many times, but it always fails: after a successful Wi-Fi login, the login form automatically appears in the browser.

Does anyone here have experience using WSSO without FortiAP?

Please let me know if anybody can help me.

Regards,

Heri

gfleming
Staff

AFAIK this should work with non-FortiAP wi-fi as well. It's basically just RADIUS under the hood with attributes sent to the FGT for WSSO to work properly.

 

Did you set up the Fortinet-Group-Name attribute properly in the FAC groups?

Cheers,
Graham
heriherwanto

Dear gfleming,

I have done that; unfortunately it still doesn't work.

FortiGate cannot get the group from FortiAuthenticator.

I will try again; if you have another solution, it would be very helpful.

 

Best regards,

Heri

gfleming

Just to confirm you have configured the SSID to use WPA2 Enterprise? And when you connect to wi-fi you are prompted for username and password before getting connected to the network? Do you see the authentications on the FortiAuthenticator?

Cheers,
Graham
heriherwanto

Dear gfleming,

Yes, of course.

Here is the process and configuration.

[screenshots: 1.png, 2.png, 3.png, 4.png, 9.png, 10.png, 6.png, 7.png, 8.png]

 

and this is the configuration of the Wi-Fi:

[screenshot: 5.png]

and the FortiGate cannot capture Fortinet-Group-Name, which is why the login form always appears once the Wi-Fi is connected.

Best Regards,

Heri

gfleming

Good details, thank you! I notice there's a schedule in your FW Policy. I assume you've verified the schedule is not getting in the way? Are you definitely hitting that policy?

 

Also, can you do a test for me and try with a local FortiAuthenticator group instead of an LDAP group? See if the results are the same.

 

You can also try to debug the RADIUS messages received on the FortiGate to ensure the attribute is being sent properly: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Radius-authentication-troubleshooting/ta-p...

 

Cheers,
Graham
heriherwanto

Dear Graham,

Here is the result for a local user:

[screenshot: 11.png]

Regards,

Heri

gfleming

User group is reported as WINETLAN; is that expected? I believe we are expecting WINETADMIN?

Can you run debug with integer 255 for full messages? diagnose debug application fnbamd 255

Cheers,
Graham
heriherwanto

Dear Graham,

Here is the result:

FG200E-LDAP-MASTER # diagnose debug application fnbamd 255
Debug messages will be on for 26 minutes.

FG200E-LDAP-MASTER # diagnose test authserver radius FortiAuth-RADIUS mschap2 heri-hw 12345678
[1906] handle_req-Rcvd auth req 135802484 for heri-hw in FortiAuth-RADIUS opt=0000001d prot=4
[466] __compose_group_list_from_req-Group 'FortiAuth-RADIUS', type 1
[616] fnbamd_pop3_start-heri-hw
[518] __fnbamd_cfg_get_radius_list_by_server-Loading RADIUS server 'FortiAuth-RADIUS'
[342] fnbamd_create_radius_socket-Opened radius socket 13
[342] fnbamd_create_radius_socket-Opened radius socket 14
[1394] fnbamd_radius_auth_send-Compose RADIUS request
[1351] fnbamd_rad_dns_cb-192.168.100.248->192.168.100.248
[1323] __fnbamd_rad_send-Sent radius req to server 'FortiAuth-RADIUS': fd=13, IP=192.168.100.248(192.168.100.248:1812) code=1 id=6 len=161 user="heri-hw" using MS-CHAPv2
[319] radius_server_auth-Timer of rad 'FortiAuth-RADIUS' is added
[633] create_auth_session-Total 1 server(s) to try
[2341] handle_req-Rcvd auth_cert req id=135802485, len=1567, opt=8
[974] __cert_auth_ctx_init-req_id=135802485, opt=8
[983] __cert_auth_ctx_init-OCSP resp is found.
[103] __cert_chg_st- 'Init'
[140] fnbamd_cert_load_certs_from_req-3 cert(s) in req.
[661] __cert_init-req_id=135802485
[710] __cert_build_chain-req_id=135802485
[257] fnbamd_chain_build-Chain discovery, opt 0x19, cur total 1
[273] fnbamd_chain_build-Following depth 0
[318] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
[273] fnbamd_chain_build-Following depth 1
[318] fnbamd_chain_build-Extend chain by builtin CA cache. (good)
[273] fnbamd_chain_build-Following depth 2
[287] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Init' -> 'Validation'
[831] __cert_verify-req_id=135802485
[832] __cert_verify-Chain is complete.
[406] fnbamd_builtin_cert_check-Following cert chain depth 0
[406] fnbamd_builtin_cert_check-Following cert chain depth 1
[427] fnbamd_builtin_cert_check-Builtin CRL found: 244b5494
[406] fnbamd_builtin_cert_check-Following cert chain depth 2
[442] fnbamd_builtin_cert_check-Certificate status is unchecked.
[867] __cert_verify_do_next-req_id=135802485
[99] __cert_chg_st- 'Validation' -> 'OCSP-Checking'
[889] __cert_ocsp_check-req_id=135802485
[335] fnbamd_verify_ocsp_response-Cert status: GOOD.
[251] __cert_ocsp_resp_verify-verify_ocsp_response returns 0 -1
[99] __cert_chg_st- 'OCSP-Checking' -> 'Done'
[912] __cert_done-req_id=135802485
[1652] fnbamd_auth_session_done-Session done, id=135802485
[957] __fnbamd_cert_auth_run-Exit, req_id=135802485
[1689] create_auth_cert_session-fnbamd_cert_auth_init returns 0, id=135802485
[1608] auth_cert_success-id=135802485
[1059] fnbamd_cert_auth_copy_cert_status-req_id=135802485
[1186] fnbamd_cert_auth_copy_cert_status-Cert st 210, req_id=135802485
[216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 135802485, len=2144
[1553] destroy_auth_cert_session-id=135802485
[1032] fnbamd_cert_auth_uninit-req_id=135802485
[1358] fnbamd_auth_handle_radius_result-Timer of rad 'FortiAuth-RADIUS' is deleted
[1802] fnbamd_radius_auth_validate_pkt-RADIUS resp code 2
[320] extract_success_vsas-FORTINET attr, type 1, val WINETADMIN
[1663] __radius_decode_mppe_key-Key len after decode 16

[1663] __radius_decode_mppe_key-Key len after decode 16

[1383] fnbamd_auth_handle_radius_result-->Result for radius svr 'FortiAuth-RADIUS' 192.168.100.248(1) is 0
[266] find_matched_usr_grps-Skipped group matching
[216] fnbamd_comm_send_result-Sending result 0 (nid 0) for req 135802484, len=2160
[789] destroy_auth_session-delete session 135802484
authenticate 'heri-hw' against 'mschap2' succeeded, server=primary assigned_rad_session_id=135802484 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - WINETADMIN
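
Graham's point that WSSO is "just RADIUS under the hood" and the fnbamd line above that reads "extract_success_vsas-FORTINET attr, type 1, val WINETADMIN" can be checked with the added example below, which is not from the thread or from Fortinet. It encodes Fortinet-Group-Name as a RADIUS Vendor-Specific attribute (vendor ID 12356, sub-type 1) inside an Access-Accept, decodes it back, and pulls the same value out of an fnbamd debug transcript; the 16-byte authenticator and the packet itself are constructed placeholders.

```python
import re
import struct

VENDOR_SPECIFIC = 26          # RADIUS Vendor-Specific attribute (RFC 2865)
FORTINET_VENDOR_ID = 12356    # Fortinet's IANA enterprise number
FORTINET_GROUP_NAME = 1       # Fortinet-Group-Name sub-attribute type
ACCESS_ACCEPT = 2             # "RADIUS resp code 2" in the fnbamd debug above

def fortinet_group_vsa(group: str) -> bytes:
    """Encode one Fortinet-Group-Name value as a Vendor-Specific AVP."""
    value = group.encode()
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, 2 + len(value)) + value
    body = struct.pack("!I", FORTINET_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def access_accept(ident: int, authenticator: bytes, avps: bytes) -> bytes:
    """Frame an Access-Accept; the authenticator is a constructed placeholder here."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(avps)) + authenticator + avps

def fortinet_groups(packet: bytes) -> list:
    """Return every Fortinet-Group-Name in a RADIUS packet; [] means FortiGate learns no group."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    groups, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            break                               # malformed AVP, stop parsing
        data = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(data) > 4 and struct.unpack("!I", data[:4])[0] == FORTINET_VENDOR_ID:
            sub = data[4:]
            while len(sub) >= 2 and sub[1] >= 2:   # walk the vendor sub-attributes
                if sub[0] == FORTINET_GROUP_NAME:
                    groups.append(sub[2:sub[1]].decode(errors="replace"))
                sub = sub[sub[1]:]
        pos += alen
    return groups

FNBAMD_VSA = re.compile(r"extract_success_vsas-FORTINET attr, type 1, val (\S+)")

def groups_in_fnbamd_debug(debug_output: str) -> list:
    """Pull the Fortinet-Group-Name values fnbamd reports from a debug transcript."""
    return FNBAMD_VSA.findall(debug_output)

if __name__ == "__main__":
    # Constructed packet: what FAC should return for a user in WINETADMIN.
    pkt = access_accept(6, b"\x00" * 16, fortinet_group_vsa("WINETADMIN"))
    print(fortinet_groups(pkt))                 # ['WINETADMIN']
    # Line copied from the fnbamd output in the thread above.
    print(groups_in_fnbamd_debug("[320] extract_success_vsas-FORTINET attr, type 1, val WINETADMIN"))
```

If fortinet_groups returns an empty list for what the access point actually forwards, the FortiGate has nothing to match a group on and falls back to the captive portal, which is the symptom described in the thread.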

gfleming

OK so it looks like FAC is sending the attribute OK in this case. Are you testing with local group or LDAP group? If not LDAP can you test again with LDAP this time?

Cheers,
Graham