Not completely clear what you have set, no CLI snippets or config attached or any debug outputs her. And especially last sentence is misleading me a bit.
However some years ago I have posted this KB to clarify how the RADIUS Group Match (as it is usually referenced as) works on FortiOS.
KEY part is the RADIUS server configuration as FortiGate's config of 'set group-name' ...
Like in example:
# config user group edit "GROUP_RAD" set member "RAD" config match edit 1 set server-name "RAD" set group-name "GRP-one" next end next end
.. HAVE TO match to what RADIUS server sends as AVP 'Fortinet-Group-Name' in Access-Accept.
That is critical and the only linking point between what's on server and what's on FortiGate.
FortiAnswers is the space dedicated to FortiSASE and FortiOS questions and suggestions.
2 People are following this question.