When a user group in FortiOS is configured to authenticate against a RADIUS server, any account that the RADIUS server accepts will match that user group. Sometimes you want only specific users on the RADIUS server to match a particular user group on the FortiGate. This can be done with RADIUS attribute value pair (AVP) 26, the Vendor-Specific Attribute (VSA), which lets the RADIUS server include the Fortinet-Group-Name VSA in its response. The FortiOS user group must then be configured to match that specific group name.
In the following example, a RADIUS Network Policy Server (NPS) has been configured to return a Fortinet-Group-Name of IT. It assumes that the user group RADIUS_IT has already been created and authenticates against the RADIUS_NPS server.
- Go to User & Authentication > User Groups and edit the RADIUS_IT group.
- In the Remote Groups table, select the RADIUS_NPS server and click Edit. The Add Group Match pane opens.
- For Groups, select Specify and enter the group name configured on the RADIUS server (IT).
- Click OK to close the Add Group Match pane.
- Click OK to save the user group.
The equivalent CLI configuration:

```
config user group
    edit "RADIUS_IT"
        set member "RADIUS_NPS"
        config match
            edit 1
                set server-name "RADIUS_NPS"
                set group-name "IT"
            next
        end
    next
end
```
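To see what the FortiGate is matching on, the following added Python example (not Fortinet's code) encodes and parses the Fortinet-Group-Name VSA as it travels inside RFC 2865 attribute 26 of an Access-Accept, then applies the same "Any" versus "Specify" decision the group match above makes. It assumes Fortinet's IANA vendor ID 12356 and sub-attribute 1 for Fortinet-Group-Name, as published in Fortinet's RADIUS dictionary; the Access-Accept attributes in the test are constructed.

```python
import struct
from typing import Iterator, List, Optional, Tuple

ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 Vendor-Specific attribute (AVP 26)
FORTINET_VENDOR_ID = 12356   # Fortinet IANA enterprise number (from Fortinet's dictionary)
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name sub-attribute inside the VSA


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute: type, length, vendor-id, then the
    vendor sub-attribute (vendor-type, vendor-length, value)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the type/length/value attribute list of a RADIUS packet body."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated RADIUS attribute header")
        attr_type, attr_len = payload[i], payload[i + 1]
        if attr_len < 2 or i + attr_len > len(payload):
            raise ValueError("malformed RADIUS attribute length")
        yield attr_type, payload[i + 2 : i + attr_len]
        i += attr_len


def fortinet_group_names(attrs: bytes) -> List[str]:
    """Collect every Fortinet-Group-Name the server sent; VSAs from other
    vendors and other Fortinet sub-attributes are ignored."""
    names = []
    for attr_type, value in parse_attributes(attrs):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != FORTINET_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype == FORTINET_GROUP_NAME and 2 <= vlen <= len(value) - 4:
            names.append(value[6 : 4 + vlen].decode("utf-8", "replace"))
    return names


def user_matches_group(attrs: bytes, group_name: Optional[str]) -> bool:
    """Mirror the FortiGate group match: None means 'Any' (every valid RADIUS
    user matches); a string means 'Specify' and requires that exact name."""
    if group_name is None:
        return True
    return group_name in fortinet_group_names(attrs)
```

With "Specify" set to IT, a user whose Access-Accept carries a different Fortinet-Group-Name (or none at all) still authenticates at the RADIUS server but does not land in RADIUS_IT.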
To change the matching back to any group, under