Radius remote user groups
I'm trying to create firewall rules based off Radius groups. The end goal is to firewall VPN traffic, certain user groups are allowed to internal resources, and other user groups are only allowed to the internet, etc.
The problem I'm having is understanding how to match the remote group name on my RADIUS server (Windows NPS). As I understand it, in Users & Authentication > User Groups > Remote Groups, my Remote Radius server works currently and user authentication works, but when I enter a "Group Name" that matches that of a group of Windows AD, authentication fails.
When I pcap on Windows server, it generates an "access-accept" still, so I think the fortigate is comparing "group-name" strings inside of an AVP and is failing when it receives the access-accept.
If anyone has advice, a known tutorial, written documentation, or another method for accomplishing the same goal, I would much appreciate it.