In FortiNAC-F, the RADIUS Attribute Groups feature allows administrators to return customized RADIUS attributes (such as specific VLAN IDs, filter IDs, or vendor-specific attributes) in an Access-Accept packet sent back to a network device. This is particularly useful for supporting "Generic RADIUS" devices that are not natively supported but can be managed using standard AVPairs.
According to the FortiNAC-F Generic RADIUS Wired Cookbook and the RADIUS Attribute Groups section of the Administration Guide, there is one critical prerequisite for this feature to function: the inbound RADIUS request must contain the Calling-Station-ID attribute. The Calling-Station-ID typically contains the MAC address of the connecting endpoint. Because FortiNAC-F is a host-centric system, it uses the MAC address as the unique identifier to look up the host record, evaluate the associated Network Access Policy, and determine which Logical Network (and thus which Attribute Group) should be applied. If the incoming request lacks this attribute, FortiNAC-F cannot reliably identify the host and, as a safety mechanism, will not include any user-defined RADIUS attributes in the response. This ensures that unauthorized or unidentifiable devices do not receive privileged access through misapplied attributes.
"Configure a set of attributes that must be included in the RADIUS Access-Accept packet returned by FortiNAC... Requirement: Inbound RADIUS request must contain Calling-Station-Id. Otherwise, FortiNAC will not include the RADIUS attributes. This attribute is used to identify the host and its current state within the FortiNAC database." — FortiNAC-F 7.6.0 Generic RADIUS Wired Cookbook: Configure RADIUS Attribute Groups.
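When a Generic RADIUS device is not receiving its configured attributes, the first check is whether its Access-Request actually carries Calling-Station-Id. The following is an added example, not code from FortiNAC-F or the cookbook: it parses a raw request using the RFC 2865 layout and reports the MAC in attribute type 31. The sample packets are constructed, and the colon-separated upper-case MAC format is an assumption chosen for readability, not FortiNAC-F's internal representation.

```python
import re
import struct

ACCESS_REQUEST = 1        # RFC 2865 packet code
CALLING_STATION_ID = 31   # RFC 2865 attribute type

def parse_attributes(packet: bytes) -> dict:
    """Return {attr_type: [raw values]} from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match captured bytes")
    attrs, pos = {}, 20   # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute {a_type}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def calling_station_mac(packet: bytes):
    """Normalized MAC from Calling-Station-Id, or None if absent or not a MAC."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    values = attrs.get(CALLING_STATION_ID)
    if not values:
        return None       # the case in which no attribute group is returned
    text = re.sub(r"[-:.]", "", values[0].decode("ascii", "replace"))
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", text):
        return None
    return ":".join(text[i:i + 2] for i in range(0, 12, 2)).upper()

def build_request(attrs) -> bytes:
    """Constructed sample Access-Request with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: User-Name (1), NAS-IP-Address (4), Calling-Station-Id (31)
WITH_CSID = build_request([(1, b"host1"), (31, b"00-11-22-AA-BB-CC")])
WITHOUT_CSID = build_request([(1, b"host1"), (4, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for name, pkt in (("with", WITH_CSID), ("without", WITHOUT_CSID)):
        print(name, "Calling-Station-Id ->", calling_station_mac(pkt))
```

A result of `None` for a device's request means the prerequisite is not met, so the fix belongs on the network device's RADIUS client configuration rather than in the Attribute Group.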