This article describes the scenario where RADIUS authentication fails when a RADIUS client IP address exists both as an individual host object and within a range/subnet object.
Scope
FortiAuthenticator.
Solution
Under Authentication > RADIUS Service > Clients, two RADIUS client objects are created: a subnet, 10.x.3.0/24, and a host IP, 10.x.3.23.
In the RADIUS policy under Authentication > RADIUS Service > Policies, only the subnet-based RADIUS client is selected.
A packet capture shows that FortiAuthenticator returns Access-Reject even though the RADIUS client 10.x.3.23 falls within the subnet 10.x.3.0/24.
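FortiAuthenticator first matches the request to the configured RADIUS client with the longest prefix match, and only then looks for a RADIUS policy that includes that client. Here the host object 10.x.3.23 is the longest match, and it is not selected in the policy.
To resolve this, either add the longest-prefix-match RADIUS client to the RADIUS policy, or remove the RADIUS client host object if the subnet/range object must be used.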
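
The lookup order described above can be modelled offline to audit a client and policy list for this overlap. The following is an added example, not FortiAuthenticator code: the object names, policy name and the second octet (0 in place of the redacted "x") are constructed, and only IPv4 CIDR clients are modelled, not ranges.

```python
import ipaddress

# Constructed sample data: the page redacts the second octet as "x"; 0 is used here.
CLIENTS = {
    "subnet_client": ipaddress.ip_network("10.0.3.0/24"),
    "host_client": ipaddress.ip_network("10.0.3.23/32"),
}
# Policy name -> RADIUS client names selected in that policy (names are hypothetical).
POLICIES = {"policy1": {"subnet_client"}}


def match_client(src_ip, clients):
    """Return the name of the client entry with the longest prefix covering src_ip."""
    ip = ipaddress.ip_address(src_ip)
    hits = [(net.prefixlen, name) for name, net in clients.items() if ip in net]
    return max(hits)[1] if hits else None


def resolve(src_ip, clients, policies):
    """Model of the lookup order described above: client first, then policy."""
    client = match_client(src_ip, clients)
    if client is None:
        return None, None, "no-client"
    for policy, members in policies.items():
        if client in members:
            return client, policy, "policy-found"
    return client, None, "Access-Reject"


def shadowed_clients(clients, policies):
    """List (specific, broader, policy) where a more specific client entry lies
    inside a broader one that a policy selects, but is itself not selected."""
    findings = []
    for policy, members in policies.items():
        for broad in members:
            for name, net in clients.items():
                if (name not in members and net != clients[broad]
                        and net.subnet_of(clients[broad])):
                    findings.append((name, broad, policy))
    return sorted(findings)


if __name__ == "__main__":
    print(resolve("10.0.3.23", CLIENTS, POLICIES))
    print(shadowed_clients(CLIENTS, POLICIES))
```

Each finding from `shadowed_clients` names a host or narrower client that should either be added to the listed policy or removed so the broader object applies.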