So you have two [radius_server_auto]
config sections in your authproxy.cfg
file, one listening on port 1812 and the other on 1813? Can you verify that the different user groups on the Fortigate are using the right Duo RADIUS lisnener by looking in the Duo Authentication proxy logs? So, when you connect to the Fortigate as Duo_SSL_VPN2 the Duo log shows incoming authentication traffic on port 1812, and when you connect as Duo_SSL_VPN the traffic goes to the Duo proxy on 1812?
If so, then you might have better luck asking Fortinet why the SSL VPN IP range assignments aren’t following the group mappings for SSL VPN.
Would you mind sharing instructions for how you configured this, particularly mapping a specific IP range to a group? I see where I can add more address ranges in the “Tunnel Mode Client Settings” section on the SSL VPN settings page, but there isn’t anywhere to specify any logic associating a given range to a group on the SSL VPN settings page.