Finally got back to re-visiting this.
Current state
User auths against a Windows RADIUS server and that is passed to the outside via a FortiGate firewall. Problem is that the FortiGate is not seeing any of the usernames, so is just placing it into the guest role.
The FortiGate is set up in the AAA profile and I believe all is fine on the Windows and firewall side, but obviously something is missing.
Anyone set this up before and got any ideas on areas to check?