Contributor
October 6, 2006
Question

Can we authenticate users with smartcard through Fortigate

Currently we are authenticating users via RSA through Fortigate whenever they access any resources. Can they be authenticated via smart card, if we have smart cards in our environment? Thanks, Munit

    5 replies

    romanr
    New Member
    October 10, 2006
    Yes u can! Most SmartCard-Authentication is done via a special radius server -> The Fortigate won't see whether it is a normal password or a PIN! Or do you mean by "smartcard" (some people call RSA Cards smartcards as well!), cards with PKCS11 cert storage? In this case, the client would need to be able to handle that device!! I'm not sure if Forticlient already can handle this kind of device (like the sentinel did)! The FGT would then only handle the cert-based authentication -> this should actually work!
    Contributor
    October 23, 2006
    The one thing I can tell you, if you're referring to RSA tokens, DON'T USE FORTICLIENT! It works. But it's not pretty. Especially when in "new pin mode". And the Fortinet docs on this suck. We ended up implementing a Cisco PIX just to do the VPN connections. Fortinet needs to come a long way with interoperability of its VPN client/server.
    Contributor
    November 5, 2006
    We use ActivCard secure tokens with the forticlient. It works great, no problems.
    vanc
    New Member
    November 6, 2006
    Hi jv, Do you need to apply any hacks to FortiClient to make the VPN go with ActivCard?
    Contributor
    November 8, 2006
    No hacks. Very straight. We use FG 800 2.8 MR 11 with radius (only shared secret) to our ActivCard AAA server. Works nice. The ActivCard server does an LDAP lookup to our ActiveDirectory. Next week I will test ActivCard with a FG 60 A 3.0 MR 3 with our ActivCard server. We use Forticlient 2.0 and 1.2 in production. The first 3.0 VPN client didn't work, the latest worked with our production FG 800 2.8 MR 11.