FortiGate
GiannisChari (Staff)
Article Id 406277
Description
This article describes how to properly set up and troubleshoot a dial-up VPN with LDAP authentication against Active Directory, using user certificates provisioned to endpoints by the Active Directory Certificate Authority server. This can only be implemented in v7.4.4+; earlier versions do not perform username cross-matching with the certificate information.
Scope
FortiGate, FortiClient, and Active Directory.
Solution

Process Flow:

  1. FortiClient presents the user certificate to FortiGate.
  2. FortiGate reads the Subject Alternative Name and performs an LDAP searchRequest for the user.
  3. If the LDAP server replies with an entry, FortiGate checks whether that entry is the same account as the username provided by FortiClient.
  4. FortiGate performs an LDAP bindRequest for the given user.


Configuration:

FortiClient configuration:

Enable EAP.

Set the Authentication Method to X.509 Certificate.

[Image: FortiClient VPN settings (fct.png)]

Client Certificate example:

[Image: client certificate example (Cert.png)]

FortiGate configuration:


First, an LDAP object pointing to the Active Directory needs to be configured:


config user ldap
    edit "DC"
        set account-key-cert-field othername
        set server "dc.homelab.local"
        set cnid "sAMAccountName"
        set dn "dc=homelab,dc=local"
        set type regular
        set username "HOMELAB\\Administrator"
        set password ENC MTAwND/6lPb0SpIjm74sPzMp5U6cw5pmg6t/xMYfvy35UJla/DqmXuonwCdcZk/c2/xQX+HsYNUogSvN3NFOnG2CPxmWipItA0yCyNsinUeLCIjSNeNY1puAOQVIqAW1vaEwUdVpjBhwgnwBgT/+H3iuZyHQifgM1HgWT/j9Ods8cWUxiv2OdioMHkQNwV4lojAYtFlmMjY3dkVA
    next
end


Next, the CA certificate from Active Directory must be imported as a remote CA. This CA certificate is then used to create a peer user:


config user peer
    edit "IKEv2_peer"
        set ca "AD_CA"
        set mfa-mode subject-identity
        set mfa-server "DC"
    next
end


With this peer setting, FortiGate makes an LDAP searchRequest for the userPrincipalName found in the certificate. If the LDAP server does not reply with an entry, the authentication fails. The password itself is not validated at this step.


It is a good idea to create a Certificate Signing Request (CSR) for the FortiGate public IP or URL and have it signed by the Microsoft CA server. A Let's Encrypt certificate or any other certificate signed by a third-party CA can also be used; the only requirement is that it covers the FortiGate public IP or URL.


Lastly, this is what the IPsec phase1 configuration should look like:


config vpn ipsec phase1-interface
    edit "IPsec-tun"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set authmethod signature
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 20
        set eap enable
        set eap-identity send-request
        set eap-cert-auth enable
        set cert-peer-username-validation othername
        set cert-peer-username-strip enable
        set certificate "IPsec_cert"
        set peer "IKEv2_peer"
        set ipv4-start-ip 10.33.21.1
        set ipv4-end-ip 10.33.21.12
        set dns-mode auto
        set ipv4-split-include "Internal_address"
    next
end


Important: eap-cert-auth is needed for FortiGate to send the EAP challenge after certificate verification. This is a Fortinet proprietary implementation and works only with FortiClient.


Note: cert-peer-username-validation othername is needed to cross-validate the certificate's userPrincipalName with the provided username. When cert-peer-username-strip is enabled, the username can be provided without the userPrincipalName or sAMAccountName syntax (like 'User' rather than 'User@homelab.local').


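The cross-match from process-flow steps 2 and 3, together with the effect of cert-peer-username-strip described in the note above, modelled in Python as an added example (not FortiGate or Fortinet code). The directory entries are constructed, and the accepted identity forms, case-insensitive comparison and LDAP filter shape are assumptions for illustration, not documented FortiOS behaviour.

```python
# Added example, not FortiGate code: models the certificate-to-username cross-match
# (SAN othername UPN -> LDAP searchRequest -> compare the entry with the EAP identity).
# The directory below is constructed; accepted identity forms, case-insensitive
# matching and the search filter shape are assumptions for illustration.

NETBIOS_DOMAIN = "HOMELAB"  # constructed, mirrors the 'HOMELAB\\Administrator' bind user

# Constructed stand-in for the entries an LDAP searchRequest against AD would return,
# keyed by userPrincipalName (the value carried in the certificate's SAN othername).
DIRECTORY = {
    "alice@homelab.local": {"sAMAccountName": "alice"},
    "bob@homelab.local": {"sAMAccountName": "bob"},
}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    crafted certificate UPN cannot change the structure of the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def search_filter(cert_upn: str) -> str:
    """Filter for the step-2 searchRequest keyed on the certificate UPN (assumed form)."""
    return f"(userPrincipalName={ldap_escape(cert_upn)})"


def ldap_search(cert_upn: str):
    """Step 2: look the certificate UPN up; None models 'no entry returned'."""
    return DIRECTORY.get(cert_upn.lower())


def cross_validate(cert_upn: str, eap_identity: str, strip_enabled: bool = True):
    """Steps 2-3: returns (ok, reason). The step-4 bindRequest, where the password
    is actually checked, only happens when ok is True and is not modelled here."""
    entry = ldap_search(cert_upn)
    if entry is None:
        return False, "no LDAP entry for certificate UPN"
    sam = entry["sAMAccountName"]
    # Identity forms assumed to match regardless of strip: the UPN itself or DOMAIN\sAMAccountName.
    accepted = {cert_upn, f"{NETBIOS_DOMAIN}\\{sam}"}
    if strip_enabled:
        accepted.add(sam)  # cert-peer-username-strip: the bare account name is accepted too
    if eap_identity.lower() in {form.lower() for form in accepted}:
        return True, "certificate UPN and EAP identity refer to the same account"
    return False, "EAP identity does not match the account named in the certificate"
```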
Related documents:

LDAP-integrated certificate authentication:
Using the SAN field for LDAP-integrated certificate authentication

EAP and certificate authentication:
IPsec IKEv2 VPN 2FA with EAP and certificate authentication

Cross-validation:
Cross-validation for IPsec VPN