Furthermore there is an excellent guide to set up RADIUS with a FortiGate. I'll attach it. It's a contribution from another member.
----------------------------------------------------------
After some sleepless nights I finally managed to authenticate VPN users with RADIUS and XAuth.
I tried to merge all the widespread information into one posting.
Requirements/assumptions:
Windows Server 2003, Standard Edition
Fortigate-60 2.80, MR7, build318, 041206
FortiClient 1.2.172
Windows 2003 Server:
Install the Internet Authentication Service (IAS); it will act as our RADIUS server
- see http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_install.asp
Note: I had to reboot the server after installing IAS
Register the IAS in Active Directory
- see http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_add_activedir.asp
Open IAS and create a new RADIUS client
- Address: <IP address of FortiGate unit>
- Client-Vendor: RADIUS Standard
- Do not enable "Message Authenticator"
- Shared Key: <FG60 supports a maximum of 15 characters>
Create a remote access policy
- Constraints: for the first connection attempt, add only the IP address of the FortiGate as "Client-IP-Address"
- Profile: edit the profile and enable PAP authentication
- see http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_nap_node2.asp
Go to your user accounts
- Check if your users are able to dial-in
- In my case, the dial-in access is controlled by RAS policy
- You don't have to enable "reversible encryption", because we will use PAP, not CHAP
Note: You may have to switch your domain from mixed to native mode to enable RAS policies
More information on IAS:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_howto_top.asp
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_checklist_corp.asp
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_IAStopnode.asp
FortiGate:
Login via SSH to the CLI
Enter the following commands:
config user radius
    edit "MyRADIUS"
        set secret SecretKey
        set server "IP address of radius server"
    next
end
Note: the secret must match the shared key on the IAS and is limited to 15 characters
Note: You can also enter the configuration via the web interface. Go to "User -> RADIUS" and create a new entry.
Test from the FortiGate:
You should now be able to successfully authenticate against the RADIUS server
Enter the following CLI command to test the authentication:
diagnose test authserver radius MyRADIUS pap 'windowsuser' 'password'
Note: "MyRADIUS" is the name of the RADIUS server entry defined above
Note: You don't have to quote the username and the password
Example:
If your windows username is jack and the password is test123, the diagnose command would look like:
diagnose test authserver radius MyRADIUS pap jack test123
And the response should be:
authenticate 'jack' against 'pap' succeeded!
Check the event log of the Windows server for IAS entries (under "System")
- http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_logproc1.asp
Test from a client:
You should also be able to test the authentication from another client
You can use the NTRadPing 1.5 RADIUS Test Utility
- Get it from http://www.novell.com/coolsolutions/tools/1932.html
Note: Don't forget to add a new RADIUS client to your IAS configuration with the IP address of your test client
Check the event log of the Windows server for IAS entries (under "System")
- http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_logproc1.asp
If you get any errors:
The event log entries are usually very detailed
If you get error code 16
- check the shared key
- check the windows password for typos
If you get error code 65
- check your RAS policy
- check if the correct RAS policy is applied
- check if dial-in access is enabled for the user
You can also enable "tracing" on the RADIUS server
- http://www.microsoft.com/technet/security/topics/cryptographyetc/secmod192.mspx
Back to the FortiGate:
If authentication is successful, we can configure the VPN tunnel
Configure a user group
config user group
    edit "ugDialupUsers"
        set member "MyRADIUS"
        set profile "strict"
        set types-in-group 1
    next
end
Note: We make the RADIUS server the only member of the group, so the whole remote access is controlled by the RAS policy on the RADIUS/IAS Server
Now we need a Phase1 definition with XAuth enabled
config vpn ipsec phase1
    edit "gwDialupUsers"
        set dpd enable
        set nattraversal enable
        set proposal aes192-sha1
        set type dynamic
        set xauthtype pap
        set authusrgrp "ugDialupUsers"
        set psksecret SharedSecret
    next
end
Note: You also need to define a Phase2 tunnel and a firewall policy
Note: You can of course also enter the configuration via the web interface (go to "VPN -> IPSEC")
FortiClient:
Configure the appropriate connection
Don't forget to enable "eXtended Authentication" (under "Advanced")
Test the connection
Debug:
If you still have problems you can enable the debug mode
Login to the FortiGate via SSH and enter
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug app ike 2
Test the FortiClient connection
Carefully watch the output on the FortiGate console
- see http://kc.forticare.com/default.asp?id=115&Lang=1
Security:
Why PAP?
- see http://www.freeradius.org/faq/
The communication between the FortiGate and the RADIUS Server is secured by the shared secret
- see http://www.freeradius.org/rfc/rfc2865.html
The communication between the FortiClient and the FortiGate is secured by the VPN connection
- see http://kc.forticare.com/default.asp?id=115&Lang=1
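Both the diagnose test on the FortiGate and the NTRadPing test send a RADIUS Access-Request carrying a PAP password, and the shared secret mentioned in the Security section is what protects that exchange. The following Python script is an added example, not part of the original guide or any Fortinet or Microsoft code; it builds such a request per RFC 2865 (User-Password hiding with MD5 over the secret and the Request Authenticator), decodes it as the IAS side would, and verifies the Response Authenticator of the reply, the check a client must pass before trusting an Access-Accept. The secret "SecretKey" and the fixed authenticator are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
# Constructed sample values (not a real deployment); a real client uses a random
# 16-byte Request Authenticator, a fixed one keeps this example repeatable.
SAMPLE_SECRET = b"SecretKey"
SAMPLE_AUTH = bytes(range(16))

def encode_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), first block keyed by the Request Authenticator. Hiding, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_pap_password(hidden, secret, authenticator):
    """Server side (what IAS does): undo the XOR chain and strip the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type, value):
    # Attribute = Type (1 byte), Length including this header (1 byte), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, username, password, secret, authenticator):
    """Client side (FortiGate, NTRadPing): Code 1 + ID + Length + Authenticator + attrs."""
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, encode_pap_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def build_access_accept(identifier, request_auth, secret, attrs=b""):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(response, request_auth, secret):
    """Client side: discard any reply whose Response Authenticator fails this check."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == auth
```

Only the User-Password attribute is hidden; the User-Name and the rest of the packet travel in the clear, and with the FG60's 15-character limit on the secret, the secret's quality is the whole protection on that leg.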