Try this on the commandline:

 diag debug enable
 
 diag debug appl authd -1
 

see what happens when you try to login. To reset debug:

 diag debug disable
 diag debug reset
 

If you can' t seem to find the problem try posting the output of:

 show user ldap
 
 show user group
 

Hello Matthijs, Thank you for your suggestions. Sorry to be so delayed with a response. So many fires and only one extinguisher. I get no output from the debug/authd environment. Just this message about every 10 seconds: ' message_loop: checking timeouts' while debug is active. I' ve duplicated this VPN config on a different FG200B cluster that is running v4.0,build0291,100824 (MR2 Patch 2); so I' m thinking that I' ve got something wrong with my config; just can' t seem to find it. I' ve tried both route-based and policy-based f/w policy methods. Just to emphasize: the FG is supposed to be able to lateral the FortiClient user' s userid/password to LDAP (AD) for validation? Here is the output from the show commands: FG200B-1 (RA-VPN) # show user ldap config user ldap edit " LDAPSvr1" set server " xxx.xxx.xx.x" set cnid ' ' set dn " OU=grp,DC=xx,DC=xx,DC=xxxxx,DC=com" set type regular set username " domain\\userid" set password ENC encrypted password for above user set filter ' ' next end FG200B-1 (RA-VPN) # show user group config user group edit " FSAE_Guest_Users" set group-type directory-service next edit " CRL500 via LDAP Config" set member " CRL500" " gbolger" next end Thanks again for your thoughts

Thanks for input. What does " samaccountname" refer to? I have seen the CNID/CN field described to be used for the user/security group where your VPN users are located, to leave blank, as well as just the literal value ' cn' . I currently have the username configured in the form of cn=userid,cn=users,DC=xx.... I just got feedback from FN TAC to issue the ' diag test auth ldap <server_name> <username> <password>. Do you happen to know the recommended form for the username? I have tried straight username, domain\username, and username@my.domain.name.com. No matter what format I use the command returns ' authenticate <username> against <server name> failed!' Thanks

Greetings. Not sure if this is exactly relevant, but.... This help page indicates that " Note: A user group cannot be a dialup group if any member is authenticated using a RADIUS or LDAP server." My ldap authentication works just fine with PPTP (Bob' s post herein about LDAP is spot on), but it would not work with a dialup IpSec definition in my Fortigate 60b running,as you are, under the latest MR3. http://help.fortinet.com/fos40hlp/43/wwhelp/wwhimpl/js/html/wwhelp.htm?context=fgt&topic=usergrp&single=true

Thanks to all who contributed. I' ' ll post more details later, but after an hour-long Web-Ex session with FN TAC, it' s working now. Summary: 1) used ' sAMAccountName' in User/Remote/LDAP CN Identifier field. 2) DN field was coded to the root of our AD domain-this was not clear to me earlier (starting at the top), User/User Group entry using three (remote server) DCs configured with the specific AD group where our VPN users must exist to use the IPsec VPN from the FortiGate.