Does anyone have experience with authenticating both a user account AND a computer to Fortigate's VPN (either IPsec or SSL)?
I know there's the "require client certificate" option on the SSL VPN side, but it's tricky at best, especially if you're trying to mix trusted and non-trusted devices. Plus, user certificates are still very portable, thus negating potential benefits.
My ultimate goal is to determine if a computer is a member of a trusted Active Directory domain. If it is AND the user authenticates successfully then grant access to Resources_A. However, if the user authenticates using an unknown/non-trusted device (like home computer) then allow access to only a tiny subnet of resources (Resources_B).
Right now, my best idea is to creatively use the "host checking" feature of the SSL VPN and "look" for things that only my trusted computers would have. It's not infallible but would be enough to stop all but the most determined folks.
I've seen wireless systems implemented with 802.1x using AD computer (not user) credentials via PEAP-EAP-MS-CHAPv2 and a private CA. The end result is that computers authenticate to the network and not the user account. In fact, the user account doesn't have permission to log in via 802.1x.
Ultimately, I'm hoping Fortinet will introduce a feature to authenticate a computer along with user credentials. This could be transparent Active Directory machine account password checking or perhaps an "enrollment" process that all devices must go through (and this would have the added advantage of being able to "trust" some special non-domain-joined systems).
(I know, this isn't the place for feature requests, but if somebody likes these ideas then don't hesitate to pass them along!)
Thoughts, anyone?