Description
Restricting VPN access with two-factor and LDAP authentication.
Solution
1. Configure FortiGate to link to the LDAP server.
2. Create a 'local' user.
> Create user with same display name as used for LDAP account.
3. Assign a FortiToken to the local user.
> Add the LDAP Server from the drop down list.
> Add an email address if using a Mobile Token. (Needs messenger server setup on FortiGate) (Not available on FortiOS 5.2)
> Enable Two-factor Authentication
> Select Token
> Add user to local Group
4. Create a User Group.
> Add users that have FortiTokens assigned.
> DO NOT add a 'Remote Group' to the user group.
5. Add the 'Remote Access' group to the SSL VPN inbound policy.
FortiOS 5.2.X
> Create new Firewall Policy
> Under 'Source User(s)', add the 'RemoteAccess_LDAP_and_Token' group.
> Move firewall Policy to top of list.
FortiOS 5.0.X
> Create a 'User Identity' firewall Policy.
> Add check mark to 'Skip this policy for unauthenticated user'.
> Click 'Create New' under 'Configure Authentication Rules'
> Add the RemoteAccess_LDAP_and_Token local group.
> Do not add any Security Profiles.
> Save Policy.
> Move firewall Policy to top of list.
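The FortiOS CLI equivalent of steps 1 to 5 above, added here as an example and not taken from the original article. All names and values are placeholders (LDAP_SRV, 192.0.2.10, the example.com base DN, user jdoe, the FortiToken serial, interfaces ssl.root and port1) and must be replaced with your own; the policy block follows the FortiOS 5.2 form with 'set groups'.

```fortios
# Added example (not from the original article). Placeholder values:
# LDAP_SRV, 192.0.2.10, dc=example,dc=com, jdoe, FTK-SERIAL-PLACEHOLDER,
# ssl.root, port1. Replace them before use.

# Step 1: LDAP server object (the "LDAP link")
config user ldap
    edit "LDAP_SRV"
        set server "192.0.2.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc_fortigate,cn=Users,dc=example,dc=com"
        set password "BIND-PASSWORD-PLACEHOLDER"
    next
end

# Steps 2 and 3: local user that authenticates against LDAP, with a
# FortiToken assigned. The name must match the LDAP account name.
config user local
    edit "jdoe"
        set type ldap
        set ldap-server "LDAP_SRV"
        set two-factor fortitoken
        set fortitoken "FTK-SERIAL-PLACEHOLDER"
        # Mobile token delivery only; needs the messenger/email server set up
        # on the FortiGate and is not available on FortiOS 5.2:
        # set email-to "jdoe@example.com"
    next
end

# Step 4: group holding only the token-enabled local users. Deliberately
# no remote LDAP group is added: a remote group would match any directory
# account on password alone and bypass the token requirement.
config user group
    edit "RemoteAccess_LDAP_and_Token"
        set member "jdoe"
    next
end

# Step 5: SSL VPN inbound policy restricted to that group (5.2 style).
# Move it to the top of the policy list after creating it.
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "RemoteAccess_LDAP_and_Token"
        set comments "SSL VPN: LDAP password + FortiToken only"
    next
end
```

To confirm the LDAP link itself works before testing the token, run `diagnose test authserver ldap LDAP_SRV jdoe '<password>'` on the FortiGate CLI; it reports whether the bind and user lookup succeeded. Then verify from the VPN client that a correct LDAP password without the token code is refused, and that an LDAP account that has no local user entry cannot log in at all.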