FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 190447
Restricting VPN access with two-factor and LDAP authentication.
1. Configure FortiGate to LDAP link.

2.  Create a 'local' user.
> Create user with same display name as used for LDAP account.

3. Assign a FortiToken to the local user.  
> Add the LDAP Server from the drop down list.
> Add an email address if using a Mobile Token.  (Needs messenger server setup on FortiGate) (Not available on FortiOS 5.2)
> Enable Two-factor Athentication
> Select Token
> Add user to local Group

4.  Create a User Group.  
> Add users that have FortiTokens assigned.
> DO NOT add a 'Remote Group' the the user group.

5. Add the 'Remote Access' group to the ssl vpn inbound Policy.

FortiOS 5.2.X
> Create new Firewall Policy
> Under 'Source User(s)', add Add 'RemoteAccess_LDAP_and_Token' group.
> Move firewall Policy to top of list.

FortiOS 5.0.X
> Create a 'User Identity' firewall Policy.
> Add check mark to 'Skip this policy for unauthenticated user'.

> Click 'Create New' under 'Configure Authentication Rules'
> Add the RemoteAccess_LDAP_and_Token local group.
> Do not add any Security Profiles.
> Save Policy.
> Move firewall Policy to top of list.