fcb
Contributor

FortiClient and FortiGate Admin logins using Tokens on FAC

Seen similar posts in the forums but not my exact scenario - apologies for the long thread post.

We're trying to get this set up for the first time so that VPN clients (IPsec) and admins can BOTH use tokens against FAC. We are having issues though with LDAP users imported into FAC. We imported to groups (VPN users and Admin users) and were able to successfully get administrator authentication using tokens from FAC working to log in to FortiGate administration. The problem is that the "VPN users" group could also log in as admins (as in we could not separate the two).

When trying to get FortiClient token-based authentication working with LDAP users we see errors in the logs about CHAP not being supported, and I've read some posts that detail this a little better. I think I have a decent understanding of that... We are ultimately wondering what the best method is to import users from AD, assign tokens to them, and have different access levels depending on job function (admins vs VPN users) - RADIUS?

I found a couple of cookbook articles but nothing definitive, so any input is appreciated before I contact support.

Note that I did set up a local user on FAC and gave it a token, and when FortiClient connects to the FortiGate I get prompted for the token, input the token, but it ultimately fails, while the FAC shows an event that "Authentication with token successful"... The client does not connect and asks for the token again... This thing seems very complex, so general and more specific advice would be greatly appreciated.

Thanks in advance - I will gladly post back what support says once my entitlement is in place, but in the meantime any input is appreciated. Hopefully this can be a thread that others can use moving forward.


dt

jimsokol
New Contributor III

We use MFA with FAC on our data center firewalls for both firewall admin and SSL VPN. We accomplished this by creating multiple groups on the FAC and using the Fortinet-Group-Name RADIUS attribute within the group definition to pass the appropriate group name back to the FortiGate. I had a problem grasping this when we got started, as that critical step was not obvious in the documentation.
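For anyone reading this later, here is what the FortiGate side of the reply above looks like as a FortiOS CLI fragment. This is an added example, not configuration from either poster; the names FAC-RADIUS, VPN-Users, FW-Admins, FAC_IP and SHARED_SECRET are placeholders, and the two group names are assumed to be the values FAC sends in the Fortinet-Group-Name attribute for its corresponding user groups.

```text
# FortiGate side (FortiOS CLI). Hypothetical names: FAC-RADIUS,
# VPN-Users, FW-Admins; FAC_IP and SHARED_SECRET are placeholders.
config user radius
    edit "FAC-RADIUS"
        set server "FAC_IP"
        set secret "SHARED_SECRET"
        # LDAP-backed users cannot be verified with CHAP because the
        # LDAP bind needs the cleartext password, so use PAP here.
        set auth-type pap
    next
end

# One FortiGate group per FAC group, matched on the value FAC returns
# in Fortinet-Group-Name. A user only lands in the group whose
# group-name matches, so a VPN user never satisfies FW-Admins.
config user group
    edit "VPN-Users"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "VPN-Users"
            next
        end
    next
    edit "FW-Admins"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "FW-Admins"
            next
        end
    next
end

# Remote admin login is restricted to members of FW-Admins only.
config system admin
    edit "fac-admins"
        set remote-auth enable
        set remote-group "FW-Admins"
        set wildcard enable
        set accprofile "super_admin"
    next
end
```

The IPsec/SSL VPN policy then references only "VPN-Users", and admin login only "FW-Admins", which is the separation the original question asks about.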
