I have a setup very similar to yours. 500E HA pair on the edge terminating Forticlient SSL VPN connections. The FAC is the RADIUS server. The FAC uses remote LDAP to poll AD to authenticate users.
Unfortunately I can't speak for your issue regarding the IPSec FC Client connecting without being prompted for Token code BUT for your other issue, this can be remedied by enabling your FAC to join the Windows AD domain. This is done under Authentication/Remote Auth. Servers/LDAP. The section in the middle, 'Windows Active Directory Authentication' needs to be enabled with the proper domain info for you.
You can then verify you are connected via Monitor/Authentication/Windows AD. The important field is 'Connection:'
It should read 'joined domain, connected'. From what I was told, MS CHAP and MS CHAP v2 will only work if the device/Server is on the active directory domain.
(If it's not connecting you will also see TONS of messages in the logs saying failed to join Windows domain.) Hope this helps!
Windows Active Directory Server #1
Server name: SLCDC
Primary IP Address: 10.1.2.20
Secondary IP address: None
Authentication Realm: C3connect.lan
Agent: running
Connection: joined domain, connected
Updated: 17 seconds ago