Re: SSLVPN User not able to authenticate
If the log message is from FortiAuthenticator (FAC), as it seems to me, then it speaks about FAC.
If you do have users from LDAP, then how did you give them to FortiGate (FGT)? Via RADIUS?
If RADIUS is between FGT and FAC (the usual setup), then FAC has LDAP as a backend.
And if LDAP is the backend, then how is it connected to the RADIUS Clients setup on FAC?
If it's a pure 'realm' used in FAC > Authentication > RADIUS Service > and clients config, simply pointing to LDAP, then how do you have tokens bonded?
As you spoke about tokens, I guess you synced/imported users from LDAP to FAC, equipped them with tokens, or set them to use email token. So you should have those users grouped in a FAC user group. Then the RADIUS Client with the LDAP realm has to have the group filter enabled and this group used.
This way FAC will read data about synced users from FAC, based on group membership and the state of the user on FAC (and users are usually synced via Remote User Sync Rules as Remote Users).
This way FAC will check known users, and not just proxy auth requests from RADIUS to LDAP.
More details on where, in which phase, auth fails would make the situation a bit more clear.
Tom xSilver, planet Earth, over and out!