Three links I found useful.
Setting up the required RADIUS attributes in Microsoft NPS
Fortinet cookbook – SSLVPN with solely certificate auth
Fortinet forum post showing how to enable RADIUS plus a strict check that the cert UPN matches the user
PKI user
Allows a certificate check (verifies only that the cert was issued by the trusted CA; it does not check the CN / UPN).
config user peer
    edit "LDAP.certificate.check"
        set ca "CA_Cert_1"
    next
end
VPN user group
Matches the username/password presented against the provided LDAP server (via the DCSRV.RADIUS member), restricted to the SSLVPN_Admins group by the match entry.
config user group
    edit "G.VPN.Admins"
        set member "DCSRV.RADIUS"
        config match
            edit 1
                set server-name "DCSRV.RADIUS"
                set group-name "CN=SSLVPN_Admins,OU=Groups,OU=Stuff,DC=Contoso,DC=Org"
            next
        end
    next
end
RADIUS server
Checks the user/pass and performs the 2FA step.
config user radius
    edit "DCSRV.RADIUS"
        set server "192.168.1.1"
        set secret ENC Oe9GhuqdXz5YtIzhfuL2DSnl4AVJDmSWRb0AnhahgZTZBIv1mn+ykT/8E0XcYIjX1EenDwOBdLOoYoIBuXsQhcT0yMwmnLlUOIaIbmHOmBxkqY60flbwazDiHwQLRh/vnHrNRuIN+lrIY3AcxKAjP6zPbZefM3etbxtoHBCvTNnA99TgSUgVjvJgt2k14l+y2bmVww==
        set auth-type ms_chap_v2
    next
end
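As an added example (not from the original note and not Fortinet's own tooling), the following Python script parses FortiOS-style config/edit/set/next/end text into nested dictionaries and audits the three blocks above for the caveats the note raises: a PKI peer that pins only the CA (so any certificate from that CA passes), a group with no match entry, and a RADIUS server whose auth-type could end up using PAP. The peer option names `subject`, `cn` and `ldap-server`, and the claim that `auto` may negotiate PAP, are assumptions about FortiOS rather than something the note states; the sample config is the note's own three blocks with the encrypted secret replaced by a placeholder.

```python
"""Added example: parse FortiOS CLI blocks and audit the SSL VPN cert + RADIUS settings."""
import shlex


def parse_fortios(text: str) -> dict:
    """Turn 'config / edit / set / next / end' text into nested dicts.
    Each 'set' value is kept as the list of its tokens."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return root


def audit(cfg: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for name, peer in cfg.get("user peer", {}).items():
        if not peer.get("ca"):
            findings.append(f"peer {name}: no 'ca' set, the certificate check has no trust anchor")
        # Assumption: 'subject', 'cn' and 'ldap-server' are the FortiOS peer options
        # that bind the certificate to a particular user rather than just to the CA.
        if not any(peer.get(k) for k in ("subject", "cn", "ldap-server")):
            findings.append(f"peer {name}: only the issuing CA is checked; any cert from "
                            f"{' '.join(peer.get('ca', []))} is accepted")
    for name, grp in cfg.get("user group", {}).items():
        if not grp.get("match"):
            findings.append(f"group {name}: no 'config match' entry, every user the member "
                            f"server(s) {grp.get('member')} accept is in the group")
    for name, srv in cfg.get("user radius", {}).items():
        auth = srv.get("auth-type", ["auto"])
        # Assumption: FortiOS 'auto' may negotiate PAP, which sends the password
        # protected only by the RADIUS shared-secret obfuscation.
        if auth in (["pap"], ["auto"]):
            findings.append(f"radius {name}: auth-type {auth[0]} can use PAP; prefer ms_chap_v2")
    return findings


# Constructed sample: the note's three blocks, with the secret replaced by a placeholder.
SAMPLE = """
config user peer
    edit "LDAP.certificate.check"
        set ca "CA_Cert_1"
    next
end
config user group
    edit "G.VPN.Admins"
        set member "DCSRV.RADIUS"
        config match
            edit 1
                set server-name "DCSRV.RADIUS"
                set group-name "CN=SSLVPN_Admins,OU=Groups,OU=Stuff,DC=Contoso,DC=Org"
            next
        end
    next
end
config user radius
    edit "DCSRV.RADIUS"
        set server "192.168.1.1"
        set secret ENC PLACEHOLDER_ENCRYPTED_SECRET
        set auth-type ms_chap_v2
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE)):
        print("FINDING:", finding)
```

Run against the note's own configuration the only finding is the peer one: the PKI check accepts any certificate the pinned CA issued, which is exactly why the RADIUS/LDAP group match and the UPN-to-user check from the forum post are needed on top of it. Swapping `ms_chap_v2` for `pap` in the sample produces a second finding for the RADIUS server.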