

To authenticate many different groups through RADIUS for the SSL VPN, you have to configure a vendor-specific option.

Using RADIUS to authenticate also gets around a Fortigate limit: by default, the maximum number of LDAP servers you can configure on a Fortigate is 10, so if you have a lot of different domains, as I do with one client, you might otherwise be pushed to FortiAuthenticator for the ability to have more, or to use dual factor. With RADIUS you can authenticate as many domains as you like behind one RADIUS server. You can also have that server allow users to change their password if it expires, or if you set the policy in AD to make the user change their password. I've blogged before on using the SSL VPN to renew passwords if they expire, using LDAPS, but I have not blogged on doing this through RADIUS authentication.
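The vendor-specific option in question is the Fortinet-Group-Name attribute: a RADIUS Vendor-Specific attribute (type 26) carrying Fortinet's vendor ID 12356 and vendor-type 1, which the RADIUS server returns in the Access-Accept and the Fortigate matches against the group-name entries under its user group's match configuration. The block below is an added example, not code from the original post or from Fortinet: it builds an Access-Accept carrying one Fortinet-Group-Name per domain group, and parses it back the way the VPN gateway would, verifying the Response Authenticator first so a reply with the wrong shared secret is rejected. The shared secret, Request Authenticator and group names are constructed values.

```python
import hashlib
import struct

# Fortinet's private enterprise number and the vendor-type of
# Fortinet-Group-Name, as defined in Fortinet's RADIUS dictionary.
FORTINET_VENDOR_ID = 12356
FORTINET_GROUP_NAME = 1

ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2


def encode_attr(attr_type, value):
    """Encode one RFC 2865 attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def fortinet_group_name(group):
    """Vendor-Specific attribute carrying Fortinet-Group-Name.
    Layout: Type=26, Length, Vendor-Id (4 bytes), then one vendor
    sub-attribute: Vendor-Type=1, Vendor-Length, group name string."""
    name = group.encode()
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, len(name) + 2) + name
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + sub)


def build_access_accept(ident, request_auth, secret, groups):
    """Access-Accept returning one Fortinet-Group-Name per group.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(fortinet_group_name(g) for g in groups)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_auth, secret):
    """Gateway-side view: check the Response Authenticator, then collect the
    Fortinet-Group-Name strings. Other vendors' VSAs and non-VSA attributes are ignored."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    groups = []
    i = 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == FORTINET_VENDOR_ID:
                j = 4
                while j + 2 <= len(value):
                    vtype, vlen = value[j], value[j + 1]
                    if vlen < 2 or j + vlen > len(value):
                        raise ValueError("malformed vendor sub-attribute")
                    if vtype == FORTINET_GROUP_NAME:
                        groups.append(value[j + 2:j + vlen].decode())
                    j += vlen
        i += alen
    return groups


def demo():
    """Round-trip two domain groups through a constructed exchange."""
    secret = b"constructed-shared-secret"   # constructed, not a real secret
    request_auth = bytes(range(16))          # constructed stand-in for the Access-Request authenticator
    groups = ["DomainA-VPN-Users", "DomainB-VPN-Users"]  # constructed group names
    pkt = build_access_accept(7, request_auth, secret, groups)
    return parse_access_accept(pkt, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

Each domain the RADIUS server fronts gets its own group-name string, and on the Fortigate each SSL VPN user group matches one of those strings, so one RADIUS server entry can stand in for any number of LDAP servers. A reply whose authenticator does not verify is discarded rather than trusted, which is why the shared secret on both sides must match exactly.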
