FortiGate supports Radius Challenge, so we're going to take the advantage of that and implement a two-step logon procedure for a good user experience.
In the DualShield console, set the logon procedure for Fortigate VPN as below:
The 1st step is the Static Password, aka, AD password. The 2nd step we will allow users to authenticate with either One-Time Password or Out-of-Band push.
Now, launch FortiClient:
You'll be asked to enter your AD password.
Once you have entered your password, press "Connect" to continue.
On the 2nd step, you can either enter an one-time password or enter 1 to start the out-of-band authentication process.
If both your 1st and 2nd credentials are correctly verified, then you're granted access to Fortigate VPN.
