I have a privacyIDEA solution with FreeRADIUS up and running. So far I have 4 different LDAP resolvers configured and several FortiGates using RADIUS against the FreeRADIUS. There is no problem getting the second OTP window when using VPN.
What's important is to have the correct policies on privacyIDEA.
Create a policy to use the LDAP password as the token PIN.
Be sure to define the policy in such a manner that it will hit the user logins from the FortiGate.
Use Scope=Authentication.
Under additional conditions you can specify the group the user needs to be a member of.
You don't need all the actions I've used. otppin = userstore makes the system use the LDAP password as the PIN.
On the FortiGate, configure your RADIUS setting
and the user group.
Then configure your VPN setting and policy referring to this user group.
That should be all; it works fine both using the SSL VPN web portal and the client.