I am trying to authenticate users on a FortiGate firewall against a Radius server with a custom PAM library. This PAM library is based on individuals enterprise username and a time-bound token which is validated by a key file installed on the server. I have verified the library works for SSH authentication, however, this is generally done in two stages. First by entering a fixed username, and then the system re-prompts the user for his personal enterprise username for which the token was issued. For example (SSH client): login as: standard username Corporate ID: enterprise username Token: [time-round token] The problem I have, is that the FortiGate GUI does not allow this secondary username/token entry. I was wondering if there is a way of configuring this "standard username" in the "users" config file under the "Auth-type = PAM", and then passing the corporate credentials and token through to PAM, as this is all I really can enter in the FortiGate login GUI. Any ideas would be appreciated. Regards to all, -JR