Chapter 11 IPsec VPN for FortiOS 5.0 : Auto Key phase 1 parameters : Authenticating remote peers and clients : Enabling VPN access for specific certificate holders
  
Enabling VPN access for specific certificate holders
When a VPN peer or dialup client is configured to authenticate using digital certificates, it sends the distinguished name (DN) of its certificate to the FortiGate unit. This DN can be used to allow VPN access for the certificate holder. That is, a FortiGate unit can be configured to deny connections to all remote peers and dialup clients except the one having the specified DN.
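
To make the idea of admitting only one DN concrete, here is an added illustration in Python; it is not Fortinet code and does not reproduce how FortiOS compares DNs. The function names, the sample DNs and the normalization rules (case-insensitive values, collapsed whitespace) are assumptions chosen for the example, which contrasts an exact match on every RDN with a substring test that also accepts a lookalike name.

```python
import re

def _split_rdns(dn):
    """Split a DN string on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def _unescape(value):
    """Decode \\XX hex pairs and \\<char> escapes (single-byte values only)."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1],
                  value)

def parse_dn(dn):
    """Return the DN as an ordered tuple of (ATTR, normalized value) pairs."""
    rdns = []
    for part in _split_rdns(dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        # Assumed normalization: collapse whitespace, compare case-insensitively.
        value = " ".join(_unescape(value.strip()).split()).lower()
        rdns.append((attr.strip().upper(), value))
    return tuple(rdns)

def peer_allowed(presented_dn, allowed_dn):
    """Exact match on every RDN; run only after the certificate chain is validated."""
    try:
        return parse_dn(presented_dn) == parse_dn(allowed_dn)
    except ValueError:
        return False                     # unparsable DNs are rejected

def substring_allowed(presented_dn, fragment):
    """Weak variant shown for contrast: accepts any DN containing the text."""
    return fragment in presented_dn

# Constructed sample values (not from the page).
ALLOWED = "CN=branch1.example.com,OU=VPN,O=Example Corp"
SAME_HOLDER = "cn=branch1.example.com, ou=vpn, o=Example  Corp"
LOOKALIKE = "CN=branch1.example.com.other.test,OU=VPN,O=Example Corp"
```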