Uses TLS 1.2 as the default for EAP-TLS negotiation. You can change this default setting with a configuration profile. Older clients might still need 1.0.
Authentication based on client certificates requires the server to support TLS 1.2 with cipher suites that are compatible with forward secrecy.
Note: If the SSL/TLS Service Profile for the GlobalProtect Portal and Gateway support a maximum TLS version of 1.1, then either an iOS 11 nor a Mac OS X 10.13 system will succeed in establishing a connection. Once the configuration is committed with the maximum version set to 1.2 or to "max:, then the GlobalProtect agent will succeed.
Changes coming with iOS 11
iOS 11, tvOS 11, and Mac OS High Sierra include the following changes to TLS connections:
Removes support for TLS connections usingSHA-1 certificates. Administrators of TLS services should update their services to use SHA-2 certificates.