Following are the additional step that has to be done for configuring DUAL factor authentication. Client will provide password and Certificate to authenticate himself with portal and/or gateway. In this example firewall is used to create root CA certificate, Client Certificate.
1) Create a Root CA certificate on Firewall
2. Create one certificate on PA one for GP
3. Use your enterprise PKI or a public CA to issue a unique client certificate to each GlobalProtect user. The CN of the certificate must match the FQDN or IP that you are using for GP. The client must present a unique client certificate that identifies the end user in order to connect to GlobalProtect. All client can use share same certificate or can have their own individual certificate.
3. Create a Certification profile for Client authentication and call the root CA.
If the certificate profile does not specify a username field (that is, the Username Field it is set to None), the client certificate does not need to have a username. In this case, the client must provide the username when authenticating against the authentication profile.
If the certificate profile specifies a username field, the certificate that the client presents must contain a username in the corresponding field. For example, if the certificate profile specifies that the username field is subject, the certificate presented by the client must contain a value in the common-name field or authentication will fail. In addition, when the username field is required, the value from the username field of the certificate will automatically be populated as the username when the user attempts to enter credentials
4. Call that certificate profile under portal and gateway configuration
5. Install the certificate on the client machine. If the certificate is not installed following error message will be seen: