https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-and-certificate/m-p/568119#M4692 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/80392">@chens</a> ,</P> <P>&nbsp;</P> <P>Yes, it is possible.&nbsp; The only thing you need to do to configure GP client certificate authentication AND username/password/MFA is as follows:</P> <P>&nbsp;</P> <OL> <LI>Install the certificate on the client (step 4 in the link below).&nbsp; It could be unique for each client or the same.</LI> <LI>Create a certificate profile (step 5) and select it on the bottom of the Authentication tab of the portal and/or gateway.</LI> <LI>Make sure the Client Authentication configuration has "No (User Credentials AND Client Certificate Required)" selected for "Allow Authentication with User Credentials OR Client Certificate."</LI> </OL> <P><A href="https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-certificate-profile#id0da833e2-8485-4e10-a6a6-9e488c39b6fa" target="_blank">https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-certificate-profile#id0da833e2-8485-4e10-a6a6-9e488c39b6fa</A></P> <P>&nbsp;</P> <P>That's it!</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sat, 02 Dec 2023 01:59:03 GMT TomYoung 2023-12-02T01:59:03Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-and-certificate/m-p/568076#M4689 <P>Hello friends.</P> <P>For my workers, I am using 2FA (AD+DUO) as the authentication process.</P> <P>I would like to add additional to the 2FA authentication, by enforcing checking the existence of a client certificate.</P> <P>My goal is to eliminate using GP from laptops that don't have my PFX installed. (i will install them manually).</P> <P>I want the cert to be an additional phase.</P> <P>I don't want to use HIP because i dont have GP license and using the default GP profiles.</P> <P>&nbsp;</P> <P>Is it possible?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 01 Dec 2023 20:05:21 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-and-certificate/m-p/568076#M4689 chens 2023-12-01T20:05:21Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-and-certificate/m-p/568119#M4692 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/80392">@chens</a> ,</P> <P>&nbsp;</P> <P>Yes, it is possible.&nbsp; The only thing you need to do to configure GP client certificate authentication AND username/password/MFA is as follows:</P> <P>&nbsp;</P> <OL> <LI>Install the certificate on the client (step 4 in the link below).&nbsp; It could be unique for each client or the same.</LI> <LI>Create a certificate profile (step 5) and select it on the bottom of the Authentication tab of the portal and/or gateway.</LI> <LI>Make sure the Client Authentication configuration has "No (User Credentials AND Client Certificate Required)" selected for "Allow Authentication with User Credentials OR Client Certificate."</LI> </OL> <P><A href="https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-certificate-profile#id0da833e2-8485-4e10-a6a6-9e488c39b6fa" target="_blank">https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-quick-configs/remote-access-vpn-certificate-profile#id0da833e2-8485-4e10-a6a6-9e488c39b6fa</A></P> <P>&nbsp;</P> <P>That's it!</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Sat, 02 Dec 2023 01:59:03 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/2fa-and-certificate/m-p/568119#M4692 TomYoung 2023-12-02T01:59:03Z