We've been using Duo two-factor along with requiring client certs on machines with a lot of success. This allows us to use two-factor and ensure that we only have company-approved equipment connect to the VPN. We have the gateway set to use the Duo RADIUS server (https://duo.com/docs/authproxy_reference) for authentication, which then verifies against AD and sends a push request to the user's device to confirm authentication, along with having a certificate profile set up to verify that a company-issued AD cert is installed. On the portal side we just have it verifying against AD directly with no certificate profile. That seems to be the best blend so users don't get requested to authenticate with two-factor for config updates, just to actually log in.
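For readers who want to see what the gateway-side half of this setup looks like in the Duo Authentication Proxy, here is an added example `authproxy.cfg` (not the poster's own configuration, and not copied from the Duo docs verbatim). It wires a `[radius_server_auto]` listener, which the VPN gateway talks to over RADIUS, to an `[ad_client]` section that does the primary AD check before Duo sends the push. Host names, the integration key/secret key/API host, the RADIUS secret, and the service account are all placeholders you would replace with your own values; the client-certificate profile described in the post is enforced on the VPN gateway itself, not in this file.

```ini
; Example Duo Authentication Proxy config (added illustration, not the poster's file).
; The VPN gateway points its RADIUS authentication at this proxy; the proxy checks the
; username/password against AD, then sends a Duo push for the second factor.

[ad_client]
; Primary authentication: LDAP bind against Active Directory.
host=dc1.example.com                 ; placeholder domain controller
host_2=dc2.example.com               ; optional second DC for redundancy (placeholder)
service_account_username=duo-proxy-svc    ; placeholder read-only service account
service_account_password=REPLACE_ME       ; placeholder; keep this file root/SYSTEM-readable only
search_dn=DC=example,DC=com          ; placeholder base DN to search for the user
; Restricting to a group keeps non-VPN AD accounts from ever reaching the second factor.
security_group_dn=CN=VPN Users,OU=Groups,DC=example,DC=com   ; placeholder group

[radius_server_auto]
; Duo application credentials from the Duo Admin Panel (placeholders).
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
; Only the VPN gateway may act as a RADIUS client; the shared secret must match the
; gateway's RADIUS configuration.
radius_ip_1=10.0.0.5                 ; placeholder VPN gateway address
radius_secret_1=REPLACE_WITH_RADIUS_SECRET
; Hand primary auth to the [ad_client] section above.
client=ad_client
port=1812
; failmode=secure rejects logins if the Duo cloud is unreachable; the default,
; failmode=safe, lets primary-auth-only logins through during an outage, which
; silently reduces the VPN to single-factor. Pick deliberately.
failmode=secure
```

With `radius_server_auto`, the proxy sends a push (or falls back to the user's other enrolled methods) automatically after AD accepts the password, which matches the "push request to the user's device" flow in the post. The portal-side AD-only check the poster describes is simply a second RADIUS/LDAP target on the gateway that does not go through this proxy, so config refreshes never trigger a push.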