Two-Factor Authentication
With two-factor authentication, the portal or gateway
authenticates users through two mechanisms, such as a one-time password
and Active Directory (AD) login credentials. You can enable two-factor
authentication by configuring and adding both a certificate profile
and authentication profile to the portal and/or gateway configuration.
You can configure the portal and gateways to use either the same
authentication method or different authentication methods. Regardless,
users must successfully authenticate through the two mechanisms
that the component demands before they can gain access to the network
resources.
If the certificate profile specifies a Username Field from which
GlobalProtect can obtain a username, that username is automatically
used to authenticate the user to the external authentication service
specified in the authentication profile. For example, if the Username
Field in the certificate profile is set to Subject, the common-name
field value of the certificate is used as the username when the
authentication server tries to authenticate the user. If you do not
want to force users to authenticate with a username from the
certificate, make sure the Username Field in the certificate profile
is set to None. See Remote Access VPN with Two-Factor Authentication
for an example configuration.
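
Before setting the Username Field to Subject, it helps to confirm that the common name in each issued client certificate matches an account on the authentication server. The following is an added example, not Palo Alto Networks code: it models the Subject and None settings on subject strings in RFC 4514 form. The function names, sample subjects and account list are constructed, and case-insensitive account matching and use of the first CN are assumptions.

```python
import re

HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")

def parse_dn(dn):
    """Split an RFC 4514 subject string into (TYPE, value) pairs."""
    parts, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and HEXPAIR.fullmatch(dn[i + 1:i + 3]):
            buf.append(int(dn[i + 1:i + 3], 16))   # hex escape such as \2C
            i += 3
        elif ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1].encode()              # escaped special such as \,
            i += 2
        elif ch in ",+":                           # unescaped separator ends a pair
            parts.append(buf.decode())
            buf = bytearray()
            i += 1
        else:
            buf += ch.encode()
            i += 1
    parts.append(buf.decode())
    pairs = [p.partition("=") for p in parts]
    return [(t.strip().upper(), v.strip()) for t, _, v in pairs]

def effective_username(username_field, subject_dn, entered=None):
    """Subject -> certificate common name; None -> what the user enters."""
    if username_field == "None":
        return entered
    if username_field != "Subject":
        raise ValueError("setting not modelled here: " + username_field)
    cns = [v for t, v in parse_dn(subject_dn) if t == "CN"]
    return cns[0] if cns else None                 # assumption: first CN is used

def audit(subjects, accounts):
    """List (subject, cn) pairs whose CN matches no directory account."""
    known = {a.lower() for a in accounts}      # assumption: case-insensitive match
    found = [(s, effective_username("Subject", s)) for s in subjects]
    return [(s, cn) for s, cn in found if cn is None or cn.lower() not in known]

# Constructed sample data, not taken from any real deployment.
SUBJECTS = ["CN=jdoe,OU=Staff,O=Example Corp",
            "CN=Smith\\, Anna,OU=Staff,O=Example Corp",
            "OU=Kiosk,O=Example Corp"]
ACCOUNTS = ["JDoe", "asmith"]

if __name__ == "__main__":
    for subject, cn in audit(SUBJECTS, ACCOUNTS):
        print("no matching account:", repr(cn), "from", subject)
```

Certificates the audit reports would fail the second factor under Subject, because the name taken from the certificate is the one presented to the authentication server.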