Two-factor authentication enables strong authentication by using a pre-deployed client certificate or a dynamic password, such as one-time password (OTP), and supports the following two-factor authentication methods:
Client certificate profile and OTP provided by an authentication service such as RADIUS.
Client certificate profile and authentication profile such as LDAP.
OTP and secure encrypted cookies.
The following enhancements make two-factor authentication even easier to use and deploy.
Dynamic Certificate Distribution Using SCEP
The GlobalProtect portal can now request unique client or server certificates from your enterprise PKI and directly deploy them to GlobalProtect components without exposing your PKI infrastructure to the Internet. GlobalProtect automates the process of requesting and installing client certificates by using the Simple Certificate Enrollment Protocol (SCEP).
Configure Certificate Distribution Using SCEP
Set up a SCEP profile.
Assign the SCEP profile to a GlobalProtect portal agent configuration. The GlobalProtect portal can then transparently deliver the certificates to endpoints that receive the configuration, which simplifies certificate deployment. You can also use SCEP to automate the generation of server certificates for GlobalProtect gateways.
Secure Encrypted Cookies for Simplified Authentication
To improve the user experience with two-factor authentication, you can now configure GlobalProtect portals and gateways to generate and accept secure, encrypted cookies to authenticate the user.
This feature supersedes the Authentication Modifier option, which was available in PAN-OS 7.0. After you upgrade the firewall or Panorama to PAN-OS 7.1, any Authentication Modifier settings are discarded. Because the new Authentication Override options are disabled by default, to configure GlobalProtect portals and gateways to accept secure encrypted cookies, you must manually configure the new Authentication Override options in PAN-OS 7.1.
To enable this feature, you configure an authentication override to instruct the portal or gateway to override the default authentication profile requirements while the cookie is active. The user must then log in successfully to receive the new secure encrypted cookie. For each subsequent login to portals and gateways during the lifetime of that cookie, the GlobalProtect agent presents the cookie instead of prompting for credentials, which reduces the number of times that users are required to enter their credentials. If the portal or gateway is also configured for client authentication as a second authentication factor, the GlobalProtect client must also provide a valid certificate to be granted access.
If you need to immediately block access from a device that holds a cookie that has not yet expired (for example, if the device is lost or stolen), you can Block Access from Lost or Stolen and Unknown Devices by adding the device to a block list.
Configure the Portal and Gateway to Generate and Accept Cookies
Before you begin: Configure the certificate with the private key that will be used to encrypt the cookie. The cookie must be encrypted before it is sent to the agent.
Select Network > GlobalProtect > Gateways (or Portals) and select the configuration.
Select Agent > Client Settings (on the gateway) or Agent (on the portal) and then select the configuration.
Configure the following Authentication Override settings:
Generate cookie for authentication override — Enable the portal or gateway to generate encrypted, endpoint-specific cookies. The portal or gateway sends this cookie to the agent after the user first authenticates with the portal.
Cookie Lifetime — Specify the hours, days, or weeks that the cookie is valid. The typical lifetime is 24 hours. The range for hours is 1–72; for days, 1–365; and for weeks, 1–52. After the cookie expires, the user must enter login credentials, and the portal or gateway then encrypts a new cookie to send to the user endpoint.
Accept cookie for authentication override — Enable this option to instruct the portal or gateway to authenticate the agent through a valid, encrypted cookie. When the endpoint presents a valid cookie, the portal or gateway verifies that the cookie was encrypted by the portal or gateway, decrypts the cookie, and then authenticates the user.
Certificate to Encrypt/Decrypt Cookie — Select the certificate to use for encrypting and decrypting the cookie. The portal and gateways must use the same certificate to encrypt and decrypt cookies.
Click OK twice to save the configuration.
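The cookie behaviour described above (issued only after a credential login, endpoint-specific, bounded by the Cookie Lifetime, checked for authenticity and decrypted by the portal or gateway before the user is authenticated, and revocable per device through a block list) is modelled here as an added example. This is not PAN-OS or GlobalProtect code. It assumes a shared symmetric key standing in for the certificate that portal and gateways must share, an HMAC-SHA256 encrypt-then-MAC construction standing in for the product's certificate-based encryption (chosen so the example runs on the standard library alone), and constructed user and device names.

```python
"""Illustrative model of a GlobalProtect-style authentication-override cookie.

Added example, not PAN-OS code. A cookie is issued after a successful
credential login, is bound to one endpoint, carries an expiry derived from
the configured lifetime, and is authenticated and decrypted by the verifier
before the user inside it is trusted. A block-listed device, an expired
cookie, a cookie for another device, or a tampered cookie all fall back to
prompting for credentials (verify_cookie returns None).
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Set

# Constructed shared secret standing in for the certificate that both the
# portal and the gateways must be configured with (assumption).
SHARED_KEY = b"constructed-demo-key-do-not-reuse-0001"
ENC_KEY = hashlib.sha256(b"enc" + SHARED_KEY).digest()
MAC_KEY = hashlib.sha256(b"mac" + SHARED_KEY).digest()
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: `length` bytes of keystream for this nonce.

    Stand-in for a standard AEAD cipher; the per-cookie random nonce keeps
    the keystream unique for every cookie issued under the same key.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def issue_cookie(username: str, device_id: str, lifetime_hours: int = 24,
                 now: Optional[float] = None) -> bytes:
    """Portal/gateway side: called only after the user's credential login succeeded."""
    now = time.time() if now is None else now
    claims = json.dumps({"user": username, "device": device_id,
                         "exp": now + lifetime_hours * 3600}).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(claims, _keystream(nonce, len(claims))))
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so the verifier can
    # prove the cookie came from a portal/gateway holding the key before decrypting.
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def verify_cookie(cookie: bytes, device_id: str, block_list: Set[str],
                  now: Optional[float] = None) -> Optional[str]:
    """Gateway/portal side: return the authenticated username, or None to fall back to credentials."""
    now = time.time() if now is None else now
    if len(cookie) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = cookie[:NONCE_LEN], cookie[NONCE_LEN:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # not produced (or modified since) by a holder of the shared key
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(nonce, len(ciphertext))))
    claims = json.loads(plaintext)
    if claims["device"] != device_id:
        return None  # cookie is endpoint-specific
    if claims["device"] in block_list:
        return None  # lost or stolen device: blocked even though the cookie is still valid
    if now >= claims["exp"]:
        return None  # lifetime elapsed: user must re-enter credentials
    return claims["user"]


def demo() -> dict:
    """Walk through the outcomes a gateway would see; a fixed clock keeps it deterministic."""
    t0 = 1_700_000_000.0  # constructed fixed clock
    cookie = issue_cookie("alice", "laptop-01", lifetime_hours=24, now=t0)
    tampered = cookie[:-1] + bytes([cookie[-1] ^ 0x01])
    return {
        "fresh": verify_cookie(cookie, "laptop-01", set(), now=t0 + 3600),
        "other_device": verify_cookie(cookie, "laptop-02", set(), now=t0 + 3600),
        "blocked": verify_cookie(cookie, "laptop-01", {"laptop-01"}, now=t0 + 3600),
        "expired": verify_cookie(cookie, "laptop-01", set(), now=t0 + 25 * 3600),
        "tampered": verify_cookie(tampered, "laptop-01", set(), now=t0 + 3600),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:>12}: {'authenticated as ' + user if user else 'prompt for credentials'}")
```

The ordering inside verify_cookie mirrors the page's description: authenticity is checked before anything is decrypted or trusted, and the block list is consulted even for a cookie that is otherwise valid, which is what makes revocation of a lost device immediate rather than waiting for the lifetime to run out.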