If the GlobalProtect Portal is configured for DualShield two-factor authentication, users may have to authenticate twice when connecting the GlobalProtect Gateway Agent. For the best user experience, it is recommeded that GlobalProtect Portal is set to use LDAP or Kerberos authentication, or if you do add DualShield two-factor authentication to your GlobalProtect Portal that you also enable cookies for authentication override on your GlobalProtect portal to avoid multiple prompts for two-factor authentication when connecting.
If your organization would like to protect the GlobalProtect Portal with DualShield two-factor authentication, then compete the steps below.
In the Network tab, navigate to GlobalProtect then Portal.
Click on your configured GlobalProtect portal to bring up the configuration window.
Click the Authentication tab
In the Authentication tab, remove the current client authentication if any
Click the Add button to add a new client authentication
Client Authenticaiton window
In Name field, enter DualShield Radius, or any descriptive name you like
In Authentication field, Select the authentication profile created in a previous step, e.g. DualShield Radius
Click OK to save the settings
(Optional) If you aren't using authentication override cookies on your GlobalProtect portal already, you may want to enable it to minimize DualShield Radius authentication requests at client reconnection during one gateway session. Refer to the GlobalProtect cookie authentication documentation to fully understand this feature before enabling it.
Click the Agent tab on the left and then click the Client Settings tab.
Click on the name of your config to open it.
(Optional) On the "Authentication Override" tab check the option Generate cookie for authentication override and Accept cookie for authentication override
Set a cookie lifetime and select a certificate to use with the cookie. Note that users will not need to repeat 2FA after their initial success when reconnecting during the cookie lifetime duration.
Click OK (twice if you also enabled authentication override cookies) to save the GlobalProtect portal settings.