According to this Document: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-authentication-configuration-tab
And here is what we have set:
But the people who set it up, at least they claim, say it works.
Unless I'm not understanding something, the document claims that if you set the option to "No" (which we have), then you MUST select a Certificate Profile (which we have not). So I'm just trying to reconcile that.
yes, this is the default setting: if you set/leave the 'allow creds OR cert" to No, but you don't set a cert profile, there is no root CA to verify a client cert against so client cert is skipped. if you do set a certificate profile (later on) a client cert needs to be present AND will be matched against the CA included in the certificate profile
if you add a certificate profile and then change the setting to Yes, you opt to allow one of both (so likely the default No is there to prevent unexpected behavior when adding a certificate profile)