
Two-factor authentication for Palo Alto VPN users using ISE

sming.ib.96
Level 1

Can I get any reference documents or links to implement two-factor authentication for Palo Alto VPN users using ISE?

6 Replies

This is a Cisco forum, I don't think you'll find much help here for configuring the Palo Alto side.  ISE isn't an MFA provider.  Have a look at DUO: https://duo.com/  

There are plenty of integrations you can do between ISE and DUO.

wilkins_95
Level 1

Did you ever find a solution for this? I also was questioning if I can leverage ISE to use as an MFA solution for our Palo GlobalProtect login.

You can use Cisco ISE as RADIUS to authenticate users in Palo firewalls.

Configuring Palo Alto Administrator Authentication with Cisco ISE (packetswitch.co.uk)

Basically, then you can leverage ISE authentication rules to have Duo as an external RADIUS server for MFA.

Duo Two-Factor RADIUS Authentication for Cisco ISE | Duo Security

Regards,

Pulkit

If you find this useful, please mark it helpful and accept the solution.

Hello Pulkit

I'm specially talking about GlobalProtect (client-less VPN). I'll explain: we allow users access to inside resources from outside our building via GlobalProtect. So let's say I'm home, I browse to https://example.globalprotect.com, I hit the GlobalProtect login screen. We leverage logins with our LDAP server, so I enter my LDAP credentials and I'm in. That's the current footprint. What I want to do now is add MFA: same process, but I want the user to now also be prompted for a verification code that would be sent to his/her e-mail. I'm looking for the most simplistic way to accomplish this and had loosely read via other blogs that Cisco ISE (which we also have) may be able to provide this via its RADIUS feature. Is this true?

That is a specific guest portal authentication mechanism which is not at all applicable in this case.

What you are after will require a 2FA mechanism and ISE is not the right product for that purpose. It can best work in conjunction with an MFA solution like Duo.