
Configure Two Factor Authentication

Jared Wray
posted this on Feb 01 15:40

Setting up two-factor authentication with the Client VPN Service is straightforward. Follow these steps to configure it:

WARNING: If you enable AD authentication, all existing users will need to re-download their VPN certificates, as their existing certificates will no longer function.

  1. Go to Network > VPN
  2. From the Client VPN Main screen, open the VPN Tasks drop-down and click Edit VPN.

Now configure the settings:

  1. Max Connections: Set this to the maximum, as you are not billed by connections.
  2. Primary DNS and Secondary DNS: Set these to your DNS servers (usually your Active Directory servers). NOTE: These need to be in the isolated network provided to you.
  3. AD Authentication: Make sure this is checked.
  4. Domain Controller IP: Specify the domain controller to authenticate against.
  5. Binding User DN: Specify the user that performs the LDAP query for authentication. Example: "CN=openvpn_user,CN=Users,DC=domainname,DC=local", which allows openvpn_user to do the authentication.
  6. Binding Password: The password of the user specified in Binding User DN.
  7. User Location DN: The location in the domain to run the query on. Example: "DC=domainname,DC=local"
  8. User Group DN: The location of the group of users to run the query on. Example: "CN=ManagedVPN,CN=Users,DC=domainname,DC=dom". Any user in this group has access to log on to the VPN service.
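Because a mistyped DN only shows up later as failed logins, the three DN fields can be checked for consistency before saving. The following is an added example, not part of the original article or the Client VPN Service: `parse_dn`, `domain_of` and `preflight` are hypothetical helper names, and the check assumes the bind user, user location and group all live in the same AD domain.

```python
import re

def parse_dn(dn):
    """Split a DN into (ATTR, value) pairs, left to right.
    Simplified: honors backslash-escaped commas, ignores multi-valued (+) RDNs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn.strip()):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component {part!r}")
        rdns.append((attr.strip().upper(), value.strip().lower()))
    return rdns

def domain_of(dn):
    """Return the DNS-style domain spelled by the DN's DC= components."""
    dcs = [v for a, v in parse_dn(dn) if a == "DC"]
    if not dcs:
        raise ValueError("no DC= components")
    return ".".join(dcs)

def preflight(fields):
    """fields: {form label: DN}. Returns a list of problems (empty = consistent)."""
    problems, domains = [], {}
    for label, dn in fields.items():
        try:
            domains[label] = domain_of(dn)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    # Assumption: one AD domain, so every DN should end in the same DC= chain.
    if len(set(domains.values())) > 1:
        detail = ", ".join(f"{k} -> {v}" for k, v in domains.items())
        problems.append(f"DNs point at different domains: {detail}")
    return problems

# Constructed sample values in the style of the examples above.
SAMPLE = {
    "Binding User DN": "CN=openvpn_user,CN=Users,DC=domainname,DC=local",
    "User Location DN": "DC=domainname,DC=local",
    "User Group DN": "CN=ManagedVPN,CN=Users,DC=domainname,DC=local",
}
# Same values, but the group DN ends in a different domain component.
MISMATCH = dict(SAMPLE, **{"User Group DN": "CN=ManagedVPN,CN=Users,DC=domainname,DC=dom"})

if __name__ == "__main__":
    for name, fields in (("SAMPLE", SAMPLE), ("MISMATCH", MISMATCH)):
        print(name, preflight(fields) or "OK")
```

This only checks the strings for internal consistency; it does not contact the domain controller or confirm that the objects exist.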