Authenticate VPN Users via Client Certificates

You can configure remote access VPN authentication using client certificates when you create a new remote access VPN policy with the wizard, or when you edit the policy later.

Before you begin

Configure the certificate enrollment object that is used to obtain the identity certificate for each threat defense device that acts as a VPN gateway.

Procedure


Step 1

On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.

Step 2

Select a remote access policy and click Edit; or click Add to create a new remote access VPN policy.

Step 3

For a new remote access VPN policy, configure authentication while selecting the connection profile settings. For an existing policy, select the connection profile that includes the client profile, and click Edit.

Step 4

Click AAA > Authentication Method > Client Certificate Only.

With this authentication method, the user is authenticated using a client certificate, so you must provision a client certificate on every VPN client endpoint. By default, the user name is derived from the certificate's CN field (Primary) and OU field (Secondary). If the user name is carried in other certificate fields, set the Primary and Secondary fields to the fields that contain it.

If you select the Map specific field option, the user name is taken from the client certificate fields you choose; the Primary and Secondary fields default to CN (Common Name) and OU (Organisational Unit), respectively. If you select the Use entire DN as username option, the system uses the certificate's complete subject distinguished name as the user identity. A distinguished name (DN) is a unique identifier made up of individual fields; it can be used as the identifier when matching users to a connection profile, and DN rules are used for enhanced certificate authentication.

  • The Primary and Secondary fields for the Map specific field option offer these values:

    • C (Country)

    • CN (Common Name)

    • DNQ (DN Qualifier)

    • EA (Email Address)

    • GENQ (Generational Qualifier)

    • GN (Given Name)

    • I (Initial)

    • L (Locality)

    • N (Name)

    • O (Organisation)

    • OU (Organisational Unit)

    • SER (Serial Number)

    • SN (Surname)

    • SP (State Province)

    • T (Title)

    • UID (User ID)

    • UPN (User Principal Name)

  • Whichever authentication method you choose, select or clear Allow connection only if user exists in authorization database. When selected, a client whose derived user name is not found in the authorization database is refused even though its certificate is valid.

For more information, see Configure AAA Settings for Remote Access VPN.

Step 5

Save your changes.
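The following is an added example, not part of this documentation or of the Secure Firewall product code. It models what the procedure above configures: deriving a VPN user name from a client certificate's subject DN with the Map specific field option (Primary and Secondary fields, defaulting to CN and OU) or the Use entire DN as username option, followed by the Allow connection only if user exists in authorization database check. The subject strings and the authorization directory are constructed for the example. Two behaviours are assumptions, not statements from the page: that the Secondary field is consulted only when the Primary field is absent from the certificate, and that the first occurrence wins when a field appears more than once; confirm both against your own gateway before relying on them.

```python
"""Derive a remote access VPN user name from a client certificate subject DN.

Added example (not Secure Firewall code). Parses an RFC 4514 DN string,
applies the Primary/Secondary field mapping or the entire-DN option, then
applies the 'user must exist in authorization database' check.
"""
from typing import Optional

# Field codes from the Primary/Secondary drop-downs mapped to the attribute
# type names found in an RFC 4514 / OpenSSL-style subject string. UPN is not
# normally a subject attribute (it lives in the SubjectAltName); it is kept
# here only so the lookup is total. SP is rendered as ST by most tooling.
FIELD_TO_ATTR = {
    "C": "C", "CN": "CN", "DNQ": "DNQUALIFIER", "EA": "EMAILADDRESS",
    "GENQ": "GENERATIONQUALIFIER", "GN": "GIVENNAME", "I": "INITIALS",
    "L": "L", "N": "NAME", "O": "O", "OU": "OU", "SER": "SERIALNUMBER",
    "SN": "SN", "SP": "ST", "T": "TITLE", "UID": "UID", "UPN": "UPN",
}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN string into (attribute type, value) pairs, in order.

    Handles backslash-escaped separators ("Doe\\, Jane") and single-byte hex
    escapes ("\\2C"); multi-valued RDNs ("CN=a+OU=b") are flattened into
    separate pairs. Attribute types are upper-cased for case-insensitive matching.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    key: Optional[str] = None
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                buf.append(chr(int(nxt, 16)))      # hex escape such as \2C
                i += 3
                continue
            buf.append(dn[i + 1] if i + 1 < len(dn) else "")  # escaped literal
            i += 2
            continue
        if ch == "=" and key is None:
            key = "".join(buf).strip().upper()     # first '=' ends the type
            buf = []
        elif ch in ",+":
            if key is None:
                raise ValueError(f"malformed DN near offset {i}: RDN without '='")
            pairs.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if key is None:
        raise ValueError("malformed DN: final RDN has no '='")
    pairs.append((key, "".join(buf).strip()))
    return pairs


def username_from_certificate(subject_dn: str, primary: str = "CN",
                              secondary: Optional[str] = "OU",
                              use_entire_dn: bool = False) -> Optional[str]:
    """Return the user name the gateway would derive, or None if no field matches.

    use_entire_dn=True models 'Use entire DN as username' (the subject string
    is returned as presented, after validating that it parses). Otherwise the
    Primary field is used and, assumed here, the Secondary field only when the
    Primary field is absent; the first matching occurrence wins (assumption).
    """
    pairs = parse_dn(subject_dn)
    if use_entire_dn:
        return subject_dn.strip()
    for field in (primary, secondary):
        if field is None:
            continue
        attr = FIELD_TO_ATTR.get(field.upper())
        if attr is None:
            raise ValueError(f"unknown certificate field code: {field}")
        for k, v in pairs:
            if k == attr and v:
                return v
    return None


# Constructed stand-in for the AAA server's user store.
AUTHZ_DIRECTORY = frozenset({"jdoe", "asmith"})


def connection_allowed(subject_dn: str, directory=AUTHZ_DIRECTORY,
                       require_authz_user: bool = True, **mapping):
    """Combine user-name derivation with the authorization-database check.

    Returns (allowed, derived_user). require_authz_user=True models the
    'Allow connection only if user exists in authorization database' option.
    """
    user = username_from_certificate(subject_dn, **mapping)
    if user is None:
        return False, None            # nothing in the certificate identifies the user
    if require_authz_user and user not in directory:
        return False, user            # valid certificate, unknown user: refused
    return True, user


# Constructed sample subjects (not taken from any real certificate).
SAMPLE_SUBJECTS = {
    "cn_and_ou": "CN=jdoe,OU=Engineering,O=Example Corp,C=US",
    "ou_only": "OU=contractor-17,O=Example Corp,C=US",
    "escaped_comma": "CN=Doe\\, Jane,OU=Sales,O=Example Corp,C=US",
    "no_usable_field": "O=Example Corp,C=US",
}

if __name__ == "__main__":
    for name, dn in SAMPLE_SUBJECTS.items():
        print(f"{name:16} -> {connection_allowed(dn)}")
```

Run it as a script to see each constructed subject mapped to a user name and an allow/refuse decision; the no_usable_field case shows why a certificate profile that omits the mapped fields fails authentication even though the certificate itself chains correctly.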