Configure VPN User Authentication via Client Certificate and AAA Server

When you configure remote access VPN authentication to use both a client certificate and an authentication server, the VPN client must pass both checks: the threat defense device validates the client certificate and then authenticates the user against the AAA server.

Before you begin

  • Configure the certificate enrollment object that you use to obtain the identity certificate for each threat defense device that acts as a VPN gateway.

  • Configure the RADIUS server group object and any AD or LDAP realms to use in the remote access VPN policy configuration.

  • Ensure that the AAA Server is reachable from the Secure Firewall Threat Defense device for the remote access VPN configuration to work.

Procedure


Step 1

On your Secure Firewall Management Center web interface, choose Devices > Remote Access.

Step 2

Click Edit on the remote access VPN policy for which you want to update the authentication, or click Add to create a new one.

Step 3

If you choose to create a new remote access VPN policy, configure the authentication while selecting the connection profile settings. For an existing configuration, select the connection profile whose authentication you want to change, and click Edit.

Step 4

Go to AAA and from the Authentication Method drop-down, choose Client Certificate & AAA.

  • When you select the Authentication Method as:

    • Client Certificate & AAA—Both types of authentication are done. The user is admitted only if the client certificate validates and the AAA server authenticates the user.

    • AAA—If you select the Authentication Server as RADIUS, by default, the Authorization Server has the same value. Select the Accounting Server from the drop-down list. If you select an AD or LDAP realm from the Authentication Server drop-down list, you must manually select the Authorization Server and the Accounting Server.

    • Client Certificate—Authenticates the user with the client certificate. You must configure a client certificate on the VPN client endpoints. By default, the username is derived from the client certificate fields CN (Primary Field) and OU (Secondary Field). If the username is carried in any other field of the client certificate, use Primary Field and Secondary Field to map the appropriate fields.

      If you select the Map specific field option, the username is taken from the selected certificate field. The Primary and Secondary fields display the default values CN (Common Name) and OU (Organisational Unit) respectively. If you select the Use entire DN as username option, the system automatically retrieves the user identity from the certificate's distinguished name. A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a connection profile. DN rules are used for enhanced certificate authentication.

      Primary and Secondary fields pertaining to the Map specific field option contains these common values:

      • C (Country)

      • CN (Common Name)

      • DNQ (DN Qualifier)

      • EA (Email Address)

      • GENQ (Generational Qualifier)

      • GN (Given Name)

      • I (Initial)

      • L (Locality)

      • N (Name)

      • O (Organisation)

      • OU (Organisational Unit)

      • SER (Serial Number)

      • SN (Surname)

      • SP (State Province)

      • T (Title)

      • UID (User ID)

      • UPN (User Principal Name)

    • Whichever authentication method you choose, select or deselect Allow connection only if user exists in authorization database.

For more information, see Configure AAA Settings for Remote Access VPN.
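The two username options described in Step 4 (Map specific field with a Primary and Secondary Field, and Use entire DN as username) decide what identity the gateway presents to the AAA server, so it is worth checking against your own certificates what they will produce. The following standard-library Python script is an added illustration, not code from the management center or threat defense software: it parses an RFC 4514 subject DN string, folds common attribute-type spellings onto the Primary/Secondary Field abbreviations listed above (the ALIASES table is my assumption, not an official mapping), and derives the username. It assumes the Secondary Field is consulted only when the Primary Field is absent from the certificate; confirm that behaviour against your release before relying on it. The sample subject DNs are constructed for the example.

```python
"""Derive the VPN username from a client-certificate subject DN.

Models the 'Map specific field' (Primary Field, Secondary Field as fallback)
and 'Use entire DN as username' options. Standard library only; the DN is
handled as an RFC 4514 string, as printed by common certificate tooling.
"""

# The Primary/Secondary Field values offered in the management center.
FMC_FIELDS = {"C", "CN", "DNQ", "EA", "GENQ", "GN", "I", "L", "N", "O", "OU",
              "SER", "SN", "SP", "T", "UID", "UPN"}

# Assumption: other spellings of the same attribute types seen in textual DNs,
# folded onto the management-center abbreviations (not an official table).
ALIASES = {
    "EMAILADDRESS": "EA", "EMAIL": "EA", "E": "EA",
    "ST": "SP", "S": "SP",
    "SERIALNUMBER": "SER", "GIVENNAME": "GN", "SURNAME": "SN",
    "GENERATIONQUALIFIER": "GENQ", "INITIALS": "I", "DNQUALIFIER": "DNQ",
    "NAME": "N", "TITLE": "T", "USERID": "UID",
}


def normalize_type(attr_type):
    """Map an attribute type as written in the DN to the FMC abbreviation."""
    key = attr_type.strip().upper()
    return ALIASES.get(key, key)


def parse_dn(dn):
    """Parse an RFC 4514 string DN into an ordered list of (type, value) pairs.

    Handles backslash-escaped characters and '+'-joined multi-valued RDNs.
    Hex-encoded (#...) values are not decoded; they are returned as written.
    """
    pairs = []
    buf, attr_type, escaped = [], None, False
    for ch in dn:
        if escaped:                       # literal character after a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr_type is None:
            attr_type = "".join(buf)      # everything so far was the type
            buf = []
        elif ch in ",+":                  # end of an attribute-value assertion
            if attr_type is None:
                raise ValueError("attribute value without a type in DN: %r" % dn)
            pairs.append((normalize_type(attr_type), "".join(buf).strip()))
            attr_type, buf = None, []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    if attr_type is not None:
        pairs.append((normalize_type(attr_type), "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("trailing text without '=' in DN: %r" % dn)
    return pairs


def username_from_certificate(subject_dn, use_entire_dn=False,
                              primary="CN", secondary="OU"):
    """Return the username the gateway would present to the AAA server.

    With use_entire_dn=True the whole DN string is the identity. Otherwise the
    first value of the Primary Field is used; assumption: the Secondary Field is
    consulted only when the primary attribute is absent. Returns None when
    neither field is present, which a caller should treat as a failed
    authentication rather than as an empty username.
    """
    if use_entire_dn:
        return subject_dn
    for field in (primary, secondary):
        if field not in FMC_FIELDS:
            raise ValueError("%s is not a selectable certificate field" % field)
    pairs = parse_dn(subject_dn)
    for field in (primary, secondary):
        for attr_type, value in pairs:
            if attr_type == field and value:
                return value
    return None


if __name__ == "__main__":
    # Constructed sample subjects; not taken from any real deployment.
    samples = [
        "CN=alice,OU=VPN Users,O=Example Corp,L=Austin,ST=Texas,C=US",
        "OU=Contractors,O=Example Corp,C=US",                     # no CN: OU used
        "CN=Smith\\, John,emailAddress=jsmith@example.com,C=US",  # escaped comma
        "O=Example Corp,C=US",                                    # neither field
    ]
    for dn in samples:
        print("%-60s -> %r" % (dn, username_from_certificate(dn)))
    print("EA as Primary Field ->", username_from_certificate(samples[2], primary="EA"))
```

Run it against the subject DNs your CA actually issues (for example the output of `openssl x509 -noout -subject -nameopt RFC2253`) before enabling Allow connection only if user exists in authorization database: a certificate whose CN is a display name such as "Smith, John" will not match a RADIUS or AD account named jsmith unless the Primary Field is changed to the attribute that carries the account name.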

Step 5

Save your changes.