Configure Certificate Maps

Certificate maps let you define rules matching a user certificate to a connection profile based on the contents of the certificate fields. Certificate maps provide certificate authentication on secure gateways.

The rules that make up a certificate map are defined in Certificate Map objects.

Procedure


Step 1

Choose Devices > VPN > Remote Access.

Step 2

Select an existing remote access VPN policy in the list and click the corresponding Edit icon.

Step 3

Choose Advanced > Certificate Maps.

Step 4

Select the following options from the General Settings for Connection Profile Mapping pane:

Selections are priority-based: matching continues down the list of options when the first selection does not match. Matching is complete when the rules are satisfied. If the rules are not satisfied, the default connection profile listed at the bottom of this page is used for the connection. Select any or all of the following options to establish authentication and to determine which connection profile (tunnel group) must be mapped to the client.

  • Use Group URL if Group URL and Certificate Map match different Connection profiles

  • Use the configured rules to match a certificate to a Connection Profile—Enable this to use the rules defined in the Connection Profile Maps.

Note

Configuring a certificate mapping implies certificate-based authentication. The remote user will be prompted for a client certificate regardless of the configured authentication method.

Step 5

Under the Certificate to Connection Profile Mapping section, click Add Mapping to create a certificate to connection profile mapping for this policy.

  1. Choose or create a Certificate Map Name object.

  2. Select the Connection Profile that you want to use if the rules in the certificate map object are satisfied.

  3. Click OK to create the mapping.

Step 6

Click Save.
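
The following is an added example, not Cisco code or output: a small offline model of the priority-ordered mapping described in this procedure, useful for checking which client certificates would fall through to the default connection profile before you save the policy. It assumes that all rules in a certificate map must match, that comparison is case-insensitive, and that only "equals" and "contains" operators exist; the Group URL option is not modelled, and all map, profile and certificate names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    field: str       # "subject" or "issuer" (names assumed for this sketch)
    component: str   # DN component such as "CN", "OU" or "O"
    operator: str    # "equals" or "contains" (assumed operator subset)
    value: str

@dataclass
class Mapping:
    cert_map: str    # Certificate Map Name object
    profile: str     # connection profile used when the map's rules are satisfied
    rules: list

def rule_matches(rule, cert):
    # Assumption: case-insensitive compare; a missing component never matches.
    actual = cert.get(rule.field, {}).get(rule.component)
    if actual is None:
        return False
    actual, wanted = actual.lower(), rule.value.lower()
    if rule.operator == "equals":
        return actual == wanted
    if rule.operator == "contains":
        return wanted in actual
    raise ValueError(f"unsupported operator: {rule.operator}")

def select_profile(cert, mappings, default_profile):
    for m in mappings:  # list order is the priority order
        # A map with no rules is skipped so it cannot match every certificate.
        if m.rules and all(rule_matches(r, cert) for r in m.rules):
            return m.profile
    return default_profile  # no map satisfied: default connection profile

def fell_through(certs, mappings, default_profile):
    """Names of certificates that land on the default connection profile."""
    return [n for n, c in certs.items()
            if select_profile(c, mappings, default_profile) == default_profile]

# Constructed sample data (not from any real deployment).
DEFAULT = "DEFAULT-PROFILE"
MAPPINGS = [
    Mapping("ENG-MAP", "ENG-VPN", [Rule("subject", "OU", "equals", "Engineering")]),
    Mapping("PARTNER-MAP", "PARTNER-VPN", [Rule("issuer", "CN", "contains", "Partner"),
                                           Rule("subject", "O", "equals", "Example Partner")]),
]
CERTS = {
    "alice": {"subject": {"CN": "alice", "OU": "engineering"}, "issuer": {"CN": "Corp CA"}},
    "bob": {"subject": {"CN": "bob", "O": "Example Partner"}, "issuer": {"CN": "Partner Issuing CA"}},
    "carol": {"subject": {"CN": "carol", "OU": "Sales"}, "issuer": {"CN": "Corp CA"}},
}
```

Calling fell_through(CERTS, MAPPINGS, DEFAULT) lists the certificates that no map claims, which is the set to review against the default connection profile's authentication settings.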