Client certificate authentication

Technical Library | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Content Gateway Security > Content Gateway user authentication > Rule-Based Authentication > Client certificate authentication

Client certificate authentication

Certificate authentication is available for use with mobile and other personal devices.

When client certificate authentication is enabled, unauthenticated users are redirected to an HTTPS page where they are prompted to select the certificate to send to Content Gateway. The user is considered authenticated if the certificate is signed by a trusted Certificate Authority (CA). The user name is extracted from the appropriate certificate field.

Client certificate authentication can also be configured to fall back to the domains list and Captive Portal for authentication. Users who cannot be authenticated using a certificate will then be authenticated using a different method.

Used with rule-based authentication, this feature is configured for each proxy and:

Supports basic, LDAP, NTLM, and IWA authentication.

If the fallback option is enabled, however, and Captive Portal is enabled for fallback, the Captive Portal limitations apply. See Authentication using Captive Portal.

Supports credential and cookie caching.

Requires a Client Certification Authentication Profile that explains where to extract user names from the certificates and includes a list of the CA Certificates valid for use by clients.

Requires enabling SSL decryption.

Access to HTTPS sites are not authenticated if HTTPS is not enabled on the Configure > My Proxy > Basic page.

Client certificate authentication profiles

When client certificate authentication is enabled, a client certificate authentication profile must be selected. Configure client certificate authentication profiles on the new Client Cert Auth Profile tab of the Configure > Security > Access Control page.

NOTE: You can have only one profile.

On the Client Certificate Authentication Profile page:

1.

Enter a Profile Name. This name will appear in the drop-down list on the Authentication Rules page.

2.

Select an entry from the User Name Mapping drop-down.

Valid selections are Common Name (CN), Distinguished Name, or Email. This entry tells the authentication process how to extract the user name from the certificate.

3.

In the Certificate Authorities section, add, view, or delete certificates.

The certificates used for authentication are manipulated the same way that SSL certificates are manipulated on the Configure > SSL > Certificates pages. Refer to the Adding new certificate authorities for assistance.

4.

Click Apply to save your profile.

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Content Gateway Security > Content Gateway user authentication > Rule-Based Authentication > Client certificate authentication

Copyright 2016 Forcepoint LLC. All rights reserved.