Configure Threat Defense Multiple Certificate Authentication

Multiple Certificate-based Authentication

Multiple certificate-based authentication allows the threat defense to validate the machine or device certificate. Multiple certificates can be enabled for certificate-based authentication in the remote access VPN connection profile. It can be combined with AAA authentication. The multiple certificates option in the remote access VPN connection profile allows certificate authentication of both the machine and user via certificates. This ensures that the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow RA VPN access. The administrator can choose if the username for the session should be taken from the machine certificate or user certificate.

When multiple certificate-based authentication is configured, two certificates are obtained from the VPN client:

  • First Certificate—Machine certificate to authenticate the endpoint.

  • Second Certificate—User certificate to authenticate the VPN user.

For detailed information about threat defense certificates, see Managing Threat Defense Certificates.

Limitations

  • Multiple certificate authentication currently limits the number of certificates to two.

  • Secure Client supports only RSA-based certificates.

  • Only SHA256, SHA384, and SHA512 based certificates are supported during the Secure Client aggregate authentication.

  • Certificate authentication cannot be combined with SAML authentication.

Pre-fill Username from Certificate

The Pre-fill username option allows a field from the certificates to be parsed and used for subsequent AAA authentication (primary and secondary). When two certificates are used for authentication, the administrator can choose the certificate from which the username is derived for the pre-fill functionality. By default, the username for pre-fill is retrieved from the user certificate (the second certificate received from Secure Client). The pre-filled username is used as the VPN session username when the Certificate Only authentication method is enabled. When both AAA and certificate authentication are enabled, the VPN session username is based on the pre-fill option.

Configure Multiple Certificate Authentication for Remote Access VPN

  1. On your Secure Firewall Management Center web interface, choose Devices > VPN > Remote Access.

  2. Edit an existing remote access policy, or create a new one and then edit.

    See Create a New Remote Access VPN Policy.

  3. Select the connection profile to configure multiple certificate authentication, and click Edit.

    See Configure Connection Profile Settings.

  4. Choose AAA, and then select an Authentication Method:

    • Client Certificate Only—The user is authenticated using the client certificate. A client certificate must be configured on the VPN client endpoints. By default, the username is derived from the client certificate fields CN and OU (the Primary and Secondary fields, respectively). If the username is carried in other fields of the client certificate, use the Primary and Secondary fields to map the appropriate certificate fields.

    • Client Certificate & AAA—The user is authenticated using both types of authentication, AAA and client certificate.

  5. Select Enable multiple certificate authentication.

  6. Select Map username from client certificate and select a certificate from the Certificate to choose drop-down to choose the username for the VPN session from the machine certificate or user certificate.

    • First Certificate—Map the username from the Machine Certificate.

    • Second Certificate—Map the username from the User certificate to authenticate the VPN user.

  7. Configure the required connection profile settings and remote access VPN settings.

  8. Save the connection profile and remote access VPN policy. Deploy the remote access VPN on threat defense.

For information about remote access VPN AAA settings, see Configure AAA Settings for Remote Access VPN.

Certificate Configuration in DAP

You can also configure certificate criteria attributes in a DAP record. The user and machine certificates received from the VPN client during multiple-certificate authentication are loaded into the dynamic access policy (DAP) so that policies can be configured based on the fields of each certificate. You can make policy decisions based on the fields of the certificates used to authenticate that connection attempt.

  1. Choose Devices > Dynamic Access Policy.

  2. Edit an existing DAP policy or create a new one and then edit the policy.

  3. Choose an existing DAP record, or create a new one and then edit the record.

  4. Select Endpoint Criteria > Certificate.

  5. Select the Match Criteria All or Any.

  6. Click Add to add certificate attributes.

  7. Select the certificate, Cert1 or Cert2.

  8. Select the Subject and specify the certificate subject value.

  9. Select the Issuer and specify the certificate issuer name.

  10. Select the Subject Alternate Name and specify the alternate name for the subject.

  11. Specify the Serial Number.

  12. Select the Certificate Store: None, Machine, or User.

    This option adds a condition to check for the store from which the certificate is picked on the endpoint.

  13. Click Save to complete the certificate criteria settings.

    Configure the required DAP record settings and then associate the DAP with the remote access VPN.

For more information about DAP, see Dynamic Access Policies.
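The username pre-fill rules described under Pre-fill Username from Certificate (Primary/Secondary fields, First or Second certificate as the source) and the DAP certificate criteria above (Cert1/Cert2, Subject, Issuer, Subject Alternate Name, Serial Number, Certificate Store, Match Criteria All or Any) can be exercised with the following Python model. This is an added example written for this page, not Cisco code and not a statement of the product's exact matching semantics: the certificate data is constructed, the DN parser handles only the common comma-separated form with backslash escaping, Subject/Issuer criteria compare a single RDN attribute, and the Secondary field is modelled as a fallback used only when the Primary field is absent. It is useful for reasoning about which certificate a DAP rule must target so that a user certificate presented in the first slot does not satisfy a "corporate device" check.

```python
"""Model of two-certificate (machine + user) RA VPN username pre-fill and DAP
certificate criteria. Constructed example; all data and semantics are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


def parse_dn(dn: str) -> dict[str, str]:
    """Parse an RFC 4514 style DN string ("CN=alice,OU=Eng,O=Example") into a
    dict keyed by upper-case attribute type, honouring backslash-escaped commas."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if escaped:
            current += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    attrs: dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


@dataclass
class Cert:
    subject: str
    issuer: str
    san: list[str] = field(default_factory=list)
    serial: str = ""
    store: str = "None"  # endpoint store the certificate came from: Machine, User, or None


# Constructed sample certificates: first = machine, second = user (not real data).
MACHINE_CERT = Cert(subject="CN=LAPTOP-0042.corp.example,OU=Endpoints,O=Example Corp",
                    issuer="CN=Example Corp Device CA,O=Example Corp",
                    san=["LAPTOP-0042.corp.example"], serial="1A2B3C", store="Machine")
USER_CERT = Cert(subject="CN=alice,OU=Engineering,O=Example Corp",
                 issuer="CN=Example Corp User CA,O=Example Corp",
                 san=["alice@example.com"], serial="7F8E9D", store="User")


def derive_username(certs: tuple[Cert, Cert], source: str = "second",
                    primary: str = "CN", secondary: str = "OU") -> str:
    """Pre-fill username: `source` picks the First (machine) or Second (user)
    certificate; the Primary field is used, the Secondary field only as a fallback
    (fallback behaviour is an assumption of this model)."""
    cert = certs[0] if source.lower() == "first" else certs[1]
    subject = parse_dn(cert.subject)
    for attr in (primary.upper(), secondary.upper()):
        if attr in subject:
            return subject[attr]
    raise ValueError("neither Primary nor Secondary field present in the certificate subject")


def criterion_matches(cert: Cert, field_name: str, value: str) -> bool:
    """Evaluate one DAP certificate criterion against a certificate."""
    if field_name in ("subject", "issuer"):
        key, expected = value.split("=", 1)           # e.g. "OU=Engineering"
        return parse_dn(getattr(cert, field_name)).get(key.strip().upper()) == expected.strip()
    if field_name == "san":
        return value in cert.san
    if field_name == "serial":
        return cert.serial.upper() == value.upper()
    if field_name == "store":
        return value == "None" or cert.store == value  # "None" adds no store check
    raise ValueError(f"unknown criterion field {field_name!r}")


def evaluate_dap(certs: tuple[Cert, Cert], criteria: list[dict], match: str = "All") -> bool:
    """Apply a DAP record's certificate criteria with Match Criteria All or Any.
    Each criterion names Cert1 or Cert2 so the rule targets the right slot."""
    results = [criterion_matches(certs[0] if c["cert"] == "Cert1" else certs[1],
                                 c["field"], c["value"]) for c in criteria]
    if not results:
        return True  # a record with no certificate criteria imposes no restriction
    return all(results) if match == "All" else any(results)


# Constructed DAP record: machine cert from the corporate device CA, taken from the
# Machine store, and a user cert whose subject carries OU=Engineering.
CORPORATE_DEVICE_CRITERIA = [
    {"cert": "Cert1", "field": "issuer", "value": "CN=Example Corp Device CA"},
    {"cert": "Cert1", "field": "store", "value": "Machine"},
    {"cert": "Cert2", "field": "subject", "value": "OU=Engineering"},
]

if __name__ == "__main__":
    session = (MACHINE_CERT, USER_CERT)
    print("pre-fill username:", derive_username(session))
    print("corporate device (All):", evaluate_dap(session, CORPORATE_DEVICE_CRITERIA))
```

Pinning the issuer and store checks to Cert1 is the point of the model: with Match Criteria set to Any, the same record is satisfied by the user certificate alone, which is why the Limitations and DAP sections matter together when the goal is to prove the endpoint is corporate-issued.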