Cato Networks Knowledge Base

Configuring the Authentication Policy for Cato Clients

This article discusses how to configure the authentication behavior and Multi-Factor Authentication (MFA) requirements for SDP users in your account.

Overview of SDP Client Authentication Policy

The Authentication policy defines how SDP users authenticate to your account: MFA, single sign-on (SSO), or username and password. In addition, you can choose the end-user authentication experience using the in-Client browser or the external default OS browser.

Setting the Browser Authentication for the Account

For Windows and macOS Clients, you can use either the in-Client browser or the external default OS browser for authentication. The default setting is the In-Client Browser, which provides the best end-user experience: MFA and SSO authentication is completed inside the Client, which then seamlessly connects the device to the Cato Cloud.

Sometimes the network configuration of an account doesn't support the in-Client browser. In these cases, you can set your account to use the external default OS browser for the device. The end user starts the connection in the Client and then authenticates to the Cato Cloud with the OS browser.

The in-Client browser is supported on Windows and macOS Client versions 5.0 and higher.

The external default OS browser is supported on Windows Client version 5.2 and higher, and macOS Client version 5.1.

To set the Client browser authentication for the account:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Authentication section.

  3. In Browser Authentication, select one of these options for Windows or macOS:

    • In-Client Browser - SDP users authenticate to your account within the Client

    • External Browser - SDP users authenticate to your account with the OS browser

  4. Click Save.

Configuring the MFA Authentication Policy for All Users

Use the Authentication screen to define the authentication policy for remote users in your account that connect with the Cato Client. These are the authentication options:

  • MFA - SDP users must authenticate using a code they receive from an SMS or an authenticator app (according to RFC-6238 for MFA)

  • SSO - SDP users authenticate with SSO using the Identity Provider (IdP) configured for your account

  • User Name and Password - SDP users authenticate with the username and password for the Client (no MFA requirements)

You can also override the MFA policy for individual SDP users; see Overriding Authentication Settings for Specific Users below.

If you are using Directory Services and you need to modify an SDP user's mobile phone number for advanced authentication, you must modify the phone number only in the IdP.

Note: Multi-Factor Authentication (MFA) and Single Sign-On (SSO) are NOT supported for users that are provisioned with a registration code.

Working with Token Validity Settings

The effect of the Token Validity > Duration option depends on whether the device running the Cato Client is "trusted", as follows:

  • If the user enabled trust for the device running the Cato Client (by selecting the Don't ask me again on this device/computer option on the Client when connecting to the Cato Cloud), then MFA is not required as long as the duration is still valid and the geolocation has not changed to a different country

  • If the user did not enable trust for the device running the Cato Client (by clearing the Don't ask me again on this device/computer option on the Client when connecting to the Cato Cloud), the duration setting has no effect and MFA is always required on this device
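
The rule above can be written as a small decision function, which helps when checking whether a given connection should have prompted for MFA. This is an added example, not Cato code: the `DeviceState` structure, the event tuples, and the choice to compare the country against the one seen at the last MFA are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class DeviceState:
    """What this model remembers about one device (hypothetical structure)."""
    trusted: bool = False                # "Don't ask me again on this device/computer"
    last_mfa: Optional[datetime] = None  # time of the last completed MFA
    last_country: Optional[str] = None   # country seen at that MFA (assumption)

def mfa_required(state, now, country, duration):
    """Return (required, reason) for one connection under Token Validity > Duration."""
    if not state.trusted:
        return True, "device not trusted"      # duration setting has no effect
    if state.last_mfa is None or now - state.last_mfa >= duration:
        return True, "duration expired"
    if country != state.last_country:
        return True, "country changed"
    return False, "trusted, within duration"

def replay(events, duration):
    """Replay (time, country, trust_box) events for one device, oldest first."""
    state, decisions = DeviceState(), []
    for when, country, trust_box in events:
        required, reason = mfa_required(state, when, country, duration)
        decisions.append((required, reason))
        if required:
            # The user completes MFA and sets or clears the trust option.
            state = DeviceState(trust_box, when, country)
    return decisions

# Constructed sample: one device, Duration set to 24 hours.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    (T0,                       "DE", True),   # first connection
    (T0 + timedelta(hours=2),  "DE", True),   # same country, within duration
    (T0 + timedelta(hours=5),  "FR", True),   # different country
    (T0 + timedelta(hours=20), "FR", True),   # 15 h after the last MFA
    (T0 + timedelta(hours=30), "FR", False),  # 25 h after; user clears trust
    (T0 + timedelta(hours=31), "FR", False),  # device is no longer trusted
]

if __name__ == "__main__":
    for (when, country, _), (required, reason) in zip(
            SAMPLE_EVENTS, replay(SAMPLE_EVENTS, timedelta(hours=24))):
        print(when.isoformat(), country, "MFA" if required else "skip", reason)
```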

To configure the MFA policy for remote users:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Authentication section.

  3. In the Method drop-down list, select MFA.

  4. Configure the General settings for the MFA policy:

    1. In Mode, select the MFA behavior:

      • Enabled - MFA is required to connect.

      • User selection - SDP users can configure specific MFA settings in the Cato Networks User Portal.

    2. Select the Authentication Method for the policy:

      • Any - Each user selects the authentication method for themselves

      • Authenticator - Users must use an authentication app (such as Google Authenticator)

      • SMS - Users are sent an SMS text message with an authentication code

  5. In the Token validity section, select the behavior for the MFA token in the Client:

    • Always Prompt - MFA is required whenever the user connects.

      Logged-in users must reauthenticate once the duration you define in Days or Hours has passed since they last logged in.

    • Duration - Users do not require MFA for the duration you define in Days or Hours.

  6. Click Save.

Overriding Authentication Settings for Specific Users

You can customize different authentication settings for specific users and override the global authentication policy. Edit a user and then use the Authentication screen to customize the authentication method for that user.

To override the global authentication settings for a specific user:

  1. From the navigation menu, click Access > Users.

  2. Select the user, and from the navigation menu select User Settings > Authentication.

  3. Select Override account Authentication settings.

  4. Select the authentication Method for the user.

  5. Configure the authentication settings for this user.

  6. Click Save.

Resetting MFA for a User

You can reset the MFA settings for a user when necessary, such as when the user installs the Client on a new device.

To reset the MFA settings for a user:

  1. From the navigation menu, click Access > Users.

  2. In the User list, select the check box next to the user's name.

  3. From the Actions drop-down menu, select Reset MFA.

  4. In the confirmation window, click OK.

  5. The user receives an e-mail with a link to the Cato User Portal. After signing in to the portal, the user will need to activate MFA settings for the device.
