This article explains how to configure the provisioning and authentication method for new Cato Client users.
The Cato Management Application lets you choose how to provision the Cato Client for new remote users. New users install the Cato Client on their computer or device, and then register and activate the Client to start using the VPN for your network. These are the provisioning methods for new users:
- Invitation email - Users log in to the MyVPN User Portal to register the Cato Client by themselves
- Registration code - Users enter a one-time code to automatically register the Cato Client
The User Provisioning settings are for the entire account, and are applied to all SDP users.
The default User Provisioning behavior for the account is to use an invitation email for new users with a link to the User Portal. The user installs the Client, and then goes to the portal to create a password and activate their account. The email also contains the details for the account and the username. For more about using the User Portal, see
The User Provisioning section lets you configure whether or not to automatically send the invitation email when an SDP user is created. There are separate settings for users that you create manually in the Cato Management Application, and for users that Directory Services creates automatically.
Note: For accounts that use Single Sign-On (SSO) for SDP users, disable the invitation email settings to let users authenticate with SSO and activate their Cato SDP user account. Otherwise, if you don’t change the default setting for User Provisioning invitation emails, the new users must log in to the User Portal to activate their accounts. For more about SSO providers with Cato, see Using an Identity Provider for Your Cato Account.
To configure the invitation email settings for the MyVPN portal:
- From the navigation menu, click Access > Directory Services.
- Click the User Provisioning tab or section.
- Set the provisioning Method to Invitation Email.
- Enable one or more of the following options:
  - Send invitations to new SDP users created in the Cato Management Application
  - Send invitations to new SDP users imported with Directory Services
  - Send email notifications to SDP users that are disabled in the account
- Click Save. The settings for the invitation email method are configured.
The registration code method simplifies the provisioning process for new SDP users. Each user is assigned a one-time code that they use to register the Cato Client. Once the code is validated, the Cato Client is authenticated until an admin revokes the code or disables the SDP user in the Cato Management Application. Users can register multiple devices, with a separate code for each device.
You can also set how long the registration code is valid before it expires. Afterwards, the SDP user needs a new registration code to authenticate the Cato Client for that device. For security reasons, registration codes can be valid for a maximum of 7 days.

Note: Multi-Factor Authentication (MFA) is NOT supported for users that are provisioned with a registration code. Make sure that users in your account are not configured with MFA before you enable the registration code User Provisioning method.
This is a high-level overview of the process to implement the registration code to provision SDP users for your account. You can configure how long the registration code is valid before it expires. Once the code expires, it can't be used to authenticate the Cato Client. You then need to generate a new code for that user; see Generating a Registration Code for Specific Users below.
To implement provisioning all users with a registration code:
- From the navigation menu, click Access > Directory Services.
- Click the User Provisioning tab or section.
- Set the provisioning Method to Registration Code.
- In Registration Code expires after, set how long the code is valid (a value in either days or hours). The maximum allowed time is 7 days, and the setting applies to all new users.
- Download the registration codes and use an external solution to send the registration codes to the remote users.
This section explains how to generate and manage registration codes for the SDP users in your account. Each code is a combination of letters and numbers:
- Codes are NOT case sensitive
- To avoid confusion, the codes don't contain the following characters: 0, o, 1, I, L

You can also choose to send a code to new SDP users in the account that were NOT provisioned with the registration code method. Sending codes doesn't generate new codes for users that already have a code assigned to them.
When you use this feature to Generate Registration Code For New Users, the Cato Management Application generates codes for all SDP users that have never received a code. These users are new to the registration code provisioning method.
To generate a registration code for all new users:
- From the navigation menu, click Access > Client Access.
- Expand the User Provisioning section.
- Click Generate Registration Code For New Users.
- In the Warning confirmation window, click OK. A code is generated for all users that never had a code assigned to them.
Use the Cato Management Application to generate a registration code for specific users. For example, users that never had a code assigned to them, or a user whose code expired.
For users with multiple devices, for example laptop and mobile device, each device requires a separate code. Use the Generate Registration Code option to create multiple codes for specific users.
To generate a registration code for specific users:
- From the navigation menu, click Access > Users.
- Select one or more users.
- Click Actions and then from the drop-down menu, click Generate registration code.
- In the confirmation window, click OK. A new code is generated for these users.
- From the navigation menu, click Access > Directory Services.
- Click the User Provisioning tab or section.
- Click Download Registration Codes, and save the CSV file. The new registration code is included in the file.
You can download a CSV file that lists the registration codes for the SDP users. The file shows the following information for each user:
- First and last name
- Email address
- Registration code
Once downloaded, you can save the CSV file to a directory on your computer.
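Because the downloaded file is handed to an external solution for delivery, it is worth checking each row against the code rules above before anything is sent. The following is an added example, not Cato code; the header names `name`, `email` and `registration_code` and all sample rows are constructed assumptions, so map them to the headers in your actual export.

```python
import csv
import io

AMBIGUOUS = set("0O1IL")  # never present in a code, per the rules above (case-folded)

# Constructed sample; the header names are assumptions, not the real export's.
SAMPLE_CSV = """name,email,registration_code
Alice Ames,alice@example.com,K7M2QX9P
Bob Bell,bob@example.com,k7m2qx9p
Carol Cole,carol@example.com,H4RT0N8W
Dave Dunn,,T6YE3UZA
Erin Eads,erin@example.com,
"""

def check_code_csv(text):
    """Return {row_number: [problems]} for rows that should not be sent as-is."""
    problems = {}
    seen = {}  # normalized code -> first row that carried it
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        issues = []
        email = (row.get("email") or "").strip()
        # Codes are not case sensitive, so compare them upper-cased.
        code = (row.get("registration_code") or "").strip().upper()
        if not email:
            issues.append("no recipient address")
        if not code:
            issues.append("no code assigned")
        else:
            if not (code.isascii() and code.isalnum()):
                issues.append("not letters and numbers only")
            bad = sorted(AMBIGUOUS & set(code))
            if bad:
                # An excluded character means the value was retyped or altered.
                issues.append("contains excluded characters: " + "".join(bad))
            if code in seen:
                issues.append(f"same code as row {seen[code]}")
            seen.setdefault(code, row_no)
        if issues:
            problems[row_no] = issues
    return problems
```

Row numbers count the header as row 1, so they match what a spreadsheet shows.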
You can use the Reset Password menu option to revoke registration codes and reset VPN access to your network for SDP users.
After you generate a new code for a user and it is successfully entered, the user is authenticated again to the Cato Client.
Note: When revoking a user's registration code, as detailed below, new registration codes are not automatically generated. Select Generate invitation code from the Actions drop-down menu to generate a new code.
The Event Discovery window shows all the Registration Code events for your account. The search tools let you drill down and identify the few events that contain the relevant data that you need.
You can learn more about using the Events screen in Analyzing Events in Your Network.
These are actions for the Registration Code event sub type:
| Name | Description |
|---|---|
| Generated | Registration code generated for a specific user |
| Used | Registration code is used to authenticate a user |
| Revoked | Registration code is revoked and no longer valid for the user |
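The three actions can be reconciled per user to list codes that were generated but never used, and Used events that do not line up with a valid code. This is an added example, not Cato code: the record fields `time`, `user` and `action` and all sample events are constructed assumptions, as are the rules that a revocation clears all of a user's codes and that a Used event consumes the oldest valid one.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumptions; map them from
# whatever your event export actually provides.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@example.com", "action": "Generated"},
    {"time": "2024-05-01T10:30:00", "user": "alice@example.com", "action": "Used"},
    {"time": "2024-05-01T09:00:00", "user": "bob@example.com", "action": "Generated"},
    {"time": "2024-05-02T08:00:00", "user": "bob@example.com", "action": "Revoked"},
    {"time": "2024-05-02T08:05:00", "user": "bob@example.com", "action": "Used"},
    {"time": "2024-05-03T12:00:00", "user": "carol@example.com", "action": "Generated"},
    {"time": "2024-05-01T09:00:00", "user": "dave@example.com", "action": "Generated"},
]

def audit_registration_events(events, validity, now):
    """Return sorted (user, finding) pairs for Registration Code events."""
    live = {}  # user -> generation times of codes not yet used or revoked
    findings = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        codes = live.setdefault(ev["user"], [])
        if ev["action"] == "Generated":
            codes.append(when)
        elif ev["action"] == "Revoked":
            codes.clear()  # assumption: revocation invalidates all of the user's codes
        elif ev["action"] == "Used":
            valid = [t for t in codes if when - t <= validity]
            if valid:
                codes.remove(valid[0])  # assumption: oldest valid code is consumed
            else:
                # No unexpired, unrevoked code explains this event: investigate.
                findings.add((ev["user"], "used-without-valid-code"))
    for user, codes in live.items():
        for t in codes:
            state = "unused-expired" if now - t > validity else "unused-still-valid"
            findings.add((user, state))
    return sorted(findings)
```

Pass the expiry configured in Registration Code expires after as `validity`. An `unused-still-valid` finding is a code that still grants registration without MFA and is a candidate for revocation if the user no longer needs it.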