Cato Networks Knowledge Base

Configuring User Provisioning for Cato Clients

This article explains how to configure the provisioning and authentication method for new Cato Client users.

Overview of User Provisioning

The Cato Management Application lets you choose how to provision the Cato Client for new remote users. New users install the Cato Client on their computer or device, and then register and activate the Client to start using the VPN for your network. These are the provisioning methods for new users:

  • Invitation email - Users log in to the MyVPN User Portal to register the Cato Client by themselves

  • Registration code - Users enter a one-time code to automatically register the Cato Client

The User Provisioning settings are for the entire account, and are applied to all SDP users.

Provisioning Users with an Invitation Email

The default User Provisioning behavior for the account is to use an invitation email for new users with a link to the User Portal. The user installs the Client, and then goes to the portal to create a password and activate their account. The email also contains the details for the account and the username. For more about using the User Portal, see

The User Provisioning section lets you configure whether or not to automatically send the invitation email when an SDP user is created. There are separate settings for users that you create manually in the Cato Management Application, and for users that Directory Services creates automatically.

In addition, you can define the behavior when you disable SDP users in the Cato Management Application, whether or not they receive an email notification that their SDP user account is disabled.

Note: For accounts that use Single Sign-On (SSO) for SDP users, disable the invitation email settings to let users authenticate with SSO and activate their Cato SDP user account. Otherwise, if you don’t change the default setting for User Provisioning invitation emails, the new users must log in to the User Portal to activate their accounts. For more about SSO providers with Cato, see Using an Identity Provider for Your Cato Account.

To configure the invitation email settings for the MyVPN portal:

  1. From the navigation menu, click Access > Directory Services.

  2. Click the User Provisioning tab or section.

  3. Set the provisioning Method to Invitation Email.

  4. Enable one or more of the following options:

    • Send invitations to new SDP users created in the Cato Management Application

    • Send invitations to new SDP users imported with Directory Services

    • Send email notifications to SDP users that are disabled in the account

  5. Click Save. The settings for the invitation email method are configured.

Provisioning Users with a Registration Code

The registration code method simplifies the provisioning process for new SDP users. Each user is assigned a one-time code that they use to register the Cato Client. Once the code is validated, the Cato Client is authenticated until an admin revokes the code or disables the SDP user in the Cato Management Application. Users can register multiple devices, with a separate code for each device.

You can also set the amount of time that the registration code is valid for until it expires. Afterwards, the SDP user needs a new registration code to authenticate the Cato Client for that device. For security reasons, registration codes can be valid for a maximum of 7 days.

Note: Multi-Factor Authentication (MFA) is NOT supported for users that are provisioned with a registration code. Make sure that users in your account are not configured with MFA before you enable the registration code User Provisioning method.

High-Level Overview of Implementing the Registration Code

This is a high-level overview of the process to implement the registration code to provision SDP users for your account. You can configure how long the registration code is valid before it expires. Once the code expires, it can't be used to authenticate the Cato Client, and you need to generate a new code for that user. See Generating a Registration Code for Specific Users below.

To implement provisioning all users with a registration code:

  1. From the navigation menu, click Access > Directory Services.

  2. Click the User Provisioning tab or section.

  3. Set the provisioning Method to Registration Code.

  4. In Registration Code expires after, set how long the code is valid, as a value in either days or hours. The maximum allowed time is 7 days, and the setting applies to all new users.

  5. Download the registration codes and use an external solution to send the registration codes to the remote users.

Managing Registration Codes

This section explains how to generate and manage registration codes for the SDP users in your account. Each code is a combination of letters and numbers:

  • Codes are NOT case sensitive

  • To avoid confusion, the codes don't contain the following characters: 0, o, 1, I, L

Generating Registration Codes for New Users

You can also choose to send a code to new SDP users in the account that were NOT provisioned with the registration code method. Sending codes doesn't generate new codes for users that already have a code assigned to them.

When you use this feature to Generate Registration Code For New Users, the Cato Management Application generates codes for all SDP users that have never received a code. These users are new to the registration code provisioning method.

To generate a registration code for all new users:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the User Provisioning section.

  3. Click Generate Registration Code For New Users.

  4. In the Warning confirmation window, click OK. A code is generated for all users that never had a code assigned to them.

Generating a Registration Code for Specific Users

Use the Cato Management Application to generate a registration code for specific users, for example users that never had a code assigned to them, or a user whose code expired.

For users with multiple devices, for example laptop and mobile device, each device requires a separate code. Use the Generate Registration Code option to create multiple codes for specific users.

To generate a registration code for specific users:

  1. From the navigation menu, click Access > Users.

  2. Select one or more users.

  3. Click Actions and then from the drop-down menu, click Generate registration code.

  4. In the confirmation window, click OK. A new code is generated for these users.

  5. From the navigation menu, click Access > Directory Services.

  6. Click the User Provisioning tab or section.

  7. Click Download Registration Codes, and save the CSV file.

    The new registration code is included in the file.

Downloading the Registration Codes

You can download a CSV file that lists the registration codes for the SDP users. The file shows the following information for each user:

  • First and last name

  • Email address

  • Registration code

Once downloaded, you can save the CSV file to a directory on your computer.

To download all the registration codes:

  1. From the navigation menu, click Access > Client Access.

  2. Click the User Provisioning tab or section.

  3. Click Download Registration Codes. The CSV file is downloaded to your computer.

Revoking Registration Codes

You can use the Reset Password menu option to revoke registration codes and reset VPN access to your network for SDP users.

After you generate a new code for a user and it is successfully entered, the user is authenticated again to the Cato Client.

Note: When revoking a user's registration code, as detailed below, new registration codes are not automatically generated. Select Generate invitation code from the Actions drop-down menu to generate a new code.

To revoke the registration codes:

  1. From the navigation menu, click Access > Users.

  2. Select one or more users.

  3. Click Actions and then from the drop-down menu, select Reset Password.

  4. In the confirmation window, click OK. The current codes are revoked for the users.

Analyzing Registration Code Events

The Event Discovery window shows all the Registration Code events for your account. Use the search tools to drill down and identify the few events that contain the data that you need.

You can learn more about using the Events screen in Analyzing Events in Your Network.

Explaining the Registration Code Events Discovery Actions

These are actions for the Registration Code event sub type:

Name - Description

  • Generated - Registration code generated for a specific user

  • Used - Registration code is used to authenticate a user

  • Revoked - Registration code is revoked and no longer valid for the user
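
One way to reconcile these three actions across exported events is sketched below as an added example, not Cato's own code. It reports codes that are still live but unredeemed, and Used events that no valid code explains. The field names (time, user, action) and the sample events are constructed assumptions rather than Cato's export schema, and the function assumes an event identifies the user but not the individual code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The field names (time, user, action) are
# hypothetical, not Cato's export schema; only the three action names
# (Generated, Used, Revoked) come from the article.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:00+00:00", "user": "alice@example.com", "action": "Generated"},
    {"time": "2024-03-01T09:30:00+00:00", "user": "alice@example.com", "action": "Used"},
    {"time": "2024-03-01T10:00:00+00:00", "user": "bob@example.com", "action": "Generated"},
    {"time": "2024-03-02T10:00:00+00:00", "user": "carol@example.com", "action": "Generated"},
    {"time": "2024-03-03T08:00:00+00:00", "user": "carol@example.com", "action": "Revoked"},
    {"time": "2024-03-03T08:05:00+00:00", "user": "carol@example.com", "action": "Used"},
    {"time": "2024-02-20T10:00:00+00:00", "user": "dave@example.com", "action": "Generated"},
    {"time": "2024-03-04T12:00:00+00:00", "user": "dave@example.com", "action": "Used"},
]


def audit_registration_codes(events, now, validity=timedelta(days=7)):
    """Replay events per user; return unredeemed live codes and unexplained uses."""
    pending = defaultdict(list)   # user -> expiry times of codes not yet used
    unexplained = []              # (user, time) of Used events with no valid code
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when, user = datetime.fromisoformat(ev["time"]), ev["user"]
        # Drop codes that had already expired when this event happened.
        pending[user] = [exp for exp in pending[user] if exp > when]
        if ev["action"] == "Generated":
            pending[user].append(when + validity)
        elif ev["action"] == "Revoked":
            pending[user].clear()         # revocation invalidates the user's codes
        elif ev["action"] == "Used":
            if pending[user]:
                pending[user].pop(0)      # assume the oldest live code was redeemed
            else:
                unexplained.append((user, when))
    unredeemed = {u: [e for e in exps if e > now] for u, exps in pending.items()}
    return {u: e for u, e in unredeemed.items() if e}, unexplained


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-03-05T00:00:00+00:00")
    live, odd = audit_registration_codes(SAMPLE_EVENTS, now)
    for user, expiries in live.items():
        print(f"{user}: {len(expiries)} unredeemed code(s), last expires {max(expiries)}")
    for user, when in odd:
        print(f"{user}: code used at {when} with no valid code on record")
```

Pass the expiry configured for the account as `validity`. The default of 7 days is the maximum the article allows.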
