Controlling Certified Corporate Devices (Device Authentication)

This article explains how to use Device Authentication to control which physical devices are allowed to use the Cato Client to connect to your account.

Note

Note: Device Authentication is not available for accounts created after April 14, 2024 and will be declared End of Life from September 30, 2024 . To control certified corporate devices, use the enhanced functionality of the Client Connectivity Policy.

Overview of Device Authentication

Users can install the Cato Client on personal and corporate devices and use it to connect to the account. Using Device Authentication, you can restrict remote access on devices based on specific certificates. A computer or device can only connect to the Cato Cloud if this certificate is installed. When this certificate is not installed, the computer or device can't authenticate and access is blocked.

You can also choose to block all devices based on the operating system.

Note

Notes:

  • Only PEM certificates are supported.

  • You can upload a maximum of five certificates for your account.

  • The maximum supported file size for a certificate is 4096 bytes.

Device Authentication Workflow

This section is a sample high-level workflow for a device that attempts to authenticate to a PoP in the Cato Cloud. This sample account is configured to only require device certificates for the Windows operating system.

  1. The signing certificate for the corporate devices is uploaded to the Cato Management Application.

  2. A Windows computer uses the Cato Client to attempt to connect to the Cato Cloud.

  3. The Client verifies that the device certificate on the computer is valid.

  4. The PoP asks the Client to authenticate based on the certificate.

  5. The PoP compares the device certificate to the signing certificate for the account.

  6. The certificates match and the computer is allowed to connect to the Cato Cloud.

    If the certificates don't match, then the connection is blocked and the computer can't connect to the Cato Cloud.

Implementing Device Authentication

When you enable Device Authentication for an operating system (for blocking or to require a certificate), we strongly recommend that you make sure that all devices are upgraded to the minimum supported Client version. For earlier (unsupported) Client versions:

  • Windows OS (block or require certificate) - no message is shown to the user, and the Client continuously tries to connect to the VPN

  • macOS, iOS, Android, and Linux (block) - users is shown a message that says this device is blocked from the network (for example, connecting from this OS is forbidden)

  • macOS and iOS (require certificate) - users are shown a message that says the network access is blocked for the device (for example, Access denied)

For more information on which Client version support Device Authentication, see Access Features per Client OS and Version.

For example, a macOS computer has the correct certificate installed and is using macOS Client v4.1 (an unsupported version). Device Authentication is enabled for macOS to require a certificate, the computer can't connect to the VPN and the user sees a message hat says the network access is blocked for the device. The computer can connect to the VPN when it is using the macOS Client v4.4 or higher.

Device Authentication and the Always On Feature

You can't enable Device Authentication to block an OS and the Always On feature for the same Client OS. Before you implement Device Authentication to block an OS, verify that the Always On settings are disabled for the account in the Always On section (Access > Client Access):

Using Certificates to Manage Device Access

Upload signing certificates to the Device Authentication section in the Cato Management Application. You can then define the operating systems that authenticate to the Cato Cloud based on the certificate.

Uploading the Certificate to the Cato Management Application

The Device Authentication section shows the signing certificates (Root CA and the intermediate CA) that you uploaded to the Cato Management Application. All uploaded certificates are first verified that they are valid and then they are added to the account.

uploadcertificate.png

For accounts with more than one signing certificate, the device authenticates with the first certificate that matches the signing certificate.

To upload a signing certificate to your account:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Device Authentication section.

  3. In the Device certificates section, click New.

    The Add Certificate panel opens.

  4. Enter a Name for the certificate.

  5. Click Upload Certificate.

  6. Browse to the directory with the signing certificate and click Open. The certificate is added to your account.

  7. Select the certificate and click Open. The certificate is added.

  8. Click Save. The signed certificate is saved to your account.

    You can upload a maximum of five certificates for your account.

Defining Operating Systems that Require a Certificate

Select one or more operating systems that require a device certificate to connect to your account with the Cato Client. This is the default global setting for the account and it applies to all devices and computers for that operating system.

You can choose to override this setting for specific users, see below Configuring Device Authentication Settings for Users.

To define the operating systems that require a certificate to connect to the Cato Cloud:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Device Authentication section.

  3. In Operating systems that require a certificate, start typing or select the operating systems that require a device certificate.

  4. Click Save.

Managing Certificates

You can disable, re-enable, or delete signing certificates that are no longer used for your account.

To disable, re-enable, or delete certificates from Device Authentication:

  1. In the Certificates section, select one or more certificates.

  2. Expand the Device Authentication section.

  3. Click Delete.png

  4. Click on the action you want to take
  5. Click Save. The signing certificate is deleted from your account.

Blocking Remote Access for an Operating System

The Device Authentication section in the Global Settings lets you block remote access to your account for specific VPN Client operating system. When the device or computer tries to use the Client to connect to your account, the PoP in the Cato Cloud blocks the connection.

To block remote access for an operating system:

  1. From the navigation menu, click Access > Client Access.

  2. Expand Device Authentication section.

  3. In the Blocked operating systems section, select the operating systems that are blocked from accessing your account with the Cato Client.

  4. Click Save.

Configuring Device Authentication Settings for Users

You can override the default settings for blocked operating systems and required device certificates for specific users. When you configure the Device Authentication settings for a user, the default settings are ignored.

You must upload the signing certificate to the Cato Management Application before you can require a device certificate for a user, see above Uploading the Certificate to the Cato Management Application.

To configure the Device Authentication settings for a user:

  1. From the navigation menu, click Access > Users and select a user.

  2. From the navigation menu, click User Settings > Device Authentication.

  3. Select Override account Device Authentication settings.

  4. In Blocked operating systems, configure the operating systems that are blocked for this user. If no blocked operating systems are selected, this user can use any Client operating system to connect to the account.

  5. In Operating systems that require a certificate, configure the operating systems that require a certificate. If no operating systems are selected, then this user doesn't require a signing certificate to connect to your account.

  6. Click Save. The Device Authentication settings are configured for the user.

Handling Expired Certificates

Cato lets you upload the public keys of the corporate's trusted certificates to your account in the Cato Management Application. If a public key has expired, the PoP allows the connection only if the authority signed the device certificate before it has expired.

  • The red icon on the right side of the certificate indicates on an expired certificate.

  • The yellow warning icon indicates on a certificate that is about to expire within the next 30 days.

Cato generates alerts for an expiring public key:

  • 30 days before the public key is going to expire

  • On the expiration date for the certificate

For the device certificates, Cato doesn’t allow a Client to connect with an expired certificate. If a user tries to connect with an expired device certificate, the Client notifies the PoP that the certificate has expired, and the connection is blocked.

The PoP verifies that the certificate is valid and then permits the connection for Clients.

The Event Discovery window shows these events with the certificate expiration date.

Analyzing Certificate Events

The Events screen (Monitoring > Events) helps you monitor the events for expired certificates. When the Cato Client successfully connects with a device certificate, Cato generates an event with the following information:

  • Client Cert Name – the device certificate name used for the connection

  • Client Cert Expires – the expiration date of the device certificate

For failed connection events, the failure reason is described in the event message. Connection failures can be caused by a bad issuer or an expired certificate.

Filtering Events with Predefined Filters

The Events screen provides two new event filter presets to help you monitor Device Authentication:

  1. Client certificate about to expire

  2. Client authentication issue

1. The Client certificate about to expire filter

You can select this preset to show all the successful connection events that are related to a device certificate that is about to expire within the next 30 days.

Note: Cato doesn’t generate a separate event for certificates that are about to expire.

The following screenshot shows a sample of the Event Discovery window when the Client certificate about to expire is applied:

04_expired.png

2. The SDP authentication issue filter

This preset is not specifically for connecting with device certificate-based authentication, it shows all the failed connection events.

The following screenshot shows a sample of the Event screen when the SDP authentication issue filter is applied:

05_ED.png

Was this article helpful?

3 out of 3 found this helpful

1 comment

  • Comment author
    Permanently deleted user

    How can we validate that a client has successfully connected via device authentication with a specific certificate?

Add your comment