This article explains how to use Device Authentication to control which physical devices are allowed to use the Cato Client to connect to your account.
Note: Device Authentication is not available for accounts created after April 14, 2024 and will be declared End of Life from September 30, 2024. To control certified corporate devices, use the enhanced functionality of the Client Connectivity Policy.
Users can install the Cato Client on personal and corporate devices and use it to connect to the account. Using Device Authentication, you can restrict remote access on devices based on specific certificates. A computer or device can only connect to the Cato Cloud if this certificate is installed. When this certificate is not installed, the computer or device can't authenticate and access is blocked.
You can also choose to block all devices based on the operating system.
Notes:
- Only PEM certificates are supported.
- You can upload a maximum of five certificates for your account.
- The maximum supported file size for a certificate is 4096 bytes.
This section is a sample high-level workflow for a device that attempts to authenticate to a PoP in the Cato Cloud. This sample account is configured to only require device certificates for the Windows operating system.
- The signing certificate for the corporate devices is uploaded to the Cato Management Application.
- A Windows computer uses the Cato Client to attempt to connect to the Cato Cloud.
- The Client verifies that the device certificate on the computer is valid.
- The PoP asks the Client to authenticate based on the certificate.
- The PoP compares the device certificate to the signing certificate for the account.
- The certificates match and the computer is allowed to connect to the Cato Cloud.
If the certificates don't match, then the connection is blocked and the computer can't connect to the Cato Cloud.
When you enable Device Authentication for an operating system (for blocking or to require a certificate), we strongly recommend that you make sure that all devices are upgraded to the minimum supported Client version. For earlier (unsupported) Client versions:
- Windows OS (block or require certificate) - no message is shown to the user, and the Client continuously tries to connect to the VPN.
- macOS, iOS, Android, and Linux (block) - users are shown a message that says this device is blocked from the network (for example, connecting from this OS is forbidden).
- macOS and iOS (require certificate) - users are shown a message that says the network access is blocked for the device (for example, Access denied).
For more information on which Client versions support Device Authentication, see Access Features per Client OS and Version.
For example, a macOS computer has the correct certificate installed but is using macOS Client v4.1 (an unsupported version). If Device Authentication is enabled for macOS to require a certificate, the computer can't connect to the VPN and the user sees a message that says the network access is blocked for the device. The computer can connect to the VPN when it is using macOS Client v4.4 or higher.
You can't enable Device Authentication to block an OS and the Always On feature for the same Client OS. Before you implement Device Authentication to block an OS, verify that the Always On settings are disabled for the account in the Always On section (Access > Client Access).
Upload signing certificates to the Device Authentication section in the Cato Management Application. You can then define the operating systems that authenticate to the Cato Cloud based on the certificate.
The Device Authentication section shows the signing certificates (Root CA and the intermediate CA) that you uploaded to the Cato Management Application. All uploaded certificates are first verified that they are valid and then they are added to the account.
For accounts with more than one signing certificate, the device is authenticated against the first uploaded signing certificate that matches its device certificate.
To upload a signing certificate to your account:
- From the navigation menu, click Access > Client Access.
- Expand the Device Authentication section.
- In the Device certificates section, click New. The Add Certificate panel opens.
- Enter a Name for the certificate.
- Click Upload Certificate.
- Browse to the directory with the signing certificate and click Open. The certificate is added to your account.
- Select the certificate and click Open. The certificate is added.
- Click Save. The signed certificate is saved to your account.
You can upload a maximum of five certificates for your account.
Select one or more operating systems that require a device certificate to connect to your account with the Cato Client. This is the default global setting for the account and it applies to all devices and computers for that operating system.
You can override this setting for specific users; see Configuring Device Authentication Settings for Users below.
To define the operating systems that require a certificate to connect to the Cato Cloud:
- From the navigation menu, click Access > Client Access.
- Expand the Device Authentication section.
- In Operating systems that require a certificate, start typing or select the operating systems that require a device certificate.
- Click Save.
You can disable, re-enable, or delete signing certificates that are no longer used for your account.
The Device Authentication section in the Global Settings lets you block remote access to your account for specific VPN Client operating systems. When a device or computer running a blocked operating system tries to use the Client to connect to your account, the PoP in the Cato Cloud blocks the connection.
You can override the default settings for blocked operating systems and required device certificates for specific users. When you configure the Device Authentication settings for a user, the default settings are ignored.
You must upload the signing certificate to the Cato Management Application before you can require a device certificate for a user; see Uploading the Certificate to the Cato Management Application above.
To configure the Device Authentication settings for a user:
- From the navigation menu, click Access > Users and select a user.
- From the navigation menu, click User Settings > Device Authentication.
- Select Override account Device Authentication settings.
- In Blocked operating systems, configure the operating systems that are blocked for this user. If no blocked operating systems are selected, this user can use any Client operating system to connect to the account.
- In Operating systems that require a certificate, configure the operating systems that require a certificate. If no operating systems are selected, then this user doesn't require a signing certificate to connect to your account.
- Click Save. The Device Authentication settings are configured for the user.
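The override semantics matter more than they look: a user override replaces the account defaults rather than adding to them, so a user with the override selected and nothing chosen can connect from any OS without a certificate. The following Go program is an added example (not Cato's code; the `ClientAccess`, `OSPolicy` and `Decision` names and the sample users are assumptions) that evaluates the account default, the per-user override, and the Always On conflict described above.

```go
package main

import "fmt"

// OSPolicy is one set of Device Authentication selections: operating systems that are blocked outright and
// operating systems that must present a device certificate to connect.
type OSPolicy struct {
	Blocked     map[string]bool
	RequireCert map[string]bool
}

// ClientAccess models the relevant account settings (names are assumptions): the global default policy, which
// operating systems have Always On enabled, and per-user overrides, present only for users who selected
// "Override account Device Authentication settings".
type ClientAccess struct {
	Default      OSPolicy
	AlwaysOn     map[string]bool
	UserOverride map[string]OSPolicy
}

// Decision is the outcome for a connection attempt before any certificate is examined.
type Decision int

const (
	Allow            Decision = iota // connect without a device certificate
	AllowIfCertValid                 // connect only with a valid device certificate
	Block                            // this OS is blocked for the user
)

func (d Decision) String() string { return []string{"allow", "allow-if-cert-valid", "block"}[d] }

// Validate rejects the combination the article says is not allowed: blocking an OS while Always On is enabled for it.
func (c ClientAccess) Validate() error {
	for osName := range c.Default.Blocked {
		if c.Default.Blocked[osName] && c.AlwaysOn[osName] {
			return fmt.Errorf("disable Always On for %s before blocking it with Device Authentication", osName)
		}
	}
	return nil
}

// Decide evaluates a connection attempt by user from a Client on the given OS. A user override replaces the
// account defaults entirely (they are ignored, not merged): an override with nothing selected allows every OS
// without a certificate, even if the account default blocks or requires a certificate for that OS.
func (c ClientAccess) Decide(user, osName string) Decision {
	policy := c.Default
	if override, ok := c.UserOverride[user]; ok {
		policy = override
	}
	switch {
	case policy.Blocked[osName]:
		return Block
	case policy.RequireCert[osName]:
		return AllowIfCertValid
	default:
		return Allow
	}
}

func main() {
	// Constructed sample: Linux blocked, Windows requires a certificate, one contractor with an empty override.
	acct := ClientAccess{
		Default:      OSPolicy{Blocked: map[string]bool{"Linux": true}, RequireCert: map[string]bool{"Windows": true}},
		AlwaysOn:     map[string]bool{},
		UserOverride: map[string]OSPolicy{"contractor": {}},
	}
	fmt.Println(acct.Validate(), acct.Decide("alice", "Windows"), acct.Decide("alice", "Linux"), acct.Decide("contractor", "Linux"))
}
```

When auditing user overrides, the empty-override case is the one to look for: it is the only way a user ends up with fewer restrictions than the account default.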
Cato lets you upload the public keys of your organization's trusted certificates to your account in the Cato Management Application. If a public key has expired, the PoP allows the connection only if the certificate authority signed the device certificate before that public key expired.
- The red icon on the right side of the certificate indicates an expired certificate.
- The yellow warning icon indicates a certificate that is about to expire within the next 30 days.
Cato generates alerts for an expiring public key:
- 30 days before the public key is going to expire
- On the expiration date for the certificate
For the device certificates, Cato doesn’t allow a Client to connect with an expired certificate. If a user tries to connect with an expired device certificate, the Client notifies the PoP that the certificate has expired, and the connection is blocked.
The PoP verifies that the certificate is valid and then permits the connection for Clients.
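The following Go program is an added example, not Cato's code, that models the checks described in the sample workflow earlier in this article and the expiry rules in this section, using only the standard library's crypto/x509. The `Account`, `UploadSigningCert`, `Authorize` and `MakeCert` names are assumptions, and the certificates are generated in-process as constructed test material. It enforces the upload limits (PEM only, 4096 bytes, five signing certificates), tries the uploaded signing certificates in order and stops at the first that verifies the device certificate, blocks an expired device certificate, accepts an expired signing certificate only when it was still valid at the time it signed the device certificate, and reports a device certificate that expires within the next 30 days.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Upload limits stated in the article: PEM only, 4096 bytes per file, five signing certificates per account.
const maxSigningCerts, maxCertBytes = 5, 4096

// Account holds the signing certificates (root or intermediate CAs) uploaded for the account, in upload order.
type Account struct{ Signing []*x509.Certificate }

// UploadSigningCert applies the upload rules and checks that the file parses before adding it to the account.
func (a *Account) UploadSigningCert(pemBytes []byte) error {
	if len(pemBytes) > maxCertBytes {
		return fmt.Errorf("certificate is %d bytes, limit is %d", len(pemBytes), maxCertBytes)
	}
	if len(a.Signing) >= maxSigningCerts {
		return errors.New("account already has the maximum of five signing certificates")
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("only PEM certificates are supported")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("certificate is not valid: %w", err)
	}
	a.Signing = append(a.Signing, cert)
	return nil
}

// Authorize models the PoP decision for a device certificate presented at time now: the name of the first
// signing certificate that verifies it, a warning if it expires within 30 days, or the reason it is blocked.
func (a *Account) Authorize(devicePEM []byte, now time.Time) (issuer, warning string, err error) {
	block, _ := pem.Decode(devicePEM)
	if block == nil {
		return "", "", errors.New("device certificate is not PEM")
	}
	dev, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", "", err
	}
	if now.After(dev.NotAfter) { // an expired device certificate is always blocked
		return "", "", fmt.Errorf("expired certificate: device certificate expired on %s", dev.NotAfter.Format(time.RFC3339))
	}
	if dev.NotAfter.Sub(now) <= 30*24*time.Hour {
		warning = "device certificate expires within 30 days"
	}
	for _, ca := range a.Signing { // the first signing certificate that matches wins
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		// Verify at the device certificate's NotBefore: a signing certificate that has since expired is still
		// accepted if it was valid when it signed the device certificate (the article's rule for expired keys).
		opts := x509.VerifyOptions{Roots: pool, CurrentTime: dev.NotBefore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, verr := dev.Verify(opts); verr == nil {
			return ca.Subject.CommonName, warning, nil
		}
	}
	return "", "", errors.New("bad issuer: no uploaded signing certificate verifies the device certificate")
}

// MakeCert issues constructed test material: a self-signed signing certificate when parent is nil, otherwise a
// device (client authentication) certificate signed by parent. P-256 key generation does not fail in practice.
func MakeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore,
		NotAfter: notAfter, BasicConstraintsValid: true, IsCA: parent == nil, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed signing certificate
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	ca, caKey, caPEM := MakeCert("Corp Root CA", nil, nil, now.Add(-24*time.Hour), now.Add(365*24*time.Hour))
	acct := &Account{}
	fmt.Println("upload:", acct.UploadSigningCert(caPEM))
	_, _, devPEM := MakeCert("laptop-01", ca, caKey, now.Add(-time.Hour), now.Add(300*24*time.Hour))
	issuer, warning, err := acct.Authorize(devPEM, now)
	fmt.Println("issuer:", issuer, "warning:", warning, "err:", err)
}
```

Verification runs at the device certificate's NotBefore time to express the article's rule about expired signing keys. A standard TLS stack verifies the whole chain at the current time and would reject the expired CA, so treat this as a model of the stated behaviour rather than a drop-in validator; in practice a signing certificate close to expiry should be rotated well before the 30-day alert, since every device certificate it issued stops being renewable once it expires.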
The Event Discovery window shows these events with the certificate expiration date.
The Events screen (Monitoring > Events) helps you monitor the events for expired certificates. When the Cato Client successfully connects with a device certificate, Cato generates an event with the following information:
- Client Cert Name – the device certificate name used for the connection
- Client Cert Expires – the expiration date of the device certificate
For failed connection events, the failure reason is described in the event message. Connection failures can be caused by a bad issuer or an expired certificate.
The Events screen provides two new event filter presets to help you monitor Device Authentication:
- Client certificate about to expire
- Client authentication issue
1. The Client certificate about to expire filter
You can select this preset to show all the successful connection events that are related to a device certificate that is about to expire within the next 30 days.
Note: Cato doesn’t generate a separate event for certificates that are about to expire.
The following screenshot shows a sample of the Event Discovery window when the Client certificate about to expire is applied:
2. The SDP authentication issue filter
This preset is not specifically for connecting with device certificate-based authentication, it shows all the failed connection events.
The following screenshot shows a sample of the Event screen when the SDP authentication issue filter is applied:
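Because no separate event is generated for an expiring certificate, the "about to expire" preset is derived from successful connection events and their Client Cert Expires value. The following Go program is an added example (not Cato's code or event format; the key=value line format and the `client_cert_name` and `client_cert_expires` keys are constructed stand-ins for the Client Cert Name and Client Cert Expires fields) that reproduces both presets over a constructed log excerpt: the 30-day expiry filter on successful connections, and a count of failed connections by the reason in the event message.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is the subset of a Client connection event used here. The key=value line format and the key names are
// constructed for this example and stand in for the article's Client Cert Name and Client Cert Expires fields.
type Event struct {
	Time     time.Time
	User     string
	Success  bool
	CertName string
	Expires  time.Time // zero when the event carries no device certificate
	Reason   string    // failure reason from the event message (constructed values: bad_issuer, expired_certificate)
}

// ParseEvent reads one constructed key=value event line; a field without "=" is treated as malformed.
func ParseEvent(line string) (Event, error) {
	kv := map[string]string{}
	for _, field := range strings.Fields(line) {
		parts := strings.SplitN(field, "=", 2)
		if len(parts) != 2 {
			return Event{}, fmt.Errorf("malformed field %q", field)
		}
		kv[parts[0]] = parts[1]
	}
	ts, err := time.Parse(time.RFC3339, kv["time"])
	if err != nil {
		return Event{}, fmt.Errorf("bad time: %w", err)
	}
	e := Event{Time: ts, User: kv["user"], Success: kv["result"] == "success", CertName: kv["client_cert_name"], Reason: kv["reason"]}
	if exp := kv["client_cert_expires"]; exp != "" {
		if e.Expires, err = time.Parse("2006-01-02", exp); err != nil {
			return Event{}, fmt.Errorf("bad expiry: %w", err)
		}
	}
	return e, nil
}

// ParseAll parses every line, stopping at the first malformed one so a broken feed is noticed rather than skipped.
func ParseAll(lines []string) ([]Event, error) {
	events := make([]Event, 0, len(lines))
	for _, l := range lines {
		e, err := ParseEvent(l)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return events, nil
}

// AboutToExpire reproduces the "Client certificate about to expire" preset: successful connections whose device
// certificate expires within 30 days of the event time. There is no separate expiring-certificate event to look for.
func AboutToExpire(events []Event) []Event {
	var out []Event
	for _, e := range events {
		if e.Success && !e.Expires.IsZero() && e.Expires.Sub(e.Time) <= 30*24*time.Hour {
			out = append(out, e)
		}
	}
	return out
}

// FailuresByReason reproduces the authentication-issue preset, which lists every failed connection, and counts
// the failures by the reason given in the event message.
func FailuresByReason(events []Event) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		if !e.Success {
			counts[e.Reason]++
		}
	}
	return counts
}

// SampleEvents is a constructed log excerpt, not output from the Cato Management Application.
var SampleEvents = []string{
	"time=2024-05-01T08:00:00Z user=alice result=success client_cert_name=laptop-01 client_cert_expires=2024-05-20",
	"time=2024-05-01T08:05:00Z user=bob result=success client_cert_name=laptop-02 client_cert_expires=2025-01-15",
	"time=2024-05-01T08:07:00Z user=carol result=failure reason=expired_certificate",
	"time=2024-05-01T08:09:00Z user=dave result=failure reason=bad_issuer",
	"time=2024-05-01T08:12:00Z user=erin result=failure reason=expired_certificate",
}

func main() {
	events, err := ParseAll(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, e := range AboutToExpire(events) {
		fmt.Printf("%s: %s expires %s\n", e.User, e.CertName, e.Expires.Format("2006-01-02"))
	}
	for reason, n := range FailuresByReason(events) {
		fmt.Printf("failures[%s]=%d\n", reason, n)
	}
}
```

The failure count by reason is the useful triage view: a burst of bad_issuer failures after a signing certificate change points at devices still carrying certificates from the old CA, while expired_certificate failures are devices that missed renewal.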
1 comment
How can we validate that a client has successfully connected via device authentication with a specific certificate?