Controlling Certified Corporate Devices (Device Authentication)

This feature is not available for accounts created after April 14, 2024. To control certified corporate devices, use the enhanced functionality of the Client Connectivity Policy.

Handling Expired Certificates

On the Access > Client Access > Signing certificates page, Cato lets you upload the public keys of the corporate's trusted certificates to your account in the Cato Management Application. If a public key has expired, the PoP allows the connection only if the authority signed the device certificate before it has expired.

  • The red icon on the right side of the certificate indicates on an expired certificate.

  • The yellow warning icon indicates on a certificate that is about to expire within the next 30 days.

Cato generates alerts for an expiring public key:

  • 30 days before the public key is going to expire

  • On the expiration date for the certificate

For the device certificates, Cato doesn’t allow a Client to connect with an expired certificate. If a user tries to connect with an expired device certificate, the Client notifies the PoP that the certificate has expired, and the connection is blocked.

The PoP verifies that the certificate is valid and then permits the connection for Clients.

The Event Discovery window shows these events with the certificate expiration date.

Analyzing Certificate Events

The Events screen (Home > Events) helps you monitor the events for expired certificates. When the Cato Client successfully connects with a device certificate, Cato generates an event with the following information:

  • Client Cert Name – the device certificate name used for the connection

  • Client Cert Expires – the expiration date of the device certificate

For failed connection events, the failure reason is described in the event message. Connection failures can be caused by a bad issuer or an expired certificate.

Filtering Events with Predefined Filters

The Events screen provides two new event filter presets to help you monitor Device Authentication:

  1. Client certificate about to expire

  2. Client authentication issue

1. The Client certificate about to expire filter

You can select this preset to show all the successful connection events that are related to a device certificate that is about to expire within the next 30 days.

Note: Cato doesn’t generate a separate event for certificates that are about to expire.

The following screenshot shows a sample of the Event Discovery window when the Client certificate about to expire is applied:

04_expired.png

2. The SDP authentication issue filter

This preset is not specifically for connecting with device certificate-based authentication, it shows all the failed connection events.

The following screenshot shows a sample of the Event screen when the SDP authentication issue filter is applied:

05_ED.png

Was this article helpful?

3 out of 3 found this helpful

1 comment

  • Comment author
    Permanently deleted user

    How can we validate that a client has successfully connected via device authentication with a specific certificate?

Add your comment