Controlling Certified Corporate Devices (Device Authentication)

This article explains how to use Device Authentication to control which physical devices are allowed to use the Cato Client to connect to your account.

Overview of Device Authentication

Users can install the Cato Client on personal and corporate devices and use it to connect to the account. With Device Authentication, you restrict remote access to devices that hold a device certificate issued by a signing certificate you upload for the account. A computer or device can only connect to the Cato Cloud if such a certificate is installed. When the certificate is not installed, the computer or device can't authenticate and access is blocked.

You can also choose to block all devices based on the operating system.

Notes:

  • Only PEM certificates are supported.

  • You can upload a maximum of five certificates for your account.

  • The maximum supported file size for a certificate is 4096 bytes.

Device Authentication Workflow

This section describes a sample high-level workflow for a device that attempts to authenticate to a PoP in the Cato Cloud. In this sample, the account is configured to require device certificates only for the Windows operating system.

  1. The signing certificate for the corporate devices is uploaded to the Cato Management Application.

  2. A Windows computer uses the Cato Client to attempt to connect to the Cato Cloud.

  3. The Client verifies that a device certificate is installed on the computer and that it is valid.

  4. The PoP asks the Client to authenticate based on the certificate.

  5. The PoP checks the device certificate against the signing certificates uploaded for the account, that is, whether the device certificate was issued by one of them.

  6. The device certificate matches a signing certificate and the computer is allowed to connect to the Cato Cloud.

    If the device certificate doesn't match any signing certificate, the connection is blocked and the computer can't connect to the Cato Cloud.
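The following script is an added example and is not part of this article or of Cato's software. It ties together the notes above (PEM only, at most 4096 bytes per certificate) and the workflow just described: it builds a constructed lab PKI (a root CA, an intermediate device CA, a device certificate issued by the intermediate, and a device certificate with the same CN issued by an unrelated CA), runs the checks an administrator would want before uploading a signing certificate, and models step 5 with openssl verify. How the PoP actually performs the match is not published on this page, so the verify call is an assumption about that step, not Cato's logic. The organization and host names (Example Corp, LAPTOP-0001) and all file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Cato code): a throwaway lab PKI plus the checks an admin
# would run before uploading a signing certificate, and a model of the PoP's
# chain check. Requires openssl; all names and subjects below are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
ROOT="$WORK/root-ca"; INT="$WORK/device-ca"; DEV="$WORK/laptop-0001"
ROGUE="$WORK/other-ca"; ROGUE_DEV="$WORK/laptop-0001-other"

# Extension profiles: CA certificates carry CA:TRUE, device certificates do not.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/device.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Generate a P-256 key and a CSR for base name $1 with subject $2.
new_key_and_csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

# Build: root CA -> intermediate (device) CA -> device cert, plus a device cert
# with the same CN issued by an unrelated CA (think: a personal device).
build_lab_pki() {
    new_key_and_csr "$ROOT" "/O=Example Corp/CN=Example Corp Root CA"
    openssl x509 -req -in "$ROOT.csr" -signkey "$ROOT.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$ROOT.pem" 2>/dev/null
    new_key_and_csr "$INT" "/O=Example Corp/CN=Example Corp Device CA"
    openssl x509 -req -in "$INT.csr" -CA "$ROOT.pem" -CAkey "$ROOT.key" -CAcreateserial \
        -days 1825 -extfile "$WORK/ca.ext" -out "$INT.pem" 2>/dev/null
    new_key_and_csr "$DEV" "/O=Example Corp/CN=LAPTOP-0001"
    openssl x509 -req -in "$DEV.csr" -CA "$INT.pem" -CAkey "$INT.key" -CAcreateserial \
        -days 365 -extfile "$WORK/device.ext" -out "$DEV.pem" 2>/dev/null
    new_key_and_csr "$ROGUE" "/CN=Some Other CA"
    openssl x509 -req -in "$ROGUE.csr" -signkey "$ROGUE.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$ROGUE.pem" 2>/dev/null
    new_key_and_csr "$ROGUE_DEV" "/CN=LAPTOP-0001"
    openssl x509 -req -in "$ROGUE_DEV.csr" -CA "$ROGUE.pem" -CAkey "$ROGUE.key" -CAcreateserial \
        -days 365 -extfile "$WORK/device.ext" -out "$ROGUE_DEV.pem" 2>/dev/null
}

# Pre-upload checks from the notes: PEM only, at most 4096 bytes, a CA
# certificate (root or intermediate), and not yet expired. Returns 0 if suitable.
check_signing_cert_for_upload() {
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "$1: not PEM (convert DER with: openssl x509 -inform DER -in cert.der -out cert.pem)"; return 1
    fi
    if [ "$(wc -c < "$1" | tr -d ' ')" -gt 4096 ]; then
        echo "$1: larger than 4096 bytes"; return 1
    fi
    if ! openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
        echo "$1: not a CA certificate (basicConstraints CA:TRUE missing)"; return 1
    fi
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$1: expired"; return 1
    fi
    echo "$1: suitable for upload"
}

# Model of workflow step 5 (an assumption about the PoP, not Cato's published
# logic): the device cert must chain to the uploaded signing certificates.
# $1 = device cert, remaining args = the uploaded signing certs. Returns 0 if allowed.
device_cert_chains_to_uploaded_cas() {
    dev="$1"; shift
    cat "$@" > "$WORK/uploaded-bundle.pem"
    openssl verify -CAfile "$WORK/uploaded-bundle.pem" "$dev" >/dev/null 2>&1
}

demo() {
    build_lab_pki
    for f in "$ROOT.pem" "$INT.pem" "$DEV.pem"; do check_signing_cert_for_upload "$f" || true; done
    device_cert_chains_to_uploaded_cas "$DEV.pem" "$ROOT.pem" "$INT.pem" && echo "corporate laptop: allowed"
    device_cert_chains_to_uploaded_cas "$ROGUE_DEV.pem" "$ROOT.pem" "$INT.pem" || echo "same CN, unrelated CA: blocked"
    device_cert_chains_to_uploaded_cas "$DEV.pem" "$ROOT.pem" || echo "root uploaded without intermediate: blocked"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh device_auth_lab.sh demo`. Two results are worth noting. A certificate with the right CN from an unrelated CA is rejected, which is the whole point of anchoring access to a signing certificate rather than to anything the device asserts about itself. And a device certificate issued by the intermediate does not verify when only the root is in the trust bundle, because the chain cannot be completed; keep that in mind when deciding how to use the five certificate slots for the root CA and the intermediate CA.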

Implementing Device Authentication

When you enable Device Authentication for an operating system (either to block it or to require a certificate), we strongly recommend that you first make sure all devices are upgraded to the minimum supported Client version. Earlier (unsupported) Client versions behave as follows:

  • Windows (block or require certificate) - no message is shown to the user, and the Client continuously tries to connect to the VPN

  • macOS, iOS, Android, and Linux (block) - users are shown a message that says this device is blocked from the network (for example, connecting from this OS is forbidden)

  • macOS and iOS (require certificate) - users are shown a message that says network access is blocked for the device (for example, Access denied)

For more information on which Client versions support Device Authentication, see Access Features per Client OS and Version.

For example, a macOS computer has the correct certificate installed but is using macOS Client v4.1 (an unsupported version). When Device Authentication is enabled to require a certificate for macOS, the computer can't connect to the VPN and the user sees a message that says network access is blocked for the device. The computer can connect to the VPN after it is upgraded to macOS Client v4.4 or higher.

Device Authentication and the Always On Feature

You can't both block an OS with Device Authentication and enable the Always On feature for that same Client OS. Before you implement Device Authentication to block an OS, verify that the Always On settings are disabled for the account in the Always On section (Access > Client Access).

Using Certificates to Manage Device Access

Upload signing certificates to the Device Authentication section in the Cato Management Application. You can then define the operating systems that authenticate to the Cato Cloud based on the certificate.

Uploading the Certificate to the Cato Management Application

The Device Authentication section shows the signing certificates (Root CA and intermediate CA) that you uploaded to the Cato Management Application. Each uploaded certificate is first verified as valid and then added to the account.

For accounts with more than one signing certificate, the device is authenticated against the first signing certificate that matches its device certificate.

To upload a signing certificate to your account:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Device Authentication section.

  3. In the Device certificates section, click New.

    The Add Certificate panel opens.

  4. Enter a Name for the certificate.

  5. Click Upload Certificate.

  6. Browse to the signing certificate, select it, and click Open. The certificate is added to the panel.

  7. Click Save. The signing certificate is saved to your account.

    You can upload a maximum of five certificates for your account.

Defining Operating Systems that Require a Certificate

Select one or more operating systems that require a device certificate to connect to your account with the Cato Client. This is the default global setting for the account and it applies to all devices and computers for that operating system.

You can override this setting for specific users, see Configuring Device Authentication Settings for Users below.

To define the operating systems that require a certificate to connect to the Cato Cloud:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Device Authentication section.

  3. In Operating systems that require a certificate, start typing or select the operating systems that require a device certificate.

  4. Click Save.

Deleting Certificates

Delete expired and revoked signing certificates that are no longer used for your account. Devices whose certificates were issued by a deleted signing certificate can no longer authenticate from an operating system that requires a certificate.

To delete certificates from Device Authentication:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Device Authentication section.

  3. In the Device certificates section, select one or more certificates.

  4. Click the Delete icon. The row with the certificate data is removed.

  5. Click Save. The signing certificate is deleted from your account.

Blocking Remote Access for an Operating System

The Device Authentication section lets you block remote access to your account, at the global (account) level, for specific Client operating systems. When a device or computer running a blocked operating system tries to use the Client to connect to your account, the PoP in the Cato Cloud blocks the connection.

To block remote access for an operating system:

  1. From the navigation menu, click Access > Client Access.

  2. Expand the Device Authentication section.

  3. In the Blocked operating systems section, select the operating systems that are blocked from accessing your account with the Cato Client.

  4. Click Save.

Configuring Device Authentication Settings for Users

You can override the default settings for blocked operating systems and required device certificates for specific users. When you configure the Device Authentication settings for a user, the default settings are ignored.

You must upload the signing certificate to the Cato Management Application before you can require a device certificate for a user, see above Uploading the Certificate to the Cato Management Application.

To configure the Device Authentication settings for a user:

  1. From the navigation menu, click Access > Users and select a user.

  2. From the navigation menu, click User Settings > Device Authentication.

  3. Select Override account Device Authentication settings.

  4. In Blocked operating systems, configure the operating systems that are blocked for this user. If no blocked operating systems are selected, this user can use any Client operating system to connect to the account.

  5. In Operating systems that require a certificate, configure the operating systems that require a certificate. If no operating systems are selected, then this user doesn't require a signing certificate to connect to your account.

  6. Click Save. The Device Authentication settings are configured for the user.

1 comment

  • Johann Kriek

    How can we validate that a client has successfully connected via device authentication with a specific certificate?