Configure client certificate authentication for browser-based user authentication

In environments that require multi-factor user authentication, you can configure certificate-based authentication using X.509 certificates for browser-based user authentication.

Before you begin

Before configuring client certificate authentication, configure the following:

  • Integrate an external Active Directory server or LDAP server with the SMC.
  • Enable browser-based user authentication.

Users can authenticate to the firewall using an X.509 certificate stored on their computers or on a smart card, such as a Common Access Card (CAC). The NGFW Engine verifies that the certificate is valid and that the value that is configured to be checked in the certificate matches the value for the user in the LDAP server.

Note: Enabling client certificate authentication prevents the use of user password authentication in the same user session.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Create a TLS Profile element that defines the trusted certificate authority for the users' certificates.
    Only users whose certificates are signed by the trusted certificate authority can successfully authenticate using client certificates.
    1. Select Configuration, then browse to Administration.
    2. Browse to Certificates > Other Elements > TLS Profiles.
    3. Right-click TLS Profiles, then select New TLS Profile.
    4. In the Trusted Certificate Authorities section, select Trust Selected, then click Add to specify the trusted certificate authorities that sign the users' client certificates.
    5. Configure the other settings as needed, then click OK.
  2. Configure client certificate authentication on the Firewall.
    1. Right-click an NGFW Engine, then select Edit <element type>.
    2. Browse to Add-Ons > User Authentication.
    3. Next to the TLS Profile field, click Select, then select the TLS Profile element that you created.
    4. Browse to Advanced > Authentication.
    5. From the Client Certificate Identity Field for TLS drop-down list, select the client certificate field that is used to look up the user entry from the user domain.
    6. Configure the other advanced options as needed, then click Save.
  3. If you selected Distinguished Name as the Client Certificate Identity Field for TLS, configure the Active Directory Server or LDAP Server element for client certificate authentication.
    1. Select Configuration, then browse to User Authentication.
    2. Browse to Servers.
    3. Right-click the LDAP Server or Active Directory Server element, then select Properties.
    4. On the Client Certificate tab, enter the name of the value in the distinguished name that is checked to verify the client identity.
      The supported values are CN, email, and UID.
    5. Make sure that the value of the UserId field on the Attributes tab matches the attribute that contains the specified user information.
      • CN — The value of the UserId field on the Attributes tab must be CN.
      • email — The value of the E-mail field on the Attributes tab must match the attribute that contains the user's email address.
      • UID — The value of the UserId field on the Attributes tab must match the attribute that contains the user's UID.
    6. Click OK.
  4. Enable client certificate authentication on the Firewall.
    1. Right-click an NGFW Engine, then select Edit <element type>.
    2. Browse to Add-Ons > User Authentication.
    3. Next to the TLS Profile field, click Select, then select the TLS Profile element that you created.
    4. Click Save and Refresh.

TLS Profile Properties dialog box

Use this dialog box to define a TLS profile for enabling TLS protection for traffic to and from external components.

Option Definition
Name The name of the element.
TLS Cryptography Suite Set The cryptographic suite for TLS connections.
Trusted Certificate Authorities

Specifies which certificate authorities to trust.

  • Trust any
  • Trust selected

Click Add to add an element to the list, or Remove to remove the selected element.

Version The TLS version used.
Use Only Subject Alt Name

(Optional)

Uses only Subject Alternative Name (SAN) certificate matching.
Accept Wildcard Certificate

(Optional)

Allows the use of wildcards in certificate matching.
Check Revocation

(Optional)

Checks against certificate revocation lists (CRLs) whether the certificate has been revoked. The certificate must be signed by a valid certificate authority.
Delay CRL Fetching For

(Optional, NGFW Engine only)

The time interval for the NGFW Engine to fetch the CRL. If the CRL expires sooner than the specified interval, the CRL expiration value defines the interval for fetching the CRL.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Ignore OCSP Failures For

(Optional, NGFW Engine only)

The number of hours for which the NGFW Engine ignores OCSP failures.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Ignore Revocation Check Failures if There Are Connectivity Problems

(Optional, NGFW Engine only)

When selected, the NGFW Engine ignores all CRL check failures if connectivity problems are detected.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Comment

(Optional)

A comment for your own reference.

Active Directory Server Properties dialog box

Use this dialog box to define Active Directory Server properties.

Option Definition
General tab
Name The name of the element.
IP Address

Specifies the server IP address.

IPv4 addresses, IPv6 addresses, and fully qualified domain names (FQDNs) are supported. You can enter only one IPv4 address, IPv6 address, or FQDN as the IP address.

Resolve Automatically resolves the IP address of the server.
Location A Location is needed if NAT is applied between a Firewall or Management Server and the Active Directory server.
Contact Addresses
  • Default — Used by default whenever a component that belongs to another Location connects to this server.
  • Exceptions — Opens the Exceptions dialog box.
LDAP Protocol

Specifies the LDAP protocol that is used for the LDAP connection.

  • LDAP — LDAP is used without encryption.
  • LDAPS — The LDAPS protocol is used for encryption.
  • Start TLS — Start TLS is used for encryption.
LDAP Port

(Optional)

Specifies the port number if the server communicates on a port other than the default TCP 389 port. The predefined Firewall Template allows the engines to connect to the default port. If you change to a custom port, you must add an Access rule to allow the traffic.
Timeout Specifies the time (in seconds) that SMC components wait for the server to reply.
TLS Profile

(When the LDAP Protocol is LDAPS or Start TLS)

Specifies the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic.

Click Select to select a TLS Profile element.

TLS Server Identity

(When the LDAP Protocol is LDAPS or Start TLS)

Determines how the identity of the LDAP server is verified.
  • Edit — Opens the TLS Server Identity dialog box.
  • Remove — Removes the configured TLS Server Identity.
Base DN Enter the LDAP tree under which the authenticating users' accounts are stored.

Example: (DNS-based tree)

dc=example,dc=com

Example: ("O-based" tree used, for example, in Novell eDirectory)

ou=astronauts,o=government,st=Florida,c=US

Anonymous

(Optional)

When selected, allows NGFW Engines and Management Servers to connect to the LDAP server without a user name and password.

When the option is selected, the Bind User ID and Bind Password options are not available.

Bind User ID Define the Distinguished Name of the User ID that the Firewalls and Management Servers use to connect to the server. This user account must exist in the user database. Make sure the account you use has the permissions to manage other user accounts.

Example: (DNS-based tree)

uid=ExampleOrganization,ou=Administrators,dc=example,dc=com

Example: ("O-based" tree used, for example, in Novell eDirectory)

uid=ExampleOrganization,ou=Administrators,ou=astronauts,o=government,st=Florida,c=US

Bind Password Specifies the password for the user account that the Firewalls and Management Servers use to connect to the server. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the element right-click menu. Click Select to select an element.
Comment

(Optional)

A comment for your own reference.
Check Connectivity Tests connectivity to the Active Directory Server.
Option Definition
Object Classes tab
User ObjectClass Allows you to add user objectclasses manually.

If your Active Directory server has user object classes that are not defined in the SMC by default, you must add those object classes to the Active Directory Server object classes in the server properties. This way, the existing classes on the Active Directory server can also be used for authentication.

Add Adds the user objectclass name to the list of available classes.
Remove Removes the user objectclass name from the list of available classes.
Group ObjectClass Allows you to add group objectclasses manually.

If your Active Directory server has group object classes that are not defined in the SMC by default, you must add those object classes to the Active Directory Server object classes in the server properties. This way, the existing classes on the Active Directory server can also be used for authentication.

Add Adds the group objectclass name to the list of available classes.
Remove Removes the group objectclass name from the list of available classes.
Option Definition
Attributes tab
Schema
  • Standard — Select if you are using the external LDAP directory server’s standard schema files.
  • Updated — Select if you have extended the schema file to include SMC-specific attributes.
UserId Specifies the name of the attribute that is used as the UserID. This attribute can be used to identify users by their UserID in certificate authentication.
Group Member Specifies the name that the server uses for the Group Member Attribute.

The default value is member for standard schema, and sgMember for updated schema.

Authentication

(Updated Schema only)

Specifies the Authentication Attribute for storing the authentication method information.

The default value is sgauth.

Display Name

(Updated Schema only)

Specifies the name that the server uses for the Display Name attribute.
E-mail

(Updated Schema only)

Specifies the name of the attribute that is used for storing user email addresses. This attribute can be used to identify users by their email address in certificate authentication.
User Principal Name (UPN) Specifies the name of the attribute for storing the user principal name. This attribute can be used to identify users by their user principal name in certificate authentication.
Mobile

(Updated Schema only)

Specifies the name of the attribute for storing user mobile phone numbers.
Framed IP This option is included for backward compatibility with legacy NGFW software versions.
Password Method Password Specifies the name of the password attribute for the Password Authentication Method.
Mobile Text Method Password Specifies the name of the password attribute for the Mobile Text Authentication Method.
Mobile ID Challenge Method PIN Specifies the name of the PIN attribute for the Mobile ID Challenge Authentication Method.
Mobile ID Synchronized Method PIN Specifies the name of the PIN attribute for the Mobile ID Synchronized Authentication Method.
Option Definition
Client Certificate tab
User Search for Client Certificate Authentication Specifies the name of the value in the distinguished name that is checked to verify the client identity.

The following values are supported:

  • CN — The client identity is checked against the UserId attribute specified for the server. The value of the UserId field on the Attributes tab must match the attribute that contains the user's common name.
  • email — The client identity is checked against the E-mail attribute specified for the server. The value of the E-mail field on the Attributes tab must match the attribute that contains the user's email address.
  • UID — The client identity is checked against the UserId attribute specified for the server. The value of the UserId field on the Attributes tab must match the attribute that contains the user's UID.
Option Definition
Authentication tab
User Network Policy Server Method (NPS) When selected, uses the Windows server IAS/NPS.
Port Number Specifies the port for your Windows server IAS/NPS.
Shared Secret Specifies the shared secret defined for RADIUS clients on the Active Directory server. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Number of Retries If an SMC component's attempt to connect to the Active Directory server fails, specifies the number of times it tries to connect again before giving up on the authentication.
IP Address

(Optional)

Specifies the IP address for authentication when the authentication service on the Active Directory server uses a different IP address than the server itself.
Authentication Methods Specifies the supported authentication methods for the Active Directory Server.

Click Add to select authentication methods.

Note: The User password authentication method requires you to update the schema with SMC-specific attributes. Alternatively, you can use the LDAP Authentication authentication method to authenticate users using user names and passwords stored in the external LDAP database without updating the schema.
Note: If you use the Active Directory Server with the Integrated User ID Service for user identification, the supported authentication methods are User Password and LDAP Authentication.
Remove Removes the selected elements from the External Authentication Methods list.
Option Definition
Advanced tab
Secondary IP Addresses

Allows you to specify any additional device IP addresses. You can enter the additional IP addresses here instead of creating additional elements for the other IP addresses. The secondary IP addresses are valid in policies and in routing and antispoofing. You can add several IPv4 and IPv6 addresses (one at a time).

  • Add — Adds a row to the table.
  • Remove — Removes the selected IP address from the list.
Timeout The time (in seconds) that SMC Components wait for the server to reply.
Max Entries The maximum number of LDAP entries that are returned in an LDAP response.
No Limit Deselect to specify the maximum number of LDAP entries returned.
Page Size

(Optional)

The maximum number of LDAP entries that are returned on each page of the LDAP response.
No Pages Deselect to specify the maximum number of LDAP entries returned on each page.
Option Definition
Monitored Servers tab
Server Type The type of server from which the Integrated User ID Service receives information about users' IP addresses. The Active Directory server can receive information from Domain Controller servers and Exchange Servers.
IP Address The IP address of the Domain Controller server or Exchange Server. Both IPv4 and IPv6 addresses are supported.
User

The user name of a user in the domain that has permission to execute WMI queries from a remote computer.

Note: Enter only the user name without any domain information. The domain information is automatically added to the user name.
Password The password for the user account with Domain Admin credentials.
Add Adds a row to the table. Allows you to define a Domain Controller server or an Exchange Server.
Edit Allows you to edit the settings of the selected server.
Remove Removes the selected row from the table.
Option Definition
Monitoring tab
Log Server The Log Server that monitors the status of the element.
Status Monitoring When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view.
Probing Profile Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone Selects the time zone for the logs.
Encoding Selects the character set for log files.
SNMP Trap Reception Enables the reception of SNMP traps from the third-party device.
NetFlow Reception Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).
Option Definition
NAT tab

(All optional settings)

Firewall Shows the selected firewall.
NAT Type Shows the NAT translation type: Static or Dynamic.
Private IP Address Shows the Private IP Address.
Public IP Address Shows the defined Public IP Address.
Port Filter Shows the selected Port Filters.
Comment An optional comment for your own reference.
Add NAT Definition Opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition Removes the selected NAT definition from the list.

LDAP Server Properties dialog box

Use this dialog box to define Lightweight Directory Access Protocol (LDAP) Server properties.

Option Definition
General tab
Name The name of the element.
IP Address

Specifies the server IP address.

IPv4 addresses, IPv6 addresses, and fully qualified domain names (FQDNs) are supported. You can enter only one IPv4 address, IPv6 address, or FQDN as the IP address.

Resolve Automatically resolves the IP address of the server.
Location Specifies the location for the server if there is a NAT device between the server and other SMC components.
Contact Addresses
  • Default — Used by default whenever a component that belongs to another Location connects to this server.
  • Exceptions — Opens the Exceptions dialog box.
LDAP Protocol

Specifies the LDAP protocol that is used for the LDAP connection.

  • LDAP — LDAP is used without encryption.
  • LDAPS — The LDAPS protocol is used for encryption.
  • Start TLS — Start TLS is used for encryption.
LDAP Port

(Optional)

The port number if the server communicates on a port other than the default port (TCP port 389). The predefined Firewall Template allows the engines to connect to the default port. If you change to a custom port, you must add an Access rule to allow the traffic.
TLS Profile

(When the LDAP Protocol is LDAPS or Start TLS)

Specifies the settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic.

Click Select to select a TLS Profile element.

TLS Server Identity

(When the LDAP Protocol is LDAPS or Start TLS)

Determines how the identity of the LDAP server is verified.
  • Edit — Opens the TLS Server Identity dialog box.
  • Remove — Removes the configured TLS Server Identity.
Base DN The LDAP tree under which the authenticating users’ accounts are stored.

Example (DNS-based tree):

dc=example,dc=com

Example (“O-based” tree used, for example, in Novell eDirectory):

ou=astronauts,o=government,st=Florida,c=US

Anonymous

(Optional)

When selected, allows NGFW Engines and Management Servers to connect to the LDAP server without a user name and password.

When the option is selected, the Bind User ID and Bind Password options are not available.

Bind User ID The Distinguished Name of the User ID that the NGFW Engines and Management Servers use to connect to the server. This user account must exist in the user database. Make sure the account you use has the privileges to manage other user accounts.

Example (DNS-based tree):

uid=ExampleOrganization,ou=Administrators,dc=example,dc=com

Example (“O-based” tree used, for example, in Novell eDirectory):

uid=ExampleOrganization,ou=Administrators,ou=astronauts,o=government,st=Florida,c=US

Bind Password The password for the user account that the Firewalls and Management Servers use to connect to the server. By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the element right-click menu. Click Select to select an element.
Comment

(Optional)

A comment for your own reference.
Check Connectivity Tests connectivity to the LDAP Server.
Option Definition
Object Classes tab
User ObjectClass Allows you to add user objectclasses manually.

If your LDAP server has LDAP user object classes that are not defined in the SMC by default, you must add those object classes to the LDAP Object classes in the server properties. This way, the existing classes on the LDAP server can also be used for authentication.

Add Adds the user objectclass name to the list of available classes.
Remove Removes the user objectclass name from the list of available classes.
Group ObjectClass Allows you to add group objectclasses manually.

If your LDAP server has LDAP group object classes that are not defined in the SMC by default, you must add those object classes to the LDAP Object classes in the server properties. This way, the existing classes on the LDAP server can also be used for authentication.

Add Adds the group objectclass name to the list of available classes.
Remove Removes the group objectclass name from the list of available classes.
Option Definition
Attributes tab
Schema
  • Standard — Select if you are using the external LDAP directory server’s standard schema files.
  • Updated — Select if you have extended the schema file to include SMC-specific attributes.
UserId Specifies the name of the attribute that is used as the UserID. This attribute can be used to identify users by their UserID in certificate authentication.
Group Member The name that the server uses for the Group Member Attribute. By default, the attribute is set to member for standard schema, and sgMember for updated schema.
Authentication

(Updated Schema only)

The Authentication Attribute for storing the authentication method information. By default, the attribute is set to sgauth.
Display Name Specifies the name that the server uses for the Display Name attribute.
E-mail Specifies the name of the attribute that is used for storing user email addresses. This attribute can be used to identify users by their email address in certificate authentication.
User Principal Name (UPN) Specifies the name of the attribute for storing the user principal name. This attribute can be used to identify users by their user principal name in certificate authentication.
Mobile Specifies the name of the attribute for storing user mobile phone numbers.
Framed IP This option is included for backward compatibility with legacy NGFW software versions.
Password Method Password The name of the password attribute for the Password Authentication Method.
Mobile Text Method Password The name of the password attribute for the Mobile Text Authentication Method.
Mobile ID Challenge Method PIN The name of the PIN attribute for the Mobile ID Challenge Authentication Method.
Mobile ID Synchronized Method PIN The name of the PIN attribute for the Mobile ID Synchronized Authentication Method.
Option Definition
Client Certificate tab
User Search for Client Certificate Authentication Specifies the name of the value in the distinguished name that is checked to verify the client identity.

The following values are supported:

  • CN — The client identity is checked against the UserId attribute specified for the server. The value of the UserId field on the Attributes tab must match the attribute that contains the user's common name.
  • email — The client identity is checked against the E-mail attribute specified for the server. The value of the E-mail field on the Attributes tab must match the attribute that contains the user's email address.
  • UID — The client identity is checked against the UserId attribute specified for the server. The value of the UserId field on the Attributes tab must match the attribute that contains the user's UID.
Option Definition
Authentication tab
Authentication Methods Specifies the supported authentication methods for the LDAP Server.

Click Add to select authentication methods.

Note: The User password authentication method requires you to update the schema with SMC-specific attributes. Alternatively, you can use the LDAP Authentication authentication method to authenticate users using user names and passwords stored in the external LDAP database without updating the schema.
Remove Removes the selected authentication method.
Option Definition
Advanced tab
Secondary IP Addresses

Allows you to specify any additional device IP addresses. You can enter the additional IP addresses here instead of creating additional elements for the other IP addresses. The secondary IP addresses are valid in policies and in routing and antispoofing. You can add several IPv4 and IPv6 addresses (one at a time).

  • Add — Adds a row to the table.
  • Remove — Removes the selected IP address from the list.
Timeout The time (in seconds) that SMC Components wait for the server to reply.
Max Entries The maximum number of LDAP entries that are returned in an LDAP response.
No Limit Deselect to specify the maximum number of LDAP entries returned.
Page Size

(Optional)

The maximum number of LDAP entries that are returned on each page of the LDAP response.
No Pages Deselect to specify the maximum number of LDAP entries returned on each page.
Option Definition
Monitoring tab
Log Server The Log Server that monitors the status of the element.
Status Monitoring When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view.
Probing Profile Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone Selects the time zone for the logs.
Encoding Selects the character set for log files.
SNMP Trap Reception Enables the reception of SNMP traps from the third-party device.
NetFlow Reception Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).
Option Definition
NAT tab

(All optional settings)

Firewall Shows the selected firewall.
NAT Type Shows the NAT translation type: Static or Dynamic.
Private IP Address Shows the Private IP Address.
Public IP Address Shows the defined Public IP Address.
Port Filter Shows the selected Port Filters.
Comment An optional comment for your own reference.
Add NAT Definition Opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition Removes the selected NAT definition from the list.

Engine Editor > Add-Ons > User Authentication

Use this branch to enable user authentication. You can configure authentication using HTTP connections or encrypted HTTPS connections.

Option Definition
Authentication Time-Out Defines the length of time after which authentication expires and users must re-authenticate.
Authentication Idle Time-Out Defines an idle timeout for user authentication. If there have been no new connections within the specified time limit after the closing of a user's previous connection, the user is removed from the list of authenticated users.
HTTP When selected, allows authentication using plain HTTP connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 80.
HTTPS When selected, allows authentication using encrypted HTTPS connections. Change the Port number if you want to use a different port for the authentication interface. The default port is 443.

This option is required for client certificate authentication.

HTTPS Settings Opens the Browser-Based User Authentication HTTPS Configuration dialog box.
TLS Profile The TLS Profile element that defines TLS settings for HTTPS connections for authentication, and the trusted certificate authority for client certificate authentication. Click Select to select an element.

This option is required for client certificate authentication.

Use Client Certificates for Authentication When selected, the NGFW Engine allows users to authenticate using X.509 certificates. Client certificate authentication is supported for browser-based user authentication.
Always Use HTTPS When selected, redirects connections to the HTTPS port and enforces the use of HTTPS if the NGFW Engine also listens on other ports.
Listen on Interfaces Restricts the interfaces that users can authenticate through.
  • All — Users can authenticate through all interfaces.
  • Selected — Users can only authenticate through the selected interfaces.
User Authentication Page Select the User Authentication Page element that defines the look of the logon, challenge, re-authentication, and status page shown to end users when they authenticate.
Enable Session Handling

(Optional)

When selected, enables cookie-based strict session handling.
Note: When Enable Session Handling is selected, the Authentication Idle Time-Out option is not available. The Refresh Status Page Every option defines the authentication timeout.
Refresh Status Page Every

(Optional)

Defines how often the status page is automatically refreshed. When Enable Session Handling is selected, defines the authentication timeout.

Engine Editor > Advanced Settings > Authentication

Use this branch to configure advanced settings for user authentication.

Option Definition
Default User Domain The default LDAP domain from which the NGFW Engine looks up users.
Note: This setting applies to all user authentication, including browser-based user authentication, VPN clients, and the SSL VPN Portal.
Allow user lookup from known User Domain matching to client certificate email domain or UPN suffix When selected, the NGFW Engine looks up the user from the domain specified in the email address or user principal name before looking up the user in the default domain.
Note: This option is ignored when the value of the Client Certificate Identity Field for TLS option is Distinguished Name.
Client Certificate Identity Field for TLS The attribute that is used to look up the user entry from the user domain when using TLS. The NGFW Engine only uses values from the Active Directory or LDAP server that is associated with the global default LDAP domain or the engine-specific default user domain.
  • User Principal Name — The User Principal Name attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Email — The E-mail attribute on the Attributes tab of the Active Directory Server or LDAP Server element is used.
  • Distinguished Name — The specified value in the distinguished name is used.
    Note: If you select Distinguished Name, you must specify the identity search value on the Client Certificate tab of the Active Directory Server or the LDAP Server Properties dialog box.
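The user lookup that the Steps procedure and this Authentication branch describe, modelled as an added Python example (not SMC code): a subject DN parser, the three Client Certificate Identity Field choices, the CN/email/UID search value from the server's Client Certificate tab, and the optional lookup from the domain in the certificate's email address or UPN suffix (skipped in Distinguished Name mode). The directory entries, attribute names, domain names and the EMAIL_DN_KEYS list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DN attribute types under which an email address commonly appears in a subject
# DN (an assumption for this example; the page only calls this value "email").
EMAIL_DN_KEYS = ("emailaddress", "e", "mail")

def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514 DN into {lowercased type: value}. Backslash escapes
    are honoured so 'CN=Doe\\, Jane' stays one RDN; first occurrence wins."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep the escaped char literally
            buf, i = buf + dn[i + 1], i + 2
        elif dn[i] == ",":
            rdns, buf, i = rdns + [buf], "", i + 1
        else:
            buf, i = buf + dn[i], i + 1
    parsed: Dict[str, str] = {}
    for rdn in rdns + [buf]:
        if "=" in rdn:
            k, v = rdn.split("=", 1)
            parsed.setdefault(k.strip().lower(), v.strip())
    return parsed

@dataclass
class DirectoryServer:
    """An Active Directory/LDAP Server element reduced to what this page uses."""
    user_id_attr: str                 # Attributes tab > UserId
    email_attr: str                   # Attributes tab > E-mail
    upn_attr: str                     # Attributes tab > User Principal Name (UPN)
    dn_search_value: str              # Client Certificate tab: "CN", "email" or "UID"
    entries: List[Dict[str, str]]     # constructed stand-in for the directory data

@dataclass
class EngineAuthSettings:
    """Engine Editor > Advanced Settings > Authentication."""
    default_user_domain: str
    identity_field: str               # "User Principal Name", "Email" or "Distinguished Name"
    allow_lookup_from_cert_domain: bool = False

@dataclass
class ClientCert:
    """The parts of a client certificate the lookup reads (constructed values)."""
    subject_dn: str
    san_email: Optional[str] = None   # rfc822Name from the Subject Alternative Name
    san_upn: Optional[str] = None     # UPN otherName from the Subject Alternative Name

def candidate_domains(cert: ClientCert, s: EngineAuthSettings) -> List[str]:
    """User Domains to search, in order: the domain from the certificate's email or
    UPN first (only if the option is on and the identity field is not Distinguished
    Name, where the page says the option is ignored), then the default domain."""
    domains = [s.default_user_domain.lower()]
    if s.allow_lookup_from_cert_domain and s.identity_field != "Distinguished Name":
        ident = cert.san_upn if s.identity_field == "User Principal Name" else cert.san_email
        if ident and "@" in ident:
            suffix = ident.rsplit("@", 1)[1].lower()
            if suffix not in domains:
                domains.insert(0, suffix)
    return domains

def identity_for_server(cert: ClientCert, s: EngineAuthSettings,
                        srv: DirectoryServer) -> Tuple[str, Optional[str]]:
    """Return (directory attribute to compare, value taken from the certificate)."""
    if s.identity_field == "User Principal Name":
        return srv.upn_attr, cert.san_upn
    if s.identity_field == "Email":
        return srv.email_attr, cert.san_email
    dn = parse_dn(cert.subject_dn)                  # Distinguished Name mode
    if srv.dn_search_value == "CN":
        return srv.user_id_attr, dn.get("cn")
    if srv.dn_search_value == "UID":
        return srv.user_id_attr, dn.get("uid")
    return srv.email_attr, next((dn[k] for k in EMAIL_DN_KEYS if k in dn), None)

def lookup_user(cert: ClientCert, s: EngineAuthSettings,
                servers: Dict[str, DirectoryServer]) -> Optional[Dict[str, str]]:
    """Return the directory entry the certificate maps to, or None when no
    candidate domain has an entry whose attribute equals the certificate value."""
    for domain in candidate_domains(cert, s):
        srv = servers.get(domain)
        if srv is None:
            continue
        attr, value = identity_for_server(cert, s, srv)
        if not value:
            continue
        for entry in srv.entries:
            if entry.get(attr, "").lower() == value.lower():
                return entry
    return None

# Constructed directories: example.com matches on CN (UserId = cn), partner.example on UID.
SERVERS = {
    "example.com": DirectoryServer("cn", "mail", "userPrincipalName", "CN", [
        {"cn": "Jane Doe", "mail": "jdoe@example.com", "userPrincipalName": "jdoe@example.com"}]),
    "partner.example": DirectoryServer("uid", "mail", "userPrincipalName", "UID", [
        {"uid": "bsmith", "mail": "bsmith@partner.example", "userPrincipalName": "bsmith@partner.example"}]),
}
```

A certificate whose identity value is present but matches no entry in any candidate domain yields None, which is the case to watch for when the UserId or E-mail field on the Attributes tab names the wrong attribute.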