Client certificate authentication
Certificate authentication is available for use with mobile and other personal devices.
When client certificate authentication is enabled, unauthenticated users are redirected to an HTTPS page where they are prompted to select the certificate to send to Content Gateway. The user is considered authenticated if the certificate is signed by a trusted Certificate Authority (CA). The user name is extracted from the appropriate certificate field.
Client certificate authentication can also be configured to fall back to the domains list and Captive Portal for authentication. Users who cannot be authenticated using a certificate will then be authenticated using a different method.
Used with rule-based authentication, this feature is configured for each proxy and:
- Supports basic, LDAP, NTLM, and IWA authentication.
  If the fallback option is enabled, however, and Captive Portal is enabled for fallback, the Captive Portal limitations apply. See Authentication using Captive Portal.
- Supports credential and cookie caching.
- Requires a Client Certification Authentication Profile that specifies which certificate field user names are extracted from and includes a list of the CA Certificates valid for use by clients.
- Requires enabling SSL decryption.
  Access to HTTPS sites is not authenticated if HTTPS is not enabled on the page.
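
The decision described above (accept a certificate only if it chains to a CA listed in the profile, then read the user name from the configured field, otherwise hand off to the fallback method) can be modelled with the Go sketch below. It is an added example, not Content Gateway code: the `Profile` type, the field names `CN` and `SAN-email`, the `issue` helper, and the sample certificates are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile models the trusted client CAs and the user-name field ("CN" or "SAN-email", hypothetical names).
type Profile struct{ CAs *x509.CertPool; Field string }

// Authenticate returns the user name; an error means "try the fallback method".
func (p Profile) Authenticate(c *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: p.CAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return "", fmt.Errorf("not signed by a trusted CA: %w", err)
	}
	names := map[string][]string{"CN": {c.Subject.CommonName}, "SAN-email": c.EmailAddresses}[p.Field]
	if len(names) == 0 || names[0] == "" {
		return "", fmt.Errorf("no user name in field %q", p.Field)
	}
	return names[0], nil
}

// issue builds a constructed sample certificate; a nil parent yields a self-signed CA.
func issue(cn string, emails []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		EmailAddresses: emails, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	ca, caKey := issue("Example Client CA", nil, nil, nil)
	user, _ := issue("jdoe", []string{"jdoe@example.test"}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println(Profile{pool, "SAN-email"}.Authenticate(user))
}
```

A certificate from a CA that is not in the profile, or one whose configured field is empty, returns an error rather than a user name, which is the point at which a fallback method would take over.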