Authenticate administrators using certificate-based authentication

You can authenticate administrators using an X.509 certificate stored in the Windows certificate store or on a smart card, such as a Common Access Card (CAC).

Before you begin

To use smart cards for authentication, you must have smart card reader hardware and software.

To use certificate files for authentication, you must save the certificates in the Windows certificate store.

Certificate-based authentication is only supported for Management Clients installed on Windows 10. Certificate-based authentication is not supported for Web Portal Users.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Configure the Management Server for certificate-based authentication.
    1. Select Configuration, then browse to Network Elements.
    2. Select Network Elements > Servers.
    3. Right-click the Management Server, then select Properties.
    4. Next to the TLS Credentials field, click Select, then select a TLS Credentials element.
    5. Next to the TLS Profile field, click Select, then select a TLS Profile element.
      The TLS Profile element defines the cryptographic suite for TLS connections, the trusted certificate authorities, options for certificate matching, and whether certificates are checked against certificate revocation lists.
    6. Click OK.
  2. In the properties of each Administrator, configure certificate-based authentication.
    1. Select Configuration, then browse to Administration.
    2. Select Access Rights > Administrators.
    3. Right-click an Administrator element, then select Properties.
    4. From the Authentication drop-down list, select Client Certificate.
    5. From the Client Identity Type drop-down list, select the certificate attribute that is used to identify the administrator.
    6. Specify the value of the certificate attribute in one of the following ways:
      • In the Identity Value field, enter the value of the certificate attribute.
      • Click Fetch From Certificate, then import the certificate to get the value from the certificate.
    7. Click OK.
  3. Export the certificate from the TLS Credentials element that is used by the Management Server, then import the certificate on each administrator's computer and configure the operating system to trust the certificate.
    Alternatively, you can sign the certificate request for the Management Server using a CA that is already trusted by the administrators' client operating systems.
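
The Windows side of steps 2 and 3 can be checked from PowerShell. The script below is an added example, not part of the product or its documentation: it trusts the exported Management Server certificate, confirms that Windows builds a valid chain for it, and lists the administrator's client certificates with the attributes from which an Identity Value can be read. The file path is a placeholder, and the use of the machine-wide Trusted Root store assumes a self-signed Management Server certificate.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session
# on the administrator's computer.
# Assumption: placeholder path of the certificate exported from the
# TLS Credentials element used by the Management Server.
$ServerCertPath = 'C:\Temp\management-server.cer'

# Step 3: add the exported certificate to the machine-wide trusted root store.
# Assumption: the certificate is self-signed. If it was signed by a CA the
# operating system already trusts, skip the import.
$serverCert = Import-Certificate -FilePath $ServerCertPath -CertStoreLocation Cert:\LocalMachine\Root
$serverCert | Format-List Subject, Issuer, NotAfter, Thumbprint

# Check that Windows now builds a trusted chain for the certificate.
# Revocation lookups are skipped so the check also works offline.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($serverCert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "$($_.Status): $($_.StatusInformation.Trim())"
    }
}

# Steps 2.5 and 2.6: list the current user's certificates that have a private
# key, are not expired, and carry the Client Authentication EKU. Smart card
# certificates appear here once the card is inserted. Certificates without any
# EKU extension are filtered out by this check.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    } |
    ForEach-Object {
        # Subject Alternative Name extension (OID 2.5.29.17), if present.
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Subject        = $_.Subject
            SubjectAltName = if ($san) { $san.Format($false) } else { '' }
            Issuer         = $_.Issuer
            NotAfter       = $_.NotAfter
            Thumbprint     = $_.Thumbprint
        }
    } | Format-List
```

Compare the Subject or SubjectAltName output with the value entered in the Identity Value field, and check that the Issuer is one of the certificate authorities trusted by the TLS Profile selected in step 1.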