You can authenticate administrators using an X.509 certificate stored in the Windows certificate store or on a smart card, such as a
Common Access Card (CAC).
Before you begin
To use smart cards for authentication, you must have smart card reader hardware and software.
To use certificate files for authentication, you must save the certificates in the Windows certificate store.
Certificate-based authentication is supported only for Management Clients installed on Windows 10. Certificate-based authentication is not
supported for Web Portal Users.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Configure the Management Server for certificate-based authentication.
  - Select Configuration, then browse to Network Elements.
  - Select .
  - Right-click the Management Server, then select Properties.
  - Next to the TLS Credentials field, click Select, then select a TLS Credentials element.
  - Next to the TLS Profile field, click Select, then select a TLS Profile element.
    The TLS Profile element defines the cryptographic suite for TLS connections, the trusted certificate authorities,
    options for certificate matching, and whether certificates are checked against certificate revocation lists.
  - Click OK.
- In the properties of each Administrator, configure certificate-based authentication.
  - Select Configuration, then browse to Administration.
  - Select .
  - Right-click an Administrator element, then select Properties.
  - From the Authentication drop-down list, select Client Certificate.
  - From the Client Identity Type drop-down list, select the certificate attribute that is used to identify the administrator.
  - Specify the value of the certificate attribute in one of the following ways:
    - In the Identity Value field, enter the value of the certificate attribute.
    - Click Fetch From Certificate, then import the certificate to get the value from the certificate.
  - Click OK.
- Export the certificate from the TLS Credentials element that is used by the Management Server, then import the certificate on each
  administrator's computer and configure the operating system to trust the certificate.
  Alternatively, you can sign the certificate request for the Management Server using a CA that is already trusted by the
  administrators' client operating systems.
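
The following PowerShell sketch is an added example, not part of the product documentation. It covers the last step on an administrator's Windows 10 computer and lists the certificate fields you might enter as the Identity Value. Assumptions: the file path and expected fingerprint are placeholders, "trust" is implemented by importing into the local machine's Trusted Root store (run from an elevated prompt), and which field the product matches depends on the Client Identity Type you selected.

```powershell
# Added example. Placeholders: replace with your exported file and a fingerprint
# you obtained out of band from whoever administers the Management Server.
$CertPath       = 'C:\Temp\mgmt-server.cer'
$ExpectedSha256 = '<SHA-256 fingerprint obtained out of band>'

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try   { [BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

# 1. Inspect the exported Management Server certificate before trusting it.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $CertPath).Path
$actual = Get-Sha256Fingerprint $server
"Subject   : $($server.Subject)"
"Valid to  : $($server.NotAfter)"
"SHA-256   : $actual"

# Refuse to import anything that is expired or does not match the expected fingerprint.
if ($server.NotAfter -lt (Get-Date)) { throw 'Certificate has expired; not imported.' }
if ($actual -ne ($ExpectedSha256 -replace '[:\s]', '')) {
    throw 'Fingerprint mismatch; certificate not imported.'
}
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. List certificates in the user's store that can be used for client authentication,
#    with the standard X.509 fields that could serve as the identity attribute.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.Count -eq 0 -or
         $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    } |
    ForEach-Object {
        $c   = $_
        $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Subject        = $c.Subject
            CommonName     = $c.GetNameInfo('SimpleName', $false)
            Email          = $c.GetNameInfo('EmailName', $false)
            Upn            = $c.GetNameInfo('UpnName', $false)
            SubjectAltName = if ($san) { $san.Format($false) } else { '' }
            Thumbprint     = $c.Thumbprint
        }
    } | Format-List
```

Compare the printed field against the Identity Value configured for the Administrator element; a mismatch in case, spacing, or attribute order in the subject is a common reason for a certificate that the operating system accepts but the server does not map to an administrator.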