USG60 - Device certificate authentication ?

ChrisGer
ChrisGer Posts: 205  Ally Member
First Anniversary Friend Collector First Answer First Comment
edited April 2021 in Security
Hi Community,
i'm planing to extend the authentication by implementing a self-signed certificate on every device (internal 2 tire-ca). Authentication require the certificaate before grand access to the network.
Is this possible trough a Mesh AP Group with an USG60W ?

Thx forward
Chris

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ChristianG

    For authenticating client certificate, you can generate/purchase certificate by third party certification.

    After imported certificate chain, you can change HTTPS certificate which you imported.


    And enable “Authenticate Client Certificates” function to auth client certificate.

    Before enable Auth-client function, you must to import certificate into PC. (Local Host > personal & trusted root certificate authority)

    Then PC will able display login page if imported certificate successfully.

     

    For user authority, you can enable Web Authentication function.


    Before user access to internet, it will force redirect to login page first.

    After entered username & password then user will able access to internet.

     

    If you would like to auth client before access to internet, Web Authentication should enough.

    Because some of OS may unable import certificate, and it may leads login page unable display successfully.

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    sorry for this delay during covid19  :'( and thanks for your reply !

    The planed PKI is based on an private 2-tire PKI that service certificates based on client (no user) certificates.

    The "enable Auth-client function" is ckecking the certificate from every device that would get connected befor the DHCP is serving the IP ? also for WLAN devices ?

    Backup of USG60W config is existing ;) 
    If the Certificate is not working, the device require a factory default reset an import the backup ?

    Thx forward
    Chris
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ChristianG  

    The Auth client function will check client certificate before access to device Login page. (not DHCP)

    If the client doesn’t have the certificate, he will not see the login page.(then user will unable to do user authentication)

    You can enter these command by console or SSH to disable Auth-client certificate function.

    Router# configure terminal
    Router(config)# no ip http secure-server auth-client
    Router(config)# write

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    and is the certificate check (Client certificate) also in the background possible ?
    e.g. if client-certificate is not revoced, the device get access to the LAN-Zone ?

    thx and regards
    Christian

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ChristianG
    When Web Authentication function is enabled, the device will pop up a login page to authenticate the user.

    If the client does not have the certificate, the pop up page will not be displayed successfully.

    Then client traffic won’t pass to others subnets. (however, the broadcast traffic still will be passed through)

Security Highlight