USG60 - Device certificate authentication ?
Is this possible trough a Mesh AP Group with an USG60W ?
Thx forward
Chris
All Replies
-
Hi @ChristianG
For authenticating client certificate, you can generate/purchase certificate by third party certification.
After imported certificate chain, you can change HTTPS certificate which you imported.
And enable “Authenticate Client Certificates” function to auth client certificate.
Before enable Auth-client function, you must to import certificate into PC. (Local Host > personal & trusted root certificate authority)
Then PC will able display login page if imported certificate successfully.
For user authority, you can enable Web Authentication function.
Before user access to internet, it will force redirect to login page first.
After entered username & password then user will able access to internet.
If you would like to auth client before access to internet, Web Authentication should enough.
Because some of OS may unable import certificate, and it may leads login page unable display successfully.
0 -
Hi @Zyxel_Stanley,sorry for this delay during covid19 and thanks for your reply !The planed PKI is based on an private 2-tire PKI that service certificates based on client (no user) certificates.The "enable Auth-client function" is ckecking the certificate from every device that would get connected befor the DHCP is serving the IP ? also for WLAN devices ?Backup of USG60W config is existingIf the Certificate is not working, the device require a factory default reset an import the backup ?Thx forwardChris0
-
Hi @ChristianG
The Auth client function will check client certificate before access to device Login page. (not DHCP)
If the client doesn’t have the certificate, he will not see the login page.(then user will unable to do user authentication)
You can enter these command by console or SSH to disable Auth-client certificate function.
Router# configure terminal
Router(config)# no ip http secure-server auth-client
Router(config)# write
0 -
and is the certificate check (Client certificate) also in the background possible ?
e.g. if client-certificate is not revoced, the device get access to the LAN-Zone ?thx and regards
Christian
0 -
Hi @ChristianG
When Web Authentication function is enabled, the device will pop up a login page to authenticate the user.If the client does not have the certificate, the pop up page will not be displayed successfully.
Then client traffic won’t pass to others subnets. (however, the broadcast traffic still will be passed through)
0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 218 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 245 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3.1K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight