TAC supports certificate-based authentication: the administrator can configure a TAC site to require a client certificate from the endpoint when a user accesses the site.
Certificate-based authentication is a strong way of protecting login access against malicious devices and stolen user credentials. An intruder may try to access the site with stolen credentials or through a man-in-the-middle attack. With certificate-based authentication enabled, a user must present a valid certificate issued by a certificate authority that the organization trusts in order to access the secured site. Certificate-based authentication in TAC therefore provides two layers of protection: before prompting for user credentials, TAC looks for a valid certificate on the user's endpoint, and only if one is present and was issued by the trusted certificate authority configured for the site is the user allowed to enter credentials. Otherwise, access is denied.
Further, TAC does not only check that a certificate is present; it also validates the certificate's parameters (such as revocation status and certificate usage, configured in step 5c below), so that only properly issued endpoint certificates are accepted.
To enable certificate-based authentication, add it as an authentication method in the Authentication and Authorization Servers list and then assign it to the Site as an authentication server.
Do the following to add certificate-based authentication:
1. Open the Authentication and Authorization Servers window under the Configuration menu in TAC Configuration Manager.
2. In the Authentication and Authorization Servers window, click Add.
3. In the Configure Authentication and Authorization Servers window, in the General section, select Certificate as the type of authentication.
4. In the Name field, enter a friendly name.
5. In the Configuration section, add the CA certificate of the trusted certificate authority that issues the client certificates.
a. Click Change in the CA certificate field and add the CA certificate.
b. Optionally, add an SSL bridging certificate for cases where the client's connection must be bridged to a backend server. This certificate must be a .pfx (PKCS#12) file, which carries the private key together with the certificate. Click Change in the SSL Bridging cert field to add it.
c. Configure which parameters to check when validating the certificate: certificate revocation, certificate usage, CRL refresh and CRL download timeout. Choose settings that meet your enterprise requirements.
Next, in the On Certificate Error field, select what to do when certificate validation fails: close the connection immediately, or return an HTTP 403 error to the client browser.
If you select “close connection”, the user gets no notification; the connection simply fails and the user never sees the TAC login screen. Even if multiple authentication types are selected, certificate among them, TAC checks the certificate first, and only if it is valid do the other authentication servers perform their authentication. This way, endpoints without a valid certificate never reach the credential prompt.
In some cases the certificate check should be optional rather than required. To make it optional, select the “Is optional in multi-factor authentication” checkbox. Then, if multiple authentication servers are configured, certificate among them, and a client does not present a certificate, the certificate check is skipped and the user is authenticated by the other configured methods. Be aware that this gives up the protection against stolen credentials used from a device that has no certificate, so enable it only where the other methods are strong enough on their own.
Important: When a site that uses certificate-based authentication shares the same IP:Port with a site that does not, SSL binding is switched to Server Name Indication (SNI) mode, which may have compatibility issues with older browsers. If SNI is not desired, make sure the site with certificate-based authentication uses a unique IP address or port.