Use device certificates for authentication
NetScaler Gateway supports the device certificate check that enables you to bind the device identity to a certificate’s private key. The device certificate check can be configured as part of classic or advanced Endpoint Analysis (EPA) policies. In classic EPA policies, the device certificate can be configured only for preauthentication EPA.
NetScaler Gateway verifies the device certificate before the endpoint analysis scan runs or before the logon page appears. If you configure endpoint analysis, the endpoint scan runs to verify the user device. When the device passes the scan and after NetScaler Gateway verifies the device certificate, users can then log on to the NetScaler Gateway.
Important:
- By default, Windows mandates admin privileges for accessing device certificates.
- To add a device certificate check for non-admin users, you must install the VPN plug-in. The VPN plug-in version must be the same version as the EPA plug-in on the device.
- You can add multiple CA certificates to the gateway and validate the device certificate.
- If you install two or more device certificates on NetScaler Gateway, users must select the correct certificate when they start to log on to NetScaler Gateway or before the endpoint analysis scan runs.
- When you create the device certificate, it must be an X.509 certificate.
- If you have a device certificate issued by an intermediate CA, then both intermediate and root CA certificates must be bound.
- The EPA client needs the user to have local administrator rights to be able to access the machine certificate store. This is rarely the case, so a workaround is to install the full NetScaler Gateway plug-in which can access the local store.
For more information about creating device certificates, see the following:
- Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS) on the Microsoft website.
- How to request a certificate from a Microsoft Certificate Authority using DCE/RPC and the Active Directory Certificate profile payload on the Apple support website.
- iPad / iPhone Certificate Issuance on the Ask the Directory Services Team Microsoft support blog.
- Setting Up Network Device Enrollment Service on the Windows IT Pro website.
- Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority on the Microsoft System Center website.
Steps to configure device certificates
To configure a device certificate, you must complete the following steps:
-
Install the device certificate issuer’s certificate authority certificate on NetScaler Gateway. For details, see Installing the Signed Certificate on NetScaler Gateway.
-
Bind the device certificate issuer’s certificate authority certificate to the NetScaler Gateway virtual server and enable OCSP check. For details, see Installing the Signed Certificate on NetScaler Gateway.
-
Create and bind OCSP (responder) on device certificate issuer’s certificate authority certificate. For details, see Monitor certificate status with OCSP.
Enable device certificate check on the virtual server and add device certificate issuer’s certificate authority certificate to the device certificate checklist. For details, see Enable device certificate check on a virtual server for classic EPA policy.
Complete the client-side configuration and verification of device certificate on the Windows machine. For details, see Verification of device certificate on a Windows machine.
Note:
All the clients intended to avail the device certificate EPA check must have the device certificate installed in the system certificate store of the machine.
Enable device certificate check on a virtual server for classic EPA policy
After you create the device certificate, you install the certificate on NetScaler Gateway by using the procedure for Importing and Installing an Existing Certificate to NetScaler Gateway.
- On the Configuration tab, navigate to NetScaler Gateway > Virtual Servers.
- On the NetScaler Gateway Virtual Servers page, select an existing virtual server and click Edit.
- On the VPN Virtual Servers page, under Basic Settings section, click Edit.
- Clear the Enable Authentication box to disable authentication.
- Select the Enable Device Certificate box to enable device certificate
- Click Add to add an available device certificate issuer’s CA certificate name to the list.
- For binding a CA certificate to the virtual server, click CA certificate under the CA for Device Certificate section, click Add, select the certificate, and then click +.
Note:
For information on enabling and binding device certificates on a virtual server for advanced EPA policy, see Device Certificate in nFactor as an EPA component.
Verification of device certificate on a Windows machine
-
Open a browser and access the NetScaler Gateway FQDN.
-
Allow the Citrix End Point Analysis (EPA) client to run. If not already installed then install EPA.
Citrix EPA runs and validates the Device Certificate and redirects to the authentication page if the Device Certificate EPA check passes, else it redirects you to the EPA error page. In case you have other EPA checks, then the EPA scan results depend on the configured EPA checks.
For further debugging on the client, examine the following EPA logs on the client: C:\Users<User name>\AppData\Local\Citrix\AGEE\nsepa.txt
Note:
Device certificate verification with CRL is not supported.