Defining Client Certificate Criteria

To specify criteria that client certificates must meet, use a Boolean expression. To belong to a group, the user must meet the certificate criteria in addition to passing all other authentication rules that are configured for that group. For example, the following criteria requires that the subject field of the client certificate provided by a user has the Organization Unit (OU) set to Accounting and the Common Name (CN) attribute set to a value matching the user's local user name on the Access Gateway.

client_cert_end_user_subject_organizational_unit="Accounting" and

Valid operators for the client certificate are as follows:

    and logical AND

    = equality test
    Valid constants for the criteria are:
    true logical TRUE
    Valid variables for the criteria are:
    username local user name on the Access Gateway
    client_cert_end_user_subject_common_name CN attribute of the Subject of the client certificate
    client_cert_end_user_subject_organizational_unit OU attribute of the Subject of the client certificate
    client_cert_end_user_subject_organization O attribute of the Subject of the client certificate
    Values for the client certificate criteria require quotation marks around them to work. Correct and incorrect examples are:

    The Boolean expression
    client_cert_end_user_subject_common_name="" is valid and it works.

    The Boolean expression is not valid and does not work

To specify client certificate configuration:

    1. On the Access Policy Manager tab, right-click a group that is not the default group and click Properties.

    Note: Client certificate configuration is not available for the default user group

    2. On the Client Certificate tab, under Client certificate criteria expression, type the certificate information. Click OK.