Authentication items perform authentication or authentication-related functions, such as:
Verify credentials (or a PIN or a token)
Inspect SSL certificates
Check SSL certificate revocation status
Verify the result of passwordless authentication
Perform accounting, and so on.
An authentication item usually follows a logon item or another authentication item in an access policy. An access policy can contain any number of authentication items.
An administrator that configures authentication items can make these choices:
Specify an AAA server (or pool in cases where high availability is supported) against which to authenticate. Access Policy Manager (APM) supports many types of AAA servers.
Inspect the SSL certificate presented during the initial SSL handshake, or specify on-demand certificate authentication (to re-negotiate the SSL connection). On-demand authentication is not supported in every type of access configuration.
Select a Certificate Revocation Location (CRL) or Online Certificate Status Protocol (OCSP) responder for verifying revocation status.
Other configuration objects must be created before configuring an authentication item or before a particular type of authentication is fully configured and working.