asa CA server permits to bypass access via certificate

Unanswered Question
Feb 21st, 2008

I am configuring an ASA5520, which is acting as a Certificate server.

The CA server is enabled and I have issued some client certificates.

I have enabled the following commands:
enable outside

ssl certificate-authentication interface outside port 443

When I login on the outside I am presented with a request for selecting a client certificate.

When I select this certificate I have access to the web-page of the ASA.

So far OK!

However, when I start a new session and

hit escape on the keyboard when the ASA requests a client certificate, I also get access?!?!?!?!

It bypasses the authentication!

When I enable this on the inside interface (just for testing):
enable inside

ssl cert-auth int inside port 443

In that case, when I hit escape, I get a 401 unauthorized message.

This should also be true on the outside.

Can anyone tell me what I am doing wrong?

paulomv Fri, 02/29/2008 - 04:06

Do you have your tunnel group configured for Certificate Authentication?

It seems you enabled the interface Outside to ask for Certificates, but probably your Tunnel Group Authentication Policy is not configured to authenticate by Certificate or both Methods (AAA and Certificate).

Check the config of your tunnel group.
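The check suggested above, as an added audit script that is not from the thread or from Cisco: it parses a running-config for interfaces that prompt for a client certificate and reports WebVPN tunnel-groups whose authentication does not include "certificate". The sample config is constructed to mirror the poster's situation; treating a tunnel-group without an authentication line as AAA-only is an assumption about the ASA default.

```python
"""Audit an ASA config for the mismatch discussed in this thread: an interface
that asks browsers for a client certificate (ssl certificate-authentication)
while the WebVPN tunnel-group still authenticates by AAA only, so a browser
that declines the certificate prompt is not rejected by certificate policy."""
from __future__ import annotations
import re

# Constructed sample config (not a real device dump) mirroring the thread.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 enable inside
ssl certificate-authentication interface outside port 443
ssl certificate-authentication interface inside port 443
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa
tunnel-group CERT-USERS type remote-access
tunnel-group CERT-USERS webvpn-attributes
 authentication certificate
tunnel-group MIXED webvpn-attributes
 authentication aaa certificate
"""

def cert_auth_interfaces(config: str) -> set[str]:
    """Interfaces on which the ASA prompts for a client certificate."""
    pat = r"^ssl certificate-authentication interface (\S+)"
    return set(re.findall(pat, config, re.M))

def tunnel_group_auth(config: str) -> dict[str, set[str]]:
    """Map each tunnel-group with webvpn-attributes to its auth methods."""
    result: dict[str, set[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) webvpn-attributes", line)
        if m:
            current = m.group(1)
            result[current] = {"aaa"}  # assumed default when no authentication line
            continue
        if current and line.startswith(" "):
            m = re.match(r"\s+authentication (.+)", line)
            if m:
                result[current] = set(m.group(1).split())
        elif not line.startswith(" "):
            current = None  # left the tunnel-group sub-mode
    return result

def find_weak_groups(config: str) -> list[str]:
    """Tunnel-groups that never require a certificate although some interface
    prompts for one; the prompt alone is not enforcement."""
    if not cert_auth_interfaces(config):
        return []
    return sorted(g for g, methods in tunnel_group_auth(config).items()
                  if "certificate" not in methods)
```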
