Client authentication problem with ACE module

Unanswered Question
May 13th, 2009

Hello

I'm trying to configure SSL client authentication in the ACE module. The config looks like this:

crypto authgroup CLI_AUTHENTICATION
  cert CA

ssl-proxy service SSL-test
  authgroup CLI_AUTHENTICATION
  cert cert.pem
  key key.pem

The config works OK without the client authentication feature.

The CA cert is the CA certificate that signed the test user certificate.

When I've tried to connect via IE, the browser asks me which certificate I'd like to use, but when I choose the correct one, I receive the information that the session could not be established.

I've checked the logs on the ACE, but there is no information about SSL problems.

I've also tried to use "debug ssl all", but it does not return any output.

Does anybody know why it could not work?

Thanks in advance

Regards

Lucas



sachinga.hcl Wed, 05/13/2009 - 17:40
User Badges: Silver, 250 points or more

Hi Lukaszk,

Which mode are you using: routed, bridged, or one-arm? Kindly tell. Also, have you configured a chaingroup and parameter map for the same?

It is not clear from your config, so it is not sufficient to comment on right now.

Can you send the output of the following commands so I can suggest more on your config?

ACE-1/routed# show crypto files
ACE-1/routed# show crypto certificate all
ACE-1/routed# show crypto key all
ACE-1/routed# show crypto session
ACE-1/routed# show crypto hardware
ACE-1/routed# show service-policy detail

Kindly find below the SSL config example:

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

All examples:

http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples

Sachin Garg

lukaszkhalil Thu, 05/21/2009 - 05:19

Hi

I'm using the routed mode. I've configured the chaingroup as below:

crypto chaingroup test
  cert CA

What parameter-map are you talking about? I have not found any information that it is required.

The rest of the outputs are attached.

litrenta Tue, 05/19/2009 - 11:51
User Badges: Cisco Employee

Do "show stats crypto server" before and after the client attempt and see which counter increments (SSL alert). Make sure the clock on the supervisor has the correct date to avoid failing the not-before/not-after check of the cert.

lukaszkhalil Thu, 05/21/2009 - 05:47

Hello

I've done the test, and it seems that I hit two alerts:

SSL alert HANDSHAKE_FAILED sent:
SSL alert HANDSHAKE_FAILED rcvd:

Is there any method, except sniffing, to check what is wrong with this handshake?

I'm attaching the whole output before and after the attempt.
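
An added offline check, not part of this thread and not ACE code, for the two causes the replies point at when a client-auth handshake ends in HANDSHAKE_FAILED: the client certificate not chaining to the CA loaded in the authgroup, and the device clock sitting outside the certificate's not-before/not-after window. It assumes openssl is installed; every certificate it uses is throwaway test material generated in a temporary directory, and the file names (ca.pem, other-ca.pem, client.pem) are assumptions, not the names used on the ACE.

```shell
#!/bin/sh
# Added example (not from the thread, not ACE code): reproduce with openssl the two
# checks behind a client-auth HANDSHAKE_FAILED. Assumes openssl is on PATH.
# All certificates are constructed here as throwaway test material.
set -e

WORK=$(mktemp -d)

# Build a throwaway "Test CA" (the CA the authgroup would trust), a client
# certificate signed by it, and an unrelated "Other CA" that stands in for a
# mismatched authgroup CA. File names are assumptions for this example.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Test CA" -days 30 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other-ca.key" \
    -out "$WORK/other-ca.pem" -subj "/CN=Other CA" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
    -out "$WORK/client.csr" -subj "/CN=test user" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/client.pem" -days 30 >/dev/null 2>&1
}

# Chain check: exit 0 when $2 (client cert) verifies against $1 (CA file) alone,
# non-zero otherwise. The system trust store is excluded so only the given CA
# counts, which mirrors an authgroup that holds a single CA certificate.
verify_client_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same chain check, evaluated as if the clock read $3 (epoch seconds). A device
# whose clock is outside the certificate's validity window fails exactly this way.
verify_at_time() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1
}

make_test_pki
NOW=$(date +%s)

if verify_client_chain "$WORK/ca.pem" "$WORK/client.pem"; then
  echo "client cert chains to Test CA: OK"
fi
if ! verify_client_chain "$WORK/other-ca.pem" "$WORK/client.pem"; then
  echo "client cert does not chain to Other CA: the authgroup CA must be the issuing CA"
fi
if ! verify_at_time "$WORK/ca.pem" "$WORK/client.pem" $((NOW - 365*86400)); then
  echo "clock one year behind: cert is not yet valid (fix the supervisor clock)"
fi
if ! verify_at_time "$WORK/ca.pem" "$WORK/client.pem" $((NOW + 60*86400)); then
  echo "clock 60 days ahead: cert has expired"
fi
```

On a real deployment the same two openssl calls work with the exported client certificate and the CA file that was imported into the authgroup; if the chain check fails locally, the ACE will reject the same certificate, and no amount of debug output changes that.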