Client authentication problem with ACE module

lukaszkhalil
Level 1

Hello

I'm trying to configure the SSL client authentication in ACE module. The config looks like that

crypto authgroup CLI_AUTHENTICATION
  cert CA

ssl-proxy service SSL-test
  authgroup CLI_AUTHENTICATION
  cert cert.pem
  key key.pem

The config works ok, without the client authentication feature.

The CA cert is a CA certificate that signed the test user certificate.

When I've tried to connect via the IE, the browser is asking me which certificate I'd like to use, but when I choose the correct one, I receive the information that the session could not be established.

I've checked the logs on the ACE, but there is no information about SSL problems.

I've also tried to use "debug ssl all", but it does not return any output.

Does anybody know why it could not work?

Thanks in advance

Regards

Lucas

4 Replies

sachinga.hcl
Level 4

Hi Luckaszk,

Which mode are you using: routed, bridged, or one-arm? Kindly tell. Also, have you configured a chaingroup and a parameter map for the same?

It is not clear from your config, so it is not sufficient to comment on right now.

Can you send the output of the following commands, so that I can suggest more on your config?

ACE-1/routed# show crypto files

ACE-1/routed# show crypto certificate all

ACE-1/routed# show crypto key all

ACE-1/routed# show crypto session

ACE-1/routed# show crypto hardware

ACE-1/routed# show service-policy detail

Kindly find below the SSL config example:

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

All examples:

http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples

Sachin Garg

Hi

I'm using the routed mode. I've configured the chaingroup as below

crypto chaingroup test

cert CA

What parameter-map are you talking about? I have not found any information that it is required.

The rest of the outputs are attached.

litrenta
Level 3

Do "show stats crypto server" before and after the client attempt and see which counter increments (ssl alert). Make sure the clock on the supervisor has the correct date, to avoid failing the not-before/not-after check of the cert.

Hello

I've done the test, and it seems that I hit two alerts

SSL alert HANDSHAKE_FAILED sent:

SSL alert HANDSHAKE_FAILED rcvd:

Is there any method, except sniffing, to check what is wrong with this handshake?

I'm attaching the whole output before and after the attempt
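As an added example, not code from this thread or from Cisco, the script below runs offline with openssl the two checks the replies point at: whether the client certificate chains to the CA loaded in the authgroup, and whether it is valid at the time the supervisor clock reports. All certificates and keys are generated locally for the demo, and file names such as CA.pem and user.pem are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or Cisco: use openssl to reproduce offline
# the two checks the replies point at (does the client cert chain to the CA in
# the authgroup, and is it valid at the supervisor's clock time?). Every cert
# and key below is constructed locally for the demo; names like CA.pem are
# assumptions.
set -e
WORK=$(mktemp -d)

make_ca() {            # $1 = CA name; self-signed throwaway CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_client() {        # $1 = issuing CA name, $2 = client name; 30-day cert
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# check_client_cert CA.pem client.pem [epoch]
# Returns 0 when the cert chains to the CA and is valid at the given time
# (default: now), 2 when only the validity window fails (suspect the clock),
# 1 when the chain does not verify (wrong or missing CA in the authgroup).
check_client_cert() {
  ca=$1; cert=$2; at=${3:-$(date +%s)}
  if out=$(openssl verify -attime "$at" -CAfile "$ca" "$cert" 2>&1); then
    echo "ok: $cert chains to $ca and is valid at $at"; return 0
  fi
  case "$out" in
    *"has expired"*|*"not yet valid"*)
      echo "validity window failed, check the supervisor clock: $out"; return 2 ;;
    *)
      echo "chain check failed: $out"; return 1 ;;
  esac
}

make_ca CA
make_ca OTHERCA
make_client CA user             # signed by the CA the authgroup trusts
make_client OTHERCA stranger    # signed by a CA the authgroup does not know
check_client_cert "$WORK/CA.pem" "$WORK/user.pem"
check_client_cert "$WORK/CA.pem" "$WORK/stranger.pem" || true
# Same good cert, but checked as if the supervisor clock were 60 days ahead.
check_client_cert "$WORK/CA.pem" "$WORK/user.pem" $(( $(date +%s) + 60*86400 )) || true
```

A browser that presents a certificate the ACE cannot chain to the authgroup CA, or one outside its validity window, gets exactly the HANDSHAKE_FAILED alert pair shown above, so these two checks separate a wrong CA from a wrong clock without a packet capture.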