ACE SSL terminator user authentication

Unanswered Question
Jul 21st, 2009
Hi,

We have an ACE4710, and I configured the ACE for load balancing and as an SSL terminator with user authentication. All users authenticate when browsing the https://x.x.x.x URL, and everything works well. But I want users to authenticate with an SSL certificate only when browsing a particular URL on my server. For example, when a user browses the URL https://x.x.x.x/Test there is no need to be authenticated, but when browsing the URL https://x.x.x.x/testSSL/ they need to authenticate.

Can you post an example and help me do this?

Thanks in advance.

vaba Thu, 07/23/2009 - 01:46

Does anyone have an idea? This is my configuration:

crypto authgroup AUTH_CERT_1
  cert CARoot.crt

probe icmp PING_TEST
  interval 15
  passdetect interval 60

parameter-map type ssl SSL_PARAMETER_MAP
  authentication-failure ignore

rserver host RS_web_1
  description ### WEB SERVER 1 ###
  ip address 192.168.2.103
  inservice

serverfarm host WEB_SERVERFARM
  probe PING_TEST
  rserver RS_web_1 80
    inservice

ssl-proxy service SSL-WWWSERVICE-SERVER
  key ACEkey
  cert ACEcer
  authgroup AUTH_CERT_1
  ssl advanced-options SSL_PARAMETER_MAP

ssl-proxy service SSL-WWWSERVICE-SERVER_no_auth
  key ACEkey
  cert ACEcer
  ssl advanced-options SSL_PARAMETER_MAP

class-map match-all L4_VIP_ADDRESS_WEB
  2 match virtual-address 192.168.1.103 any

class-map match-all L4_VIP_ADDRESS_WEB_no_auth
  2 match virtual-address 172.16.1.103 any

class-map type http loadbalance match-all L7CLASS-Test
  2 match http url /Test/*

class-map type http loadbalance match-all L7CLASS-TestSSL
  2 match http url /TestSSL/*

policy-map type loadbalance first-match L7_POLICY_WEB_ssl_auth
  class L7CLASS-Test
    serverfarm WEB_SERVERFARM

policy-map type loadbalance first-match L7_POLICY_WEB_no_ssl_auth
  class L7CLASS-TestSSL
    serverfarm WEB_SERVERFARM

policy-map multi-match VIP_POLICY
  class L4_VIP_ADDRESS_WEB
    loadbalance vip inservice
    loadbalance policy L7_POLICY_WEB_ssl_auth
    ssl-proxy server SSL-WWWSERVICE-SERVER
  class L4_VIP_ADDRESS_WEB_no_auth
    loadbalance vip inservice
    loadbalance policy L7_POLICY_WEB_no_ssl_auth
    ssl-proxy server SSL-WWWSERVICE-SERVER_no_auth


vaba Mon, 08/10/2009 - 12:19

I saw that "policy-map multi-match VIP_POLICY" matches only the first L4 class, and not the second. Is it possible to match two policies with an "or" rule?
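
Added example, not part of the original posts and not Cisco tooling: a small Python audit of the configuration posted above. For each VIP it reports which URL patterns are served, whether the bound ssl-proxy service requests a client certificate (authgroup), and whether a failed certificate check is rejected rather than ignored (authentication-failure ignore in the parameter map). The helper names blocks and audit are hypothetical; the parser assumes indented sub-commands and object names that are unique across the configuration.

```python
import re
CONFIG = """
parameter-map type ssl SSL_PARAMETER_MAP
  authentication-failure ignore
ssl-proxy service SSL-WWWSERVICE-SERVER
  authgroup AUTH_CERT_1
  ssl advanced-options SSL_PARAMETER_MAP
ssl-proxy service SSL-WWWSERVICE-SERVER_no_auth
  ssl advanced-options SSL_PARAMETER_MAP
class-map match-all L4_VIP_ADDRESS_WEB
  2 match virtual-address 192.168.1.103 any
class-map match-all L4_VIP_ADDRESS_WEB_no_auth
  2 match virtual-address 172.16.1.103 any
class-map type http loadbalance match-all L7CLASS-Test
  2 match http url /Test/*
class-map type http loadbalance match-all L7CLASS-TestSSL
  2 match http url /TestSSL/*
policy-map type loadbalance first-match L7_POLICY_WEB_ssl_auth
  class L7CLASS-Test
policy-map type loadbalance first-match L7_POLICY_WEB_no_ssl_auth
  class L7CLASS-TestSSL
policy-map multi-match VIP_POLICY
  class L4_VIP_ADDRESS_WEB
    loadbalance policy L7_POLICY_WEB_ssl_auth
    ssl-proxy server SSL-WWWSERVICE-SERVER
  class L4_VIP_ADDRESS_WEB_no_auth
    loadbalance policy L7_POLICY_WEB_no_ssl_auth
    ssl-proxy server SSL-WWWSERVICE-SERVER_no_auth
"""  # excerpt of the configuration posted above: only the lines that decide client authentication

def blocks(text):  # object name (last word of its header line) -> list of its sub-commands
    found = re.findall(r"^(\S.*)\n((?:[ \t]+.*\n?)*)", text, re.M)
    return {head.split()[-1]: [s.strip() for s in body.splitlines()] for head, body in found}

def audit(text, policy="VIP_POLICY"):
    """Return {VIP: (URL patterns served, client cert requested, bad certs rejected)}."""
    b, per_class, report, cur = blocks(text), {}, {}, {}
    arg = lambda name, cmd: [s.split(cmd, 1)[1].split()[0] for s in b.get(name, []) if cmd in s]
    for sub in b[policy]:                      # group the multi-match policy by L4 class
        *cmd, val = sub.split()
        cur = per_class.setdefault(val, {}) if cmd == ["class"] else cur
        cur[" ".join(cmd)] = val
    for cls, use in per_class.items():
        svc = use["ssl-proxy server"]
        urls = [u for c in arg(use["loadbalance policy"], "class ") for u in arg(c, "match http url ")]
        requested = bool(arg(svc, "authgroup "))
        ignores = any("ignore" in arg(p, "authentication-failure ") for p in arg(svc, "ssl advanced-options "))
        report[arg(cls, "virtual-address ")[0]] = (urls, requested, requested and not ignores)
    return report
```

Run on the posted configuration, audit(CONFIG) reports that 192.168.1.103 serves /Test/* with a certificate requested but failures ignored, and that 172.16.1.103 serves /TestSSL/* with no certificate requested.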
