Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1156
Views
0
Helpful
5
Replies

Authgroup certs with same Subject

Edward Clear
Level 1
Level 1

‎07-02-2013 01:03 PM

I've got an authgroup set up to authenticate Client Certs in inbound SSL connections.  Initially the authgroup had one CA certificate from each of our RSA and MSFT CAs and all was well.  Well for some reason the MSFT admin reissued his CA cert and started signing new clients.  Once they noticed the new certs didn't work through the ACE, they asked me to upload the new MSFT CA cert.   So I did and added it to the authgroup.  However new Client Certs still didn't work.  I noticed the authrgoup listed the new MSFT CA Cert last, so I temporarily removed the older CA MSFT CA Cert from the authgroup and then the new Client certs validate.   But if I put the older MSFT CA Cert back in the authgroup (as it's still required) it goes back ahead of the newer one and the new Client Certs start failing again.   So it seems like the fact that the two MSFT CA Certs have the same Subject might be fouling up the authentication, with the search through the authgroup possibly terminating at the first Subject match.

Anyone know if this is the case and if there's a way around it?

I'm running A2(3.6a) on an ACE20 in a 6500 whose sup is running 12.2(33) SXI11.  

1 person had this problem
Labels:
0 Helpful
5 Replies 5

jozef.mozolik
Level 1
Level 1

‎04-10-2014 02:38 PM

Hi ,

we have the same problem with ACE30 A5(2.1e). Did you find a solution for your problem? Thanks for any ideas.

 

thanks

jm.,

0 Helpful

Edward Clear
Level 1
Level 1
In response to jozef.mozolik

‎04-11-2014 06:42 AM

I set up a second SSL proxy with a different authgroup and a different port.  I put the two confilicting CA certs in the separate authgroups. When the CA check fails in the first group, the user is redirected to the second proxy.  This also lets you get around the limit of 4 certs in an authgroup, which is useful in a development environment with many CAs.

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to Edward Clear

‎04-11-2014 05:32 PM

Hi J,

Can you share the configuration. It could be useful example for others to follow.

Thanx

Kanwal

0 Helpful

jozef.mozolik
Level 1
Level 1
In response to Edward Clear

‎04-14-2014 12:24 AM

Hi All,

 

thank you for the quick reply, we have implemented exactly the same workaround finally. authentication-failure + redirecty to second proxy/port with different auth group configured.

 

regards

jm.,

 

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to jozef.mozolik

‎04-11-2014 05:32 PM

Hi,

You may be interested in this: CSCtg00135

Regards,

Kanwal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents