Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
786
Views
0
Helpful
7
Replies

ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures

hisham.khreisat
Level 1
Level 1

‎10-15-2014 02:40 PM

Dears,

 

I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that require the ACE to pass expired client certificate currently deployed on some clients.

 

which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode.

 

- authentication-failure ignore [Only]

OR

- authentication-failure redirect cert-expired

OR

- authentication-failure ignore with authentication-failure redirect cert-expired
 

Appreciate your help


 

Labels:
0 Helpful
7 Replies 7

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎10-15-2014 05:45 PM

Hi Hisham,

If you configure authentication-failure ignore, ace will ignore the client cert if expired and continue with SSL termination. Redirect can be used if you want the ACE to redirect the user to a different serverfarm or a different URL.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful

hisham.khreisat
Level 1
Level 1
In response to Kanwaljeet Singh

‎10-15-2014 11:40 PM

If I configure authentication-failure ignore , is that ignore all certificate errors ?!

I have some concerns regarding security issues that if ignore option can be used does it pass expired certificates only or this will cause clients with no certificates or wrong certificates also to pass?

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to hisham.khreisat

‎10-16-2014 05:57 AM

Hi Hisham,

Yes, you are correct. It will ignore all certificate errors. But if you need to configure redirect, you would need to define a different serverfarm or URL. If this is short term fix before you update certificates, i guess authentication-failure ignore would be the best option.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful

hisham.khreisat
Level 1
Level 1
In response to Kanwaljeet Singh

‎10-17-2014 01:08 PM

I have requirement to ignore the  client cert expired for the clients in my networks , so I want to know the best way I can do it , as I only need to allow ACE to pass the expired cert and appropriate client certs and if ACE receives a wrong cert then it should be dropping it .

 

any advise  ??!!

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to hisham.khreisat

‎10-20-2014 05:39 AM

Hi Hisham,

At the moment there is no specific command which will let the ACE ignore certificate expiration only. You can use redirect but again that will redirect the user to a different serverfarm or URL. You can try and disable client authentication itself. Due to this, ACE won't ask for client certificate during SSL handshake.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

0 Helpful

hisham.khreisat
Level 1
Level 1
In response to Kanwaljeet Singh

‎10-31-2014 04:48 PM

Dear Kanwalsi

 

To pass only cert-expired !!! what do you think to apply the following

 

parameter-map type ssl TEST
authentication-failure ignore
authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
authentication-failure redirect no-client-cert url http://TESt.com/sorry.html 302
authentication-failure redirect cert-has-signature-failure url http://TESt.com/sorry.html 302
authentication-failure redirect cert-other-error url http://TESt.com/sorry.html 302
authentication-failure redirect cert-revoked url http://TESt.com/sorry.html 302
authentication-failure redirect crl-has-expired url http://TESt.com/sorry.html 302
authentication-failure redirect crl-not-available url http://TESt.com/sorry.html 302

 

 

 

 

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to hisham.khreisat

‎11-02-2014 03:19 PM

Hi,

The below option can be used but it will redirect the user to the location which will specify which seems to be SORRY page.

Admin(config-parammap-ssl)# authentication-failure redirect cert-expired url xxx.com 302

Regards,

Kanwal

Note: Please mark answers if they are helpful.

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents