I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing, in addition to client authentication. I have a situation that requires the ACE to pass expired client certificates currently deployed on some clients.
Which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode?
- authentication-failure ignore [Only]
- authentication-failure redirect cert-expired
- authentication-failure ignore with authentication-failure redirect cert-expired
If you configure authentication-failure ignore, the ACE will ignore the client cert if expired and continue with SSL termination. Redirect can be used if you want the ACE to redirect the user to a different serverfarm or a different URL.
If I configure authentication-failure ignore, does that ignore all certificate errors?
I have some concerns regarding security issues: if the ignore option is used, does it pass expired certificates only, or will this cause clients with no certificates or wrong certificates to pass as well?
Yes, you are correct. It will ignore all certificate errors. But if you need to configure redirect, you would need to define a different serverfarm or URL. If this is a short-term fix before you update certificates, I guess authentication-failure ignore would be the best option.
I have a requirement to ignore the client cert expiry for the clients in my networks, so I want to know the best way I can do it, as I only need to allow the ACE to pass the expired cert and appropriate client certs, and if the ACE receives a wrong cert then it should drop it.
At the moment there is no specific command which will let the ACE ignore certificate expiration only. You can use redirect, but again that will redirect the user to a different serverfarm or URL. You can try disabling client authentication itself; then the ACE won't ask for a client certificate during the SSL handshake.
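The two options discussed in this thread, written out as an added configuration example (not config from the original post or from Cisco documentation). The parameter-map names, the serverfarm name `SF_CERT_RENEWAL`, and the `ssl-proxy service` / `ssl advanced-options` lines that bind a parameter map to the terminating proxy are assumptions for illustration; the `authentication-failure ignore` and `authentication-failure redirect cert-expired` keywords are the ones named in the thread.

```cisco
! --- Option A: weak setting (as the replies above note, accepts ANY client-cert failure,
!     not only expiry: no cert, wrong cert and expired cert all complete the handshake) ---
parameter-map type ssl PMAP_IGNORE_ALL      ! hypothetical name
  authentication-failure ignore

! --- Option B: redirect only the expired-certificate case to a separate serverfarm ---
!     Only clients whose certificate failed with "expired" match this line; the
!     thread gives no command that accepts an expired cert while rejecting others.
serverfarm host SF_CERT_RENEWAL              ! hypothetical serverfarm holding the renewal page
  rserver RS_RENEWAL                         ! hypothetical rserver name
    inservice

parameter-map type ssl PMAP_REDIRECT_EXPIRED ! hypothetical name
  authentication-failure redirect cert-expired serverfarm SF_CERT_RENEWAL

! --- Binding (assumed syntax): attach one of the maps to the SSL termination proxy ---
ssl-proxy service SSL_TERM                   ! hypothetical service name
  ssl advanced-options PMAP_REDIRECT_EXPIRED
```

Option A is the short-term workaround the replies recommend only because no expiry-specific ignore exists; it removes the value of client authentication entirely while in place, so it is worth logging when it was applied and removing it once the client certificates are reissued. Option B keeps the distinction between an expired certificate and any other failure, at the cost of expired-cert clients being served from the redirect serverfarm rather than the normal one.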