Cisco Support Community

New Member

ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures

Dears,

 

I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that requires the ACE to pass expired client certificates currently deployed on some clients.

 

Which is the best option from the following to apply using the authentication-failure command in parameter-map SSL configuration mode?

 

- authentication-failure ignore [Only]

OR

- authentication-failure redirect cert-expired

OR

- authentication-failure ignore with authentication-failure redirect cert-expired
 

Appreciate your help


 

7 REPLIES
Cisco Employee

Hi Hisham,

If you configure authentication-failure ignore, the ACE will ignore the client cert if expired and continue with SSL termination. Redirect can be used if you want the ACE to redirect the user to a different serverfarm or a different URL.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

New Member

If I configure authentication-failure ignore, does that ignore all certificate errors?!

I have some security concerns: if the ignore option is used, does it pass expired certificates only, or will this also cause clients with no certificates or wrong certificates to pass?

Cisco Employee

Hi Hisham,

Yes, you are correct. It will ignore all certificate errors. But if you need to configure redirect, you would need to define a different serverfarm or URL. If this is a short-term fix before you update certificates, I guess authentication-failure ignore would be the best option.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

New Member

I have a requirement to ignore expired client certs for the clients in my networks, so I want to know the best way to do it, as I only need the ACE to pass expired certs and appropriate client certs, and if the ACE receives a wrong cert then it should drop it.

Any advice??!!

Cisco Employee

Hi Hisham,

At the moment there is no specific command which will let the ACE ignore certificate expiration only. You can use redirect but again that will redirect the user to a different serverfarm or URL. You can try and disable client authentication itself. Due to this, ACE won't ask for client certificate during SSL handshake.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

New Member

Dear Kanwalsi

 

To pass only cert-expired!!! What do you think of applying the following:

parameter-map type ssl TEST
authentication-failure ignore
authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
authentication-failure redirect no-client-cert url http://TEST.com/sorry.html 302
authentication-failure redirect cert-has-signature-failure url http://TEST.com/sorry.html 302
authentication-failure redirect cert-other-error url http://TEST.com/sorry.html 302
authentication-failure redirect cert-revoked url http://TEST.com/sorry.html 302
authentication-failure redirect crl-has-expired url http://TEST.com/sorry.html 302
authentication-failure redirect crl-not-available url http://TEST.com/sorry.html 302

Cisco Employee

Hi,

The below option can be used, but it will redirect the user to the location you specify, which seems to be a SORRY page.

Admin(config-parammap-ssl)# authentication-failure redirect cert-expired url xxx.com 302

Regards,

Kanwal

Note: Please mark answers if they are helpful.
