Cisco Support Community

New Member

ACE SSL terminator user authentication

Hi,

We have an ACE4710, and I configured the ACE for load balancing and as an SSL terminator with user authentication. All users authenticate when browsing the https://x.x.x.x URL and everything works well. But I want users to authenticate with an SSL certificate only when browsing a special URL on my server. For example, when a user browses https://x.x.x.x/Test there is no need to be authenticated, but when browsing https://x.x.x.x/testSSL/ they need to authenticate.

Can you post an example and help me do this?

Thanks in advance.

2 REPLIES
New Member

Re: ACE SSL terminator user authentication

Does anyone have an idea? This is my configuration:

crypto authgroup AUTH_CERT_1
  cert CARoot.crt

probe icmp PING_TEST
  interval 15
  passdetect interval 60

parameter-map type ssl SSL_PARAMETER_MAP
  authentication-failure ignore

rserver host RS_web_1
  description ### WEB SERVER 1 ###
  ip address 192.168.2.103
  inservice

serverfarm host WEB_SERVERFARM
  probe PING_TEST
  rserver RS_web_1 80
    inservice

ssl-proxy service SSL-WWWSERVICE-SERVER
  key ACEkey
  cert ACEcer
  authgroup AUTH_CERT_1
  ssl advanced-options SSL_PARAMETER_MAP

ssl-proxy service SSL-WWWSERVICE-SERVER_no_auth
  key ACEkey
  cert ACEcer
  ssl advanced-options SSL_PARAMETER_MAP

class-map match-all L4_VIP_ADDRESS_WEB
  2 match virtual-address 192.168.1.103 any

class-map match-all L4_VIP_ADDRESS_WEB_no_auth
  2 match virtual-address 172.16.1.103 any

class-map type http loadbalance match-all L7CLASS-Test
  2 match http url /Test/*

class-map type http loadbalance match-all L7CLASS-TestSSL
  2 match http url /TestSSL/*

policy-map type loadbalance first-match L7_POLICY_WEB_ssl_auth
  class L7CLASS-Test
    serverfarm WEB_SERVERFARM

policy-map type loadbalance first-match L7_POLICY_WEB_no_ssl_auth
  class L7CLASS-TestSSL
    serverfarm WEB_SERVERFARM

policy-map multi-match VIP_POLICY
  class L4_VIP_ADDRESS_WEB
    loadbalance vip inservice
    loadbalance policy L7_POLICY_WEB_ssl_auth
    ssl-proxy server SSL-WWWSERVICE-SERVER
  class L4_VIP_ADDRESS_WEB_no_auth
    loadbalance vip inservice
    loadbalance policy L7_POLICY_WEB_no_ssl_auth
    ssl-proxy server SSL-WWWSERVICE-SERVER_no_auth

New Member

Re: ACE SSL terminator user authentication

I saw that "policy-map multi-match VIP_POLICY" matches only the first L4 class, and not the second. Is it possible to match two policies with an "or" rule?
