
New Member

Client Authentication & Normal SSL Using Same IP on Proxy List

I am using CSS11501's and need to have the option of client authentication or normal client server SSL using the same IP. I cannot see how to do this using just one proxy-list.

The following is an example of what I would like.

https://sslconnection.com = ip address 10.10.10.10 on the ssl-proxy-list and uses normal client server ssl.

https://sslconnection.com/clientauth = ip address 10.10.10.10 and invokes client authentication.

Is there any way to get the proxy list to pick up the URL extension and apply the client authentication rules?

I know this would work using 2 proxy lists in say a 11503 or my other option would be to get the web server to redirect to another VIP when client authentication is required.

However, if at all possible, I would like to use the same IP for both methods.

Any ideas????

1 REPLY
Cisco Employee

Re: Client Authentication & Normal SSL Using Same IP on Proxy Li

To see the URL, the CSS needs to decrypt the traffic, and to decrypt the traffic the CSS needs to perform SSL negotiation.

Therefore it is not possible to keep the same proxy-server.

What you can do is use a normal SSL service to decrypt the traffic and, if there is a match with the /clientauth URL, send a redirect to the same VIP IP but a different port, i.e. 8443 instead of 443.

You can then create a 2nd ssl-proxy server in your proxy list and this one will do client authentication.

Gilles.
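
The two-listener design from the reply, as an added Python sketch (not part of the original thread and not CSS configuration): the client-certificate requirement is fixed per listener before any URL is visible, so the port 443 side can only redirect. The function names are hypothetical; the hostname, ports and /clientauth path are the ones used in the thread, and the path normalization is an added assumption so that encoded or dotted variants of the protected path are also redirected.

```python
import posixpath
import ssl
from urllib.parse import unquote

VIP_HOST = "sslconnection.com"      # hostname used in the question
PLAIN_PORT, AUTH_PORT = 443, 8443   # ports named in the reply
AUTH_PREFIX = "/clientauth"         # protected path from the question


def make_context(require_client_cert, ca_file=None):
    """TLS settings for one listener; fixed before any URL can be seen."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED     # handshake fails without a client cert
        if ca_file:
            ctx.load_verify_locations(ca_file)  # CA that issued the client certs
    else:
        ctx.verify_mode = ssl.CERT_NONE         # ordinary server-only TLS
    return ctx


def normalize(path):
    """Drop the query, decode %xx, resolve '.', '..' and repeated slashes."""
    raw = unquote(path.split("?", 1)[0])
    return "/" + posixpath.normpath("/" + raw).lstrip("/")


def decide(listener_port, path):
    """Return (status, location) for a request decrypted on listener_port."""
    clean = normalize(path)
    protected = clean == AUTH_PREFIX or clean.startswith(AUTH_PREFIX + "/")
    if protected and listener_port != AUTH_PORT:
        # This handshake never asked for a client certificate, so the
        # protected path is not served here: send the client to 8443.
        return 302, f"https://{VIP_HOST}:{AUTH_PORT}{clean}"
    return 200, None


if __name__ == "__main__":
    for port, p in [(443, "/"), (443, "/clientauth"), (8443, "/clientauth")]:
        print(port, p, decide(port, p))
```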
