Cisco Support Community
New Member

Client authentication problem with ACE module

Hello

I'm trying to configure SSL client authentication on the ACE module. The config looks like this:

crypto authgroup CLI_AUTHENTICATION
  cert CA

ssl-proxy service SSL-test
  authgroup CLI_AUTHENTICATION
  cert cert.pem
  key key.pem

The config works ok, without the client authentication feature.

The CA cert is a CA certificate that signed the test user certificate.

When I tried to connect via IE, the browser asked me which certificate I'd like to use, but when I chose the correct one, I received the information that the session could not be established.

I've checked the logs on the ACE, but there is no information about SSL problems.

I've also tried to use "debug ssl all", but it does not return any output.

Does anybody know why it could not work?

Thanks in advance

Regards

Lucas

4 REPLIES

Re: Client authentication problem with ACE module

Hi Luckaszk,

Which mode are you using: routed, bridged, or one-arm? Kindly tell. Also, have you configured a chaingroup and parameter map for the same?

As it is not clear from your config, it is not sufficient to comment on right now.

Can you send the output of the following commands so I can suggest more on your config:

ACE-1/routed# show crypto files

ACE-1/routed# show crypto certificate all

ACE-1/routed# show crypto key all

ACE-1/routed# show crypto session

ACE-1/routed# show crypto hardware

ACE-1/routed# show service-policy detail

Kindly find below the SSL config example:

http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example

All examples:

http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples

Sachin Garg

New Member

Re: Client authentication problem with ACE module

Hi

I'm using routed mode. I've configured the chaingroup as below:

crypto chaingroup test
  cert CA

What parameter-map are you talking about? I have not found any information that it is required.

The rest of the outputs are attached.

Cisco Employee

Re: Client authentication problem with ACE module

Do "show stats crypto server" before and after the client attempt to see which counter increments (SSL alert). Make sure the clock on the supervisor has the correct date to avoid the not-before/not-after check of the cert.
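
The two points in the reply above (whether the CA in the authgroup really verifies the user certificate, and whether the certificate is inside its not-before/not-after window for the clock doing the check) can be reproduced off-box with the OpenSSL command line. This is an added example, not part of the original thread and not ACE commands; the function names and the generated test CA and user certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: all certificates here are constructed throwaway test material.

# make_test_pki DIR CA_CN
# Create a test CA (30 days) and a client certificate (7 days) signed by it in DIR.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-user" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 7 -out "$1/user.pem" 2>/dev/null
}

# check_client_cert CA_FILE CERT_FILE [EPOCH]
# Verify CERT_FILE against CA_FILE as if the verifier's clock read EPOCH
# (default: now). Prints "OK" or the first failure reason OpenSSL reports.
check_client_cert() {
    at=${3:-$(date +%s)}
    rc=0
    out=$(openssl verify -attime "$at" -CAfile "$1" "$2" 2>&1) || rc=$?
    # Failure lines look like: "error 10 at 0 depth lookup: certificate has expired"
    reason=$(printf '%s\n' "$out" |
        sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
    if [ "$rc" -eq 0 ] && [ -z "$reason" ]; then
        echo OK
        return 0
    fi
    echo "${reason:-verification failed}"
    return 1
}
```

Run `check_client_cert` with the exported CA and user certificate, passing the epoch time the verifying device's clock shows as the third argument to see whether a clock offset alone would fail the validity check.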

New Member

Re: Client authentication problem with ACE module

Hello

I've done the test, and it seems that I hit two alerts:

SSL alert HANDSHAKE_FAILED sent:

SSL alert HANDSHAKE_FAILED rcvd:

Is there any method, except sniffing, to check what is wrong with this handshake?

I'm attaching the whole output before and after the attempt.
