Cisco Support Community

New Member

ASA CA server permits bypassing access via certificate

I am configuring an ASA5520, which is acting as a certificate server.

The CA server is enabled and I have issued some client certificates.

I have enabled the following commands:

webvpn

enable outside

ssl certificate-authentication interface outside port 443

When I login on the outside I am presented with a request for selecting a client certificate.

When I select this certificate I have access to the web page of the ASA.

So far OK!

However, when I start a new session and hit escape on the keyboard when the ASA requests a client certificate, I also get access?!

It bypasses the authentication!

When I enable this on the inside interface (just for testing):

webvpn

enable inside

ssl cert-auth int inside port 443

In that case, when I hit escape, I get a 401 Unauthorized message.

This should also be true on the outside.

Can anyone tell me what I am doing wrong?

1 REPLY
New Member

Re: ASA CA server permits bypassing access via certificate

Do you have your tunnel group configured for certificate authentication?

It seems you enabled the outside interface to ask for certificates, but probably your tunnel group's authentication policy is not configured to authenticate by certificate or by both methods (AAA and certificate).

Check the config of your tunnel group.

Cheers
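Added example to illustrate the reply above; this is not configuration from the original poster or from Cisco documentation for this thread. The interface command in the question only makes the ASA request a client certificate during the TLS handshake; whether a session without a certificate is allowed is decided by the tunnel group. The tunnel-group name CERT-USERS and group-policy name CERT-POLICY below are assumed placeholders.

```cisco
! Assumed: local CA server already enabled and client certificates issued,
! as described in the question.

! What the question already has: the outside interface asks for a client
! certificate, but this alone does not require one.
webvpn
 enable outside
ssl certificate-authentication interface outside port 443

! Weak: the tunnel group still authenticates with AAA only, so a client
! that declines to send a certificate (escape in the browser prompt) is
! not rejected by the certificate check.
tunnel-group CERT-USERS type remote-access
tunnel-group CERT-USERS general-attributes
 default-group-policy CERT-POLICY
tunnel-group CERT-USERS webvpn-attributes
 authentication aaa
 group-alias CERT-USERS enable

! Corrected: require the certificate at the tunnel group.
! Use "authentication aaa certificate" instead if both methods are wanted.
tunnel-group CERT-USERS webvpn-attributes
 authentication certificate

! Caveat: a browser that does not pick a group alias lands in the default
! WebVPN tunnel group, so that one must require a certificate as well.
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate
```

To check what is actually applied, run `show running-config tunnel-group` and `show running-config webvpn` and confirm that every tunnel group reachable from the outside (including DefaultWEBVPNGroup) shows `authentication certificate`. Then repeat the escape test from the question: with the certificate required, the portal should refuse the session, and `show vpn-sessiondb webvpn` should list no session for that connection.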
