
asa CA server permits to bypass access via certificate

I am configuring an ASA5520, which is acting as a Certificate server.

The CA server is enabled and I have issued some client certificates.

I have enabled the following commands:


enable outside

ssl certificate-authentication interface outside port 443

When I login on the outside I am presented with a request for selecting a client certificate.

When I select this certificate I have access to the web-page of the ASA.

So far OK!

However, when I start a new session and hit escape on the keyboard when the ASA requests a client certificate, I also get access?!

It bypasses the authentication!

When I enable this on the inside interface (just for testing):


enable inside

ssl cert-auth int inside port 443

In that case, when I hit escape, I get a 401 Unauthorized message.

This should also be true on the outside.

Can anyone tell me what I am doing wrong?


Re: asa CA server permits to bypass access via certificate

Do you have your tunnel group configured for Certificate Authentication?

It seems you enabled the outside interface to ask for certificates, but probably your tunnel group authentication policy is not configured to authenticate by certificate or by both methods (AAA and certificate).

Check the config of your tunnel group.
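As an added illustration of the point in the reply above (this is not configuration from the original thread), here is the weak form beside the corrected form. Enabling certificate authentication on the interface only makes the ASA request a client certificate during the TLS handshake; whether a session with no certificate is rejected is decided by the tunnel group's authentication policy. The example assumes the poster's clientless sessions land in the built-in DefaultWEBVPNGroup tunnel group; any other tunnel group name would be configured the same way.

```cisco
! Added example, not the poster's configuration.
! Assumes clientless sessions use the built-in DefaultWEBVPNGroup.

! --- Weak: the interface requests a certificate, but the tunnel group
! --- still uses AAA only, so a client that sends no certificate in the
! --- TLS handshake is not rejected by the certificate check.
webvpn
 enable outside
ssl certificate-authentication interface outside port 443
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa

! --- Corrected: require the certificate at the tunnel group as well.
! --- "authentication aaa certificate" would require both a valid
! --- certificate and a AAA login.
webvpn
 enable outside
ssl certificate-authentication interface outside port 443
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate
```

After the change, confirm the policy with `show running-config tunnel-group DefaultWEBVPNGroup`, then repeat the test from the post: a browser that cancels the certificate prompt on the outside interface should be rejected, as the poster already sees on the inside interface. If a different tunnel group is selected for these sessions (for example by group-url or group-alias), the `authentication certificate` line must be applied to that tunnel group instead.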

