topic Re: Redirection question in Application Networking

Redirection question

nir.fisher — Wed, 03 Nov 2010 09:38:46 GMT

Hi,

I want to use an ACE appliance as an ssl proxy with user certificate authentication .

everything is configured and working fine but I want to know if I could redirect users that dont have a certificate to a certain web page

so that they would know why they cant access internal resources and know how to fix it. ?

thanks

Re: Redirection question

Gilles Dufour — Wed, 03 Nov 2010 13:00:38 GMT

Scimitar1/Admin(config-parammap-ssl)# authentication-failure redirect ?
any                         Any authentication failure
cert-expired                Certificate expired
cert-has-signature-failure Certificate failed signature verification
cert-not-yet-valid          Certificate not yet valid
cert-other-error            Miscellaneous certificate error
cert-revoked                Certificate revoked
crl-has-expired             CRL has expired
crl-not-available           No CRL available
no-client-cert              No client certificate presented
unknown-issuer              Unknown issuer

Configure the command above under your ssl parameter-map.

Gilles.

Re: Redirection question

nir.fisher — Wed, 03 Nov 2010 17:13:24 GMT

thanks man , but I only have 1 option after authentication-failure

and its "ignore" . I dont have all of the options you stated above.

I am using ver A3(2.6)

Re: Redirection question

Gilles Dufour — Thu, 04 Nov 2010 08:44:16 GMT

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html

This is indeed a new feature of A4(1.0)

Re: Redirection question

nir.fisher — Mon, 08 Nov 2010 20:16:46 GMT

so I upgraded to that version and sure enough the commands are available

thanks

the redirection works excellent !!

I have a question : Is there a way to download crl manually ? I dont want to reconfigure the CRL under the ssl-proxy each time I need to download

a new published CRL .

basically what I am asking is there a way to make the ACE download CRL more frequently and not be dependent on the CA servers publish

Interval ? It seems kind of strange that I have to delete my CRL configuration and paste it back in to "make" the ACE download a new CRL.

secondly,

I have attached a screenshoot from my configuration in order to ask for a clarification .

In the picture you see that I have 3 certificates (besides the default)

one that I downloaded from the CA server and thats its own certificate

second is an identity certificate that the CA signed for a web site (10.2.2.20) (using a CSR with "my-key")

third is another identity cert for 10.2.2.21 (using a CSR with "my-key")

I dont understand why It says "False" under the CA certificate ? the key matches the certificate and evrything works fine.

is it because this is the ACE identity certificate and not an actual CA certificate (self signed or delegated) ?