topic asa CA server permits to bypass access via certificate in Network Security https://community.cisco.com/t5/network-security/asa-ca-server-permits-to-bypass-access-via-certificate/m-p/900004#M954529 <P>I am configuring an ASA5520, which is acting as a Certificate server.</P><P>The CA server is enabled and I have issued some client certificates.</P><P>I have enabled the following commands:</P><P>webvpn</P><P> enable outside</P><P> ssl certificate-authentication interface outside port 443</P><P></P><P>When I login on the outside I am presented with a request for selecting a client certificate.</P><P>When I select this certificate I have access to the web-page of the ASA.</P><P>So far OK!</P><P></P><P>However, when I start a new session and </P><P>hit escape on the keyboard when the ASA requests a client certificate, I also get access?!?!?!?!</P><P>It bypasses the authentication!</P><P></P><P>When I enable this on the inside interface (just for testing):</P><P>webvpn</P><P> enable inside</P><P> ssl cert-auth int inside port 443</P><P></P><P>In that case, when I hit escpae, I get a 401 unauthorized message.</P><P>This should also be true on the outside.</P><P></P><P>Can anyone tell me what I am doing wrong?</P> Mon, 11 Mar 2019 12:06:12 GMT pvanliere 2019-03-11T12:06:12Z asa CA server permits to bypass access via certificate https://community.cisco.com/t5/network-security/asa-ca-server-permits-to-bypass-access-via-certificate/m-p/900004#M954529 <P>I am configuring an ASA5520, which is acting as a Certificate server.</P><P>The CA server is enabled and I have issued some client certificates.</P><P>I have enabled the following commands:</P><P>webvpn</P><P> enable outside</P><P> ssl certificate-authentication interface outside port 443</P><P></P><P>When I login on the outside I am presented with a request for selecting a client certificate.</P><P>When I select this certificate I have access to the web-page of the ASA.</P><P>So far OK!</P><P></P><P>However, when I start a new session and </P><P>hit escape on the keyboard when the ASA requests a client certificate, I also get access?!?!?!?!</P><P>It bypasses the authentication!</P><P></P><P>When I enable this on the inside interface (just for testing):</P><P>webvpn</P><P> enable inside</P><P> ssl cert-auth int inside port 443</P><P></P><P>In that case, when I hit escpae, I get a 401 unauthorized message.</P><P>This should also be true on the outside.</P><P></P><P>Can anyone tell me what I am doing wrong?</P> Mon, 11 Mar 2019 12:06:12 GMT https://community.cisco.com/t5/network-security/asa-ca-server-permits-to-bypass-access-via-certificate/m-p/900004#M954529 pvanliere 2019-03-11T12:06:12Z Re: asa CA server permits to bypass access via certificate https://community.cisco.com/t5/network-security/asa-ca-server-permits-to-bypass-access-via-certificate/m-p/900005#M954531 <HTML><HEAD></HEAD><BODY><P>Do you have your tunnel group configured for Certificate Authentication?</P><P>It seems you enabled the interface Outside to ask for Certificates but probably your Tunnel Group Authentication Policy is not configured to authenticate by Certificate or both Methods (AAA and Certificate)</P><P>Check the config of your tunnel group.</P><P></P><P>Cheers</P></BODY></HTML> Fri, 29 Feb 2008 12:06:58 GMT https://community.cisco.com/t5/network-security/asa-ca-server-permits-to-bypass-access-via-certificate/m-p/900005#M954531 paulomv 2008-02-29T12:06:58Z