Hi Hisham,If you configure

hisham.khreisat · ‎10-15-2014

Dears,

I have a Cisco ACE (image: c4710ace-t1k9-mz.A5_2_1.bin) configured for SSL termination with load balancing in addition to client authentication. I have a situation that require the ACE to pass expired client certificate currently deployed on some clients.

which is the best option from the following to apply using the authentication-failure command in parameter map SSL configuration mode.

- authentication-failure ignore [Only]

OR

- authentication-failure redirect cert-expired

OR

- authentication-failure ignore with authentication-failure redirect cert-expired

Appreciate your help

Kanwaljeet Singh · ‎10-15-2014

Hi Hisham,

If you configure authentication-failure ignore, ace will ignore the client cert if expired and continue with SSL termination. Redirect can be used if you want the ACE to redirect the user to a different serverfarm or a different URL.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

hisham.khreisat · ‎10-15-2014

If I configure authentication-failure ignore , is that ignore all certificate errors ?!

I have some concerns regarding security issues that if ignore option can be used does it pass expired certificates only or this will cause clients with no certificates or wrong certificates also to pass?

Kanwaljeet Singh · ‎10-16-2014

Hi Hisham,

Yes, you are correct. It will ignore all certificate errors. But if you need to configure redirect, you would need to define a different serverfarm or URL. If this is short term fix before you update certificates, i guess authentication-failure ignore would be the best option.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

hisham.khreisat · ‎10-17-2014

I have requirement to ignore the client cert expired for the clients in my networks , so I want to know the best way I can do it , as I only need to allow ACE to pass the expired cert and appropriate client certs and if ACE receives a wrong cert then it should be dropping it .

any advise ??!!

Kanwaljeet Singh · ‎10-20-2014

Hi Hisham,

At the moment there is no specific command which will let the ACE ignore certificate expiration only. You can use redirect but again that will redirect the user to a different serverfarm or URL. You can try and disable client authentication itself. Due to this, ACE won't ask for client certificate during SSL handshake.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

hisham.khreisat · ‎10-31-2014

Dear Kanwalsi

To pass only cert-expired !!! what do you think to apply the following

parameter-map type ssl TEST
authentication-failure ignore
authentication-failure redirect unknown-issuer url http://TEST.com/sorry.html 302
authentication-failure redirect no-client-cert url http://TESt.com/sorry.html 302
authentication-failure redirect cert-has-signature-failure url http://TESt.com/sorry.html 302
authentication-failure redirect cert-other-error url http://TESt.com/sorry.html 302
authentication-failure redirect cert-revoked url http://TESt.com/sorry.html 302
authentication-failure redirect crl-has-expired url http://TESt.com/sorry.html 302
authentication-failure redirect crl-not-available url http://TESt.com/sorry.html 302

Kanwaljeet Singh · ‎11-02-2014

Hi,

The below option can be used but it will redirect the user to the location which will specify which seems to be SORRY page.

Admin(config-parammap-ssl)# authentication-failure redirect cert-expired url xxx.com 302

Regards,

Kanwal

Note: Please mark answers if they are helpful.

ACE 4710 - Continuing SSL Session Setup with Client Certificate Failures