
Ace - Two-way SSL configuration

csco10387876
Level 1

Hi all,

Just a quick question:

Is it possible to match a field of the client certificate to make a load balancing decision?

So that if a client has a cert with a CN or C field with a specific value, it is redirected to a specific serverfarm.

Thanks,

Luc.

2 Replies

Pablo
Cisco Employee

Hi Luc,

Unfortunately, the ACE can't do such a thing. When it comes to client authentication, the client cert will be used exclusively for client validation, meaning that the cert provided by the requestor must match with the one that has been configured on the ACE, but that's it.

On ACE, decryption happens before L7 load balancing, so even if you take client authentication out of the picture and say that you're dealing with a SAN certificate, ACE needs to decrypt the traffic first and then match the appropriate host header in order to send the traffic to the SF in question.

From the post below you can see that Gilles states the feature is not even on the ACE roadmap; you may want to raise the flag with your sales team.

https://supportforums.cisco.com/thread/2037449

HTH.


Pablo

Hi Pablo,

Thank you for your quick answer. I had tried to search for an answer on the topic but I didn't run into Gilles's post.

As every time I have a question regarding LB, Gilles has the answer....

Regards,
