Redirection question

nir.fisher
Level 1

Hi,

I want to use an ACE appliance as an SSL proxy with user certificate authentication.

Everything is configured and working fine, but I want to know if I could redirect users that don't have a certificate to a certain web page so that they would know why they can't access internal resources and know how to fix it.

thanks

4 Replies

Gilles Dufour
Cisco Employee

Scimitar1/Admin(config-parammap-ssl)# authentication-failure redirect ?
  any                         Any authentication failure
  cert-expired                Certificate expired
  cert-has-signature-failure  Certificate failed signature verification
  cert-not-yet-valid          Certificate not yet valid
  cert-other-error            Miscellaneous certificate error
  cert-revoked                Certificate revoked
  crl-has-expired             CRL has expired
  crl-not-available           No CRL available
  no-client-cert              No client certificate presented
  unknown-issuer              Unknown issuer

Configure the command above under your ssl parameter-map.

Gilles.

Thanks man, but I only have 1 option after authentication-failure, and it's "ignore". I don't have all of the options you stated above.

I am using ver A3(2.6)

so I upgraded to that version and sure enough the commands are available

thanks

The redirection works excellent!!

I have a question: Is there a way to download the CRL manually? I don't want to reconfigure the CRL under the ssl-proxy each time I need to download a new published CRL.

Basically, what I am asking is: is there a way to make the ACE download the CRL more frequently and not be dependent on the CA server's publish interval? It seems kind of strange that I have to delete my CRL configuration and paste it back in to "make" the ACE download a new CRL.

Secondly,

I have attached a screenshot from my configuration in order to ask for a clarification.

In the picture you see that I have 3 certificates (besides the default):

One that I downloaded from the CA server, and that's its own certificate.

Second is an identity certificate that the CA signed for a web site (10.2.2.20) (using a CSR with "my-key").

Third is another identity cert for 10.2.2.21 (using a CSR with "my-key").

I don't understand why it says "False" under the CA certificate? The key matches the certificate and everything works fine.

Is it because this is the ACE identity certificate and not an actual CA certificate (self-signed or delegated)?
