11-03-2010 02:38 AM
Hi,
I want to use an ACE appliance as an SSL proxy with user certificate authentication.
Everything is configured and working fine, but I want to know if I could redirect users that don't have a certificate to a certain web page
so that they would know why they can't access internal resources and know how to fix it?
Thanks
11-03-2010 06:00 AM
Scimitar1/Admin(config-parammap-ssl)# authentication-failure redirect ?
  any                         Any authentication failure
  cert-expired                Certificate expired
  cert-has-signature-failure  Certificate failed signature verification
  cert-not-yet-valid          Certificate not yet valid
  cert-other-error            Miscellaneous certificate error
  cert-revoked                Certificate revoked
  crl-has-expired             CRL has expired
  crl-not-available           No CRL available
  no-client-cert              No client certificate presented
  unknown-issuer              Unknown issuer
Configure the command above under your ssl parameter-map.
Gilles.
11-03-2010 10:13 AM
Thanks man, but I only have 1 option after authentication-failure
and it's "ignore". I don't have all of the options you stated above.
I am using ver A3(2.6)
11-04-2010 01:44 AM
This is indeed a new feature of A4(1.0)
G.
11-08-2010 12:16 PM
So I upgraded to that version and sure enough the commands are available.
Thanks,
the redirection works excellent!!
I have a question: Is there a way to download the CRL manually? I don't want to reconfigure the CRL under the ssl-proxy each time I need to download
a new published CRL.
Basically what I am asking is: is there a way to make the ACE download the CRL more frequently and not be dependent on the CA server's publish
interval? It seems kind of strange that I have to delete my CRL configuration and paste it back in to "make" the ACE download a new CRL.
Secondly,
I have attached a screenshot of my configuration in order to ask for a clarification.
In the picture you see that I have 3 certificates (besides the default):
one that I downloaded from the CA server and that's its own certificate,
second is an identity certificate that the CA signed for a web site (10.2.2.20) (using a CSR with "my-key"),
third is another identity cert for 10.2.2.21 (using a CSR with "my-key").
I don't understand why it says "False" under the CA certificate? The key matches the certificate and everything works fine.
Is it because this is the ACE identity certificate and not an actual CA certificate (self signed or delegated)?