Showing results for 
Search instead for 
Did you mean: 

Redirection question



I want to use an ACE appliance as an ssl proxy with user certificate authentication  .

everything is configured and working fine but I want to know if I could redirect users that dont have a certificate to a certain web page

so that they would know why they cant access internal resources and know how to fix it. ?


4 Replies 4

Gilles Dufour
Cisco Employee
Cisco Employee

Scimitar1/Admin(config-parammap-ssl)# authentication-failure redirect ?
  any                         Any authentication failure
  cert-expired                Certificate expired
  cert-has-signature-failure  Certificate failed signature verification
  cert-not-yet-valid          Certificate not yet valid
  cert-other-error            Miscellaneous certificate error
  cert-revoked                Certificate revoked
  crl-has-expired             CRL has expired
  crl-not-available           No CRL available
  no-client-cert              No client certificate presented
  unknown-issuer              Unknown issuer

Configure the command above under your ssl parameter-map.


thanks man , but I only have 1 option after authentication-failure

and its "ignore" . I dont have all of the options you stated above.

I am using ver A3(2.6)

so I upgraded to that version and sure enough the commands are available


the redirection works excellent !!

I have a question : Is there a way to download crl manually ? I dont want to reconfigure the CRL under the ssl-proxy each time I need to download

a new published CRL .

basically what I am asking is there a way to make the ACE download CRL more frequently and not be dependent on the CA servers publish

Interval ? It seems kind of strange that I have to delete my CRL configuration and paste it back in to "make" the ACE download a new CRL.


I have attached a screenshoot from my configuration in order to ask for a clarification .

In the picture you see that I have 3 certificates (besides the default)

one that I downloaded from the CA server and thats its own certificate

second is an identity certificate that the CA signed for a web site ( (using a CSR with "my-key")

third is another identity cert for (using a CSR with "my-key")

I dont understand why It says "False" under the CA certificate ? the key matches the certificate and evrything works fine.

is it because this is the ACE identity certificate and not an actual CA certificate (self signed or delegated) ?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers