Restricting access to a URL based on the client certificate

pratheesh.venu
Level 1

Hi,

I am using a Cisco ACE and want to explore the options available for controlling access to a web URL.

Is it possible to restrict access to a URL based upon the client certificate?

I want to keep the URL open to the internet but accessible only to a limited set of users. I will be generating a self-signed certificate and will distribute the client certificate to that specific set of users. This way I can control access to the URL without having to change the firewall rules, etc.

Please share your thoughts and let me know if any of you have implemented a similar solution.

Regards

Pratheesh

Accepted Solution

Kanwaljeet Singh
Cisco Employee

Hi Pratheesh,

If you are going to use client authentication in SSL, and client authentication fails because not all users will have a client cert provided by you, the SSL handshake will not complete and hence there will be no access. But this is a performance-impacting option. Restricting access on the FW would be a good option.

During the flow of a normal SSL handshake, the server sends its certificate to the client. The client verifies the identity of the server through the certificate. However, the client does not send any identification of its own to the server. When you enable the client authentication feature on the ACE, the ACE requires that the client send a certificate to the server. The server then verifies the following information on the certificate:

- The CA has not revoked the certificate.
- The certificate signature is valid.
- The valid period of the certificate is still in effect.
- A recognized CA issued the certificate.

You can specify the certificate authentication group that the ACE uses during the SSL handshake and enable client authentication on this SSL proxy service by using the authgroup command in SSL proxy configuration mode. The ACE includes the certificates configured in the group with the certificate that you specified for the SSL proxy service.

Regards,

Kanwal


Thank you, Kanwaljeet.

I am planning to use a self-signed certificate.

As you indicated, normally we will load only the server certificate to the ACE and associate it with the URL.

In my scenario, will I have to load the private CA certificate (bundle), the server certificate and the client certificate to the ACE?

I would need to restrict the access only to the set of users with the client certificate I intend to share. I understand the comment on performance; however, firewall restriction is not an option at this time.

Do you have any configuration template on this? Thank you.

Thank you, and I appreciate your time.

Regards

Pratheesh

Hi Pratheesh,

You will need just the root certificate that was used to sign the client certificates. You don't need to upload the client certificates to the ACE.

---------------------
Cesar R
ANS Team
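An ACE configuration template for the setup Kanwal and Cesar describe, added here as an example; it is not from the thread or from Cisco documentation, and the command syntax is as I recall it from the ACE SSL configuration guide, so verify it against your release. Only the server key, the server certificate and the private root CA certificate that signed the client certificates are loaded; the root CA goes into a crypto authgroup, which the authgroup command binds to the SSL proxy service. File names, the VIP address, the VLAN and the serverfarm SF-WEB are placeholders.

```cisco
! Step 1: import the keying material (each command prompts for a PEM paste).
! Only three files go on the ACE; individual client certificates are never uploaded.
crypto import terminal WEB-SERVER-KEY.PEM
crypto import terminal WEB-SERVER-CERT.PEM
crypto import terminal PRIVATE-ROOT-CA.PEM
! Confirm the server key and certificate belong together before using them.
crypto verify WEB-SERVER-KEY.PEM WEB-SERVER-CERT.PEM

! Step 2: the authentication group lists the issuer(s) a client cert must chain to.
crypto authgroup CLIENT-CA-GROUP
  cert PRIVATE-ROOT-CA.PEM

! Step 3: SSL termination service; "authgroup" turns on client authentication,
! so a client that presents no cert, or one not signed by PRIVATE-ROOT-CA, fails the handshake.
ssl-proxy service SSL-CLIENT-AUTH
  key WEB-SERVER-KEY.PEM
  cert WEB-SERVER-CERT.PEM
  authgroup CLIENT-CA-GROUP
  ! Optional revocation check against the CRL distribution point in the client cert
  ! (syntax assumed; omit if the private CA publishes no CRL).
  crl best-effort

! Step 4: bind the service to the HTTPS VIP (placeholder address from TEST-NET-3).
class-map match-all VIP-HTTPS
  2 match virtual-address 203.0.113.10 tcp eq https

policy-map type loadbalance first-match WEB-L7
  class class-default
    serverfarm SF-WEB

policy-map multi-match VIPS-POLICY
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy WEB-L7
    ssl-proxy server SSL-CLIENT-AUTH

interface vlan 100
  service-policy input VIPS-POLICY
```

Lines starting with "!" are annotations for the reader and should be dropped before pasting. Note that client authentication is enforced per SSL proxy service, so every URL served through that VIP requires a certificate; place only the restricted application behind it.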