SSL Client Auth based on URL

CSCO11456565
Level 1

Hi guys,

I'm trying to do client authentication only for certain types of URLs. The VIP has to be the same.

I post an example of config... but this solution doesn't work.

But is there a solution?

crypto chaingroup Chaingroup_CA
  cert CA.crt

crypto authgroup AUTH-CERT
  cert CA.crt

ssl-proxy service SSL_RProxy
  key ...
  cert ...
  authgroup AUTH-CERT

ssl-proxy service SSL_RProxy_NOAUTH
  key ...
  cert ...

class-map type http loadbalance match-any URL_NOAUTH
  2 match http url /SissWayClient(/.*)?
  3 match http url /ConfigurationManager(/.*)?

class-map match-all L4_VIP_RProxy
  2 match virtual-address 172.25.221.30 tcp eq https

class-map match-all L4_VIP_RProxy_NOAUTH
  2 match virtual-address 172.25.221.30 tcp eq https

policy-map type loadbalance first-match L7_POLICY_RProxy_NOAUTH
  class URL_NOAUTH
    sticky-serverfarm STICKY

policy-map type loadbalance first-match L7_POLICY_RProxy
  class class-default
    sticky-serverfarm STICKY

policy-map multi-match L4_POLICY_FE
  class L4_VIP_RProxy_NOAUTH
    loadbalance vip inservice
    loadbalance policy L7_POLICY_RProxy_NOAUTH
    ssl-proxy server SSL_RProxy_NOAUTH
  class L4_VIP_RProxy
    loadbalance vip inservice
    loadbalance policy L7_POLICY_RProxy
    ssl-proxy server SSL_RProxy

Thanks in advance

Kanwaljeet Singh
Cisco Employee

Hi Igor,

I don't think that is possible on ACE, since client authentication is part of the SSL handshake. The problem is that the server doesn't know if the client wants https://abc.com or https://abc.com/xyz until the SSL handshake has been completed. Only after the SSL handshake is completed would ACE be able to look into the URL and take an LB decision; I don't know of any way we can tell ACE to request client authentication at that point, which would mean completing the SSL handshake again. I do see that this can be done on Apache server etc., but I am not aware of any way that can be done on ACE.

Regards,

Kanwal
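The Apache behaviour Kanwal refers to, as an added example that is not part of the thread and not ACE configuration: mod_ssl lets `SSLVerifyClient` be set per location, so the initial handshake completes without a client certificate, httpd reads the request line, and only when the requested path falls under a stricter location does it go back and ask for the certificate (a renegotiation on TLS 1.2 and earlier, post-handshake authentication on TLS 1.3 with OpenSSL 1.1.1 or later). The server name, backend address, file names and paths below are assumptions for illustration; the two URL prefixes mirror the `URL_NOAUTH` class-map from the original post.

```apache
# Added example (not from the thread): URL-dependent client certificate
# authentication on Apache httpd with mod_ssl. Host name, backend, key/cert
# paths and the example.com domain are assumptions, not values from the post.
<VirtualHost 172.25.221.30:443>
    ServerName rproxy.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/rproxy.crt
    SSLCertificateKeyFile /etc/ssl/private/rproxy.key
    SSLCACertificateFile  /etc/ssl/certs/CA.crt

    # Default for the whole host: the first handshake does NOT request a
    # client certificate, so httpd can see the request line before deciding.
    SSLVerifyClient none

    # One backend for everything; only the client-cert requirement differs per path.
    ProxyPass        / http://10.0.0.10:8080/
    ProxyPassReverse / http://10.0.0.10:8080/

    # Everything under / requires a client certificate chained to CA.crt.
    # When a request for such a path arrives over a connection that had no
    # client cert, mod_ssl renegotiates (or uses TLS 1.3 post-handshake auth)
    # to request and verify it before the request is served.
    <Location "/">
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>

    # The paths from the original URL_NOAUTH class-map stay reachable without
    # a client certificate. This block comes AFTER <Location "/"> because later
    # Location/LocationMatch sections override earlier ones for matching paths.
    <LocationMatch "^/(SissWayClient|ConfigurationManager)(/.*)?$">
        SSLVerifyClient none
    </LocationMatch>

    # Request bodies received before the renegotiation have to be buffered;
    # POSTs larger than this limit to a client-cert path are rejected (default 131072).
    SSLRenegBufferSize 262144
</VirtualHost>
```

Two things to check before relying on this: the no-auth paths are still served over TLS with server authentication, they merely skip the client certificate; and the second handshake is exactly the step Kanwal describes ACE as unable to perform, so clients or middleboxes that refuse renegotiation (and TLS 1.3 stacks without post-handshake authentication) will fail on the protected paths even though the first handshake succeeded. Verify with `openssl s_client -connect rproxy.example.com:443` followed by a `GET` of a protected path, and confirm in the error log that the certificate request actually fires.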

Thanks Kanwal

Yes, it can be done with Apache. But what if, for the selected URLs, the connection goes in the clear? Doesn't it matter? Could it be possible to instruct the ACE to change the VIP if a particular class-map is not matched?

Thanks

Igor
