644 Views | 0 Helpful | 1 Replies

asa CA server permits to bypass access via certificate

pvanliere
Level 1

I am configuring an ASA5520, which is acting as a Certificate server.

The CA server is enabled and I have issued some client certificates.

I have enabled the following commands:

webvpn
 enable outside
ssl certificate-authentication interface outside port 443

When I login on the outside I am presented with a request for selecting a client certificate.

When I select this certificate I have access to the web-page of the ASA.

So far OK!

However, when I start a new session and hit escape on the keyboard when the ASA requests a client certificate, I also get access?!?!?!?!

It bypasses the authentication!

When I enable this on the inside interface (just for testing):

webvpn
 enable inside
ssl cert-auth int inside port 443

In that case, when I hit escape, I get a 401 Unauthorized message.

This should also be true on the outside.

Can anyone tell me what I am doing wrong?

1 Reply

paulomv
Level 1

Do you have your tunnel group configured for Certificate Authentication?

It seems you enabled the outside interface to ask for certificates, but probably your tunnel group authentication policy is not configured to authenticate by certificate or by both methods (AAA and certificate).

Check the config of your tunnel group.

Cheers
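As an added illustration of the reply's suggestion (not part of the original thread): an ASA tunnel-group fragment in which the interface requests a client certificate but the tunnel group does not require one, next to the corrected form. The tunnel-group name DefaultWEBVPNGroup is the ASA default and the weak case assumes a password-only (AAA) policy; both are assumptions, not taken from the original post. The interface and port match the original post.

```text
! Weak: the SSL interface asks the browser for a client certificate, but
! the tunnel group does not require one, so a session that cancels the
! certificate prompt is still evaluated only by the tunnel-group policy.
webvpn
 enable outside
ssl certificate-authentication interface outside port 443
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa

! Corrected: the tunnel group itself requires a valid client certificate.
! A session with no certificate, or one that does not chain to the ASA's
! CA, is rejected instead of falling through to another method.
webvpn
 enable outside
ssl certificate-authentication interface outside port 443
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication certificate

! To require both a certificate and AAA credentials, use instead:
!  authentication aaa certificate

! Confirm which policy is active before re-testing the escape-key case:
show running-config tunnel-group DefaultWEBVPNGroup
```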
