12-31-2021 07:46 PM - edited 01-01-2022 02:47 PM
Hello dears,
I would like to know if someone has configured how the Expressway retrieves authorization credentials (username) from a client browser's certificate, without the standard login mechanism.
The documentation explains the process of configuring the Regex and Username Format fields on the Certificate-based authentication configuration page; the problem is the documentation just gives the syntax "(?<name>regex)" for the Regex field, and the syntax "/(Subject:.*, CN=(?<Group1>.*))m". And it says to delimit each capture group name with #, for example "prefix#Group1#suffix".
My question is, could you share an example of how to write the syntax in these two fields for the following particular certificate Subject and CN, let's say:
Subject: OU=Domain Control Validated, CN=amer-expressway01.ciscotac.net
I would appreciate your help, because the documentation is not clear enough and furthermore I do not know so much PHP.
Kind regards,
02-13-2022 09:36 PM
Hello, I guess I found the explanation,
In the Regex field use the (?<name>regex) syntax to supply names for capture groups (they are just like objects or variables) so that matching minor sub-patterns can be substituted in the associated Username Format field, in this case for example /(^Subject:.*, CN=(?<group1>.ciscotac.net)$)/
In the Username Format field we can delimit it as #group1#. In that variable we can then capture the name amer-expressway01 as the username we were looking for as authorization credentials, all of this when we find the structure of the text "Subject: OU=Domain Control Validated, CN=amer-expressway01.ciscotac.net"
Best regards,
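As an added illustration (not code from the Expressway product, its documentation, or this thread), the following simulates the two fields: a Regex with (?<name>...) named groups is applied to the certificate Subject line, and each #name# token in the Username Format is replaced by what that group captured. JavaScript RegExp uses the same (?<name>...) syntax as the documentation; the exact matching engine Expressway uses is an assumption here, and the hostOnly pattern, the sample Subject line and the prefix/suffix format are constructed for the example.

```javascript
// Added example: named-group regex plus "#group#" username format,
// simulating the Expressway Regex / Username Format fields.
// Assumption: the real engine behaves like a PCRE/ECMAScript RegExp.

// Constructed sample input, copied from the Subject line quoted in the thread.
const SAMPLE_SUBJECT =
  "Subject: OU=Domain Control Validated, CN=amer-expressway01.ciscotac.net";

// Apply `regexSource` (with `flags`) to `subject` and substitute every #name#
// token in `usernameFormat` with the value of the named capture group `name`.
// Returns null when the regex does not match, or when the format references a
// group that captured nothing, so a malformed Subject never yields a username.
function extractUsername(subject, regexSource, flags, usernameFormat) {
  const re = new RegExp(regexSource, flags);
  const m = re.exec(subject);
  if (!m || !m.groups) return null;
  let missing = false;
  const username = usernameFormat.replace(/#([A-Za-z0-9_]+)#/g, (_, name) => {
    const value = m.groups[name];
    if (value === undefined || value === "") {
      missing = true;
      return "";
    }
    return value;
  });
  return missing ? null : username;
}

// 1. The pattern from the documentation: Group1 captures the whole CN value,
//    including the domain part.
function docExample(subject = SAMPLE_SUBJECT) {
  return extractUsername(subject, "(Subject:.*, CN=(?<Group1>.*))", "m", "#Group1#");
}

// 2. A tighter (constructed) pattern: captures only the host label and requires
//    the expected domain, so a CN under another domain produces no username.
const HOST_ONLY_REGEX = "CN=(?<host>[^.,]+)\\.ciscotac\\.net$";

function hostOnlyExample(subject = SAMPLE_SUBJECT) {
  return extractUsername(subject, HOST_ONLY_REGEX, "", "#host#");
}

// 3. The "prefix#Group1#suffix" form from the documentation, applied to the
//    host-only group (prefix and suffix values are constructed).
function prefixedExample(subject = SAMPLE_SUBJECT) {
  return extractUsername(subject, HOST_ONLY_REGEX, "", "admin-#host#@ciscotac.net");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("doc pattern  :", docExample());
  console.log("host only    :", hostOnlyExample());
  console.log("prefix/suffix:", prefixedExample());
  console.log("other domain :", hostOnlyExample("Subject: OU=X, CN=other.example.com"));
}
```

With the documented pattern the username becomes the full CN (amer-expressway01.ciscotac.net); the host-only pattern yields amer-expressway01, which is the value the thread was after. Escaping the dots and anchoring to the expected domain matters when the result is used as an authorization identity: a loose `.*` group maps any CN the CA is willing to issue onto a username, whereas the anchored form rejects Subjects outside the intended domain and returns null instead of a partial name.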
01-02-2022 10:58 PM
Hi,
Can't you just set up SSO, where the only authentication mechanism in the IdP is based on a certificate, instead of username and password?
I have never deployed that on my own, but it would be my first idea on how to do that.
Best regards
--- Please rate this post as "Helpful" or accept as a solution, if your question has been answered ---
01-03-2022 07:11 PM
Hello again b.winter
The main idea is that Expressway retrieves authorization credentials from a certificate and the standard login is no longer available, so that an administrator can log in only if they present a valid browser certificate; therefore the certificate contains the appropriate credentials that have the authorization level. The username authorization would be relayed to another external mechanism (in an IdP or an AD, I am not sure just now to be honest). Furthermore the users want to release the certificate from the browser by entering a PIN; it is notable that they are married to security. For now the idea is to take advantage of avoiding reliance on the standard manual HTTPS login to the Expressway from outside, using the Regex and Username Format fields in the Expressway certificate-based authentication configuration page, but I have no idea how to set up the syntax in these fields (if for example the certificate has "Subject: OU=Domain Control Validated, CN=amer-expressway01.ciscotac.net", how to set up these fields); the documentation just says "(?<name>regex)" and "/(Subject:.*, CN=(?<Group1>.*))/m" respectively for each field, and it is not clear where to capture each group name with #; the documentation just says "for example prefix#Group1#suffix", so it is not understandable.
Best regards