04-29-2021 08:02 AM - edited 07-05-2021 01:14 PM
After upgrading my 9800-CL to 17.3.3, PIV auth via GUI doesn't work. I can log in via CLI using the PIV card.
This is my config:
ip http secure-server
ip http secure-trustpoint HTTP
ip http secure-peer-verify-trustpoint HTTP
ip http secure-piv-based-auth secure-piv-based-author-only
I get ERR_SSL_PROTOCOL_ERROR when using this config, and in the Wireshark capture I just see Fatal Error, Internal error.
If I remove
ip http secure-trustpoint HTTP
ip http secure-peer-verify-trustpoint HTTP
it prompts me to pick the certificate (interestingly it doesn't pick up all of them; I have two different PIV cards), but then it generates an error.
In my Wireshark capture I see a certificate unknown error.
The same cert works for CLI.
I'm confused at this point, not sure what else to look at.
TIA
04-29-2021 11:40 AM
If it was working before with your config then it's a bug and you need to contact TAC, but there is one missing command from your config:
"ip http secure-client-auth" ("Set http secure server with client authentication"): it indicates that the client cert should be verified.
Remember that any changes to HTTP need a reset using the below:
no ip http server
no ip http secure-server
ip http server
ip http secure-server
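The thread's only check so far is the Wireshark capture. As an added example, not code from either poster or from Cisco, here is a small shell diagnostic built on `openssl s_client` that shows what the controller's HTTPS server sends in its TLS CertificateRequest: whether it asks for a client certificate at all (it has to for PIV auth to work) and which issuer CAs it lists as acceptable. Browsers generally filter the certificate picker by that list, so a PIV issuing CA missing from it is one reason not every card's certificate shows up in the prompt. The hostname `wlc.example.net`, the `WLC_HOST`/`WLC_PORT` variables and the transcript in `SAMPLE_S_CLIENT` are constructed placeholders, not output from a real controller.

```shell
#!/bin/sh
# Added diagnostic for this thread (not the poster's or Cisco's code).
# Assumptions: WLC_HOST/WLC_PORT are placeholders; SAMPLE_S_CLIENT below is a
# constructed s_client transcript, not a capture from a real controller.
WLC_HOST="${WLC_HOST:-wlc.example.net}"
WLC_PORT="${WLC_PORT:-443}"

# Open a TLS handshake to the controller's HTTPS server without offering a
# client certificate. If the server sends a TLS CertificateRequest, s_client
# prints the issuer DNs it accepts under "Acceptable client certificate CA names".
probe_wlc() {
  openssl s_client -connect "$WLC_HOST:$WLC_PORT" -servername "$WLC_HOST" </dev/null 2>&1
}

# Reduce an s_client transcript (stdin) to the facts that matter for client-cert
# auth: was a client cert requested, which CAs are accepted, any TLS alert seen,
# and how the server's own certificate verified.
summarize_s_client() {
  awk '
    /^Acceptable client certificate CA names/ { in_ca = 1; print "client-auth: REQUESTED"; next }
    /^No client certificate CA names sent/   { print "client-auth: REQUESTED (no CA list, any cert may be offered)"; next }
    in_ca && /^(Client Certificate Types|Requested Signature Algorithms|---)/ { in_ca = 0 }
    in_ca { print "accepted-ca: " $0; next }
    /alert/ { print "alert: " $0; next }
    /^Verify return code/ { print "server-cert: " $0 }
  '
}

# Constructed transcript: a self-signed server cert, two acceptable client CAs,
# and a "certificate unknown" alert of the kind the original post describes.
SAMPLE_S_CLIENT='CONNECTED(00000003)
depth=0 CN = wlc.example.net
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = wlc.example.net
   i:CN = wlc.example.net
---
Acceptable client certificate CA names
C = US, O = U.S. Government, OU = Example Agency, CN = Example Agency PIV CA
C = US, O = Example Corp, CN = Example Corp Issuing CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 1432 bytes and written 380 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 18 (self signed certificate)
---
140432:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:ssl/record/rec_layer_s3.c:1543:SSL alert number 46'

# Stand-alone demo on the constructed transcript. Against the real controller:
#   probe_wlc | summarize_s_client
printf '%s\n' "$SAMPLE_S_CLIENT" | summarize_s_client
```

Read the output in this order: no `client-auth:` line means the server never asked for a certificate, so check that `ip http secure-client-auth` is present and that the HTTP server was reset afterwards; an `accepted-ca:` list that lacks the CA that issued a card's PIV authentication certificate explains a card missing from the browser prompt; a `certificate unknown` alert after the client sends its certificate is, per RFC 5246, the server reporting an unspecified problem validating the peer certificate, which on the controller is checked against the trustpoint named in `ip http secure-peer-verify-trustpoint`; an `internal error` alert is, by the same RFC, a failure on the server side unrelated to the peer, which is the case for TAC.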