Cisco Expressway Maintenance Manual
Field: Allow CRL downloads from CDPs
Description: Controls whether the download of CRLs from the CDP URIs contained in X.509 certificates is allowed.

Field: Fallback behavior
Description: Controls the revocation checking behavior if the revocation status cannot be established, for example if the revocation source cannot be contacted.
  Treat as revoked: treat the certificate as revoked (and thus do not allow the TLS connection).
  Treat as not revoked: treat the certificate as not revoked.
  Default: Treat as not revoked
Usage tips: Treat as not revoked ensures that your system continues to operate in a normal manner if the revocation source cannot be contacted, however it does potentially mean that revoked certificates will be accepted.
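The interaction between the two settings above is easiest to see as a decision procedure. The following Python is an added illustration, not Cisco code and not the Expressway's implementation: it models a CRL lookup that first consults locally managed CRLs, then (if allowed) tries each CDP URI from the certificate, and only falls back to the configured behavior when no source can establish the status. The CDP URIs, issuer names, serial numbers and CRL contents are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: what a download from each hypothetical CDP URI would return
# (a set of revoked serial numbers). Any other URI is treated as unreachable.
SAMPLE_CDP_CRLS: Dict[str, Set[int]] = {
    "http://crl.example.invalid/issuing-ca.crl": {0x1001, 0x1003},
}

FALLBACK_REVOKED = "Treat as revoked"
FALLBACK_NOT_REVOKED = "Treat as not revoked"


class CrlFetchError(Exception):
    """Raised when a CRL cannot be downloaded from a CDP URI (source not contactable)."""


@dataclass
class ClientCert:
    serial: int
    issuer: str
    cdp_uris: List[str] = field(default_factory=list)  # from the certificate's CDP extension


def fetch_crl_from_cdp(cdp_uri: str) -> Set[int]:
    """Stand-in for an HTTP download of a CRL; returns the revoked serials it lists."""
    try:
        return SAMPLE_CDP_CRLS[cdp_uri]
    except KeyError:
        raise CrlFetchError(f"cannot contact CDP {cdp_uri}") from None


def check_revocation(cert: ClientCert, allow_cdp_downloads: bool, fallback: str,
                     local_crls: Optional[Dict[str, Set[int]]] = None,
                     fetch=fetch_crl_from_cdp) -> str:
    """Return 'revoked' or 'not revoked' for cert.

    local_crls maps an issuer name to the serials in a manually uploaded CRL
    (the CRL management page); allow_cdp_downloads mirrors 'Allow CRL downloads
    from CDPs'; fallback mirrors 'Fallback behavior'.
    """
    if fallback not in (FALLBACK_REVOKED, FALLBACK_NOT_REVOKED):
        raise ValueError(f"unknown fallback behavior: {fallback!r}")

    # 1. A locally managed CRL for this issuer settles the status without any download.
    local_crls = local_crls or {}
    if cert.issuer in local_crls:
        return "revoked" if cert.serial in local_crls[cert.issuer] else "not revoked"

    # 2. Otherwise try each CDP URI in the certificate, but only if downloads are allowed.
    if allow_cdp_downloads:
        for uri in cert.cdp_uris:
            try:
                revoked_serials = fetch(uri)
            except CrlFetchError:
                continue  # try the next distribution point
            return "revoked" if cert.serial in revoked_serials else "not revoked"

    # 3. Status could not be established: apply the configured fallback behavior.
    return "revoked" if fallback == FALLBACK_REVOKED else "not revoked"


def allow_tls_connection(cert: ClientCert, **settings) -> bool:
    """The connection is permitted only when the certificate is not considered revoked."""
    return check_revocation(cert, **settings) != "revoked"


if __name__ == "__main__":
    reachable = ClientCert(0x1001, "CN=Issuing CA", ["http://crl.example.invalid/issuing-ca.crl"])
    unreachable = ClientCert(0x1001, "CN=Issuing CA", ["http://down.example.invalid/ca.crl"])
    for fb in (FALLBACK_REVOKED, FALLBACK_NOT_REVOKED):
        print(fb, "/ CDP reachable:", check_revocation(reachable, True, fb))
        print(fb, "/ CDP unreachable:", check_revocation(unreachable, True, fb))
```

The last case in the demo is the one the usage tip warns about: serial 0x1001 is actually listed in the CRL, but with the CDP unreachable and the default fallback, the connection is allowed.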
Configuring certificate-based authentication
The Certificate-based authentication configuration page (Maintenance > Security certificates > Certificate-based authentication configuration) is used to configure how the Expressway retrieves authorization credentials (the username) from a client browser's certificate.
This page is only accessible if Client certificate-based security (on the System administration page) has been set to Certificate-based authentication. This setting means that the standard login mechanism is no longer available and that administrators can log in only if they present a valid browser certificate — typically provided via a smart card (also referred to as a Common Access Card or CAC) — and the certificate contains appropriate credentials that have a suitable authorization level.
Enabling certificate-based authentication
The recommended procedure for enabling certificate-based authentication is described below:
1. Add the Expressway's trusted CA and server certificate files (on the Trusted CA certificate and Server certificate pages, respectively).
2. Configure certificate revocation lists (on the CRL management page).
3. Use the Client certificate testing page to verify that the client certificate you intend to use is valid.
4. Set Client certificate-based security to Certificate validation (on the System administration page).
5. Restart the Expressway.
6. Use the Client certificate testing page again to set up the required regex and format patterns to extract the username credentials from the certificate.
7. Only when you are sure that the correct username is being extracted from the certificate, set Client certificate-based security to Certificate-based authentication.
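Steps 6 and 7 hinge on a regex plus a format pattern turning a certificate field into a username, and on checking that mapping before the standard login is switched off. The Python below is an added example of that mechanism in generic form; it is not the Expressway's pattern syntax or code. It assumes the regex uses Python named groups and the format pattern references them as `{group}`, fails closed when nothing can be extracted, and includes a verify step over known certificates (the subject DN and the LAST.FIRST.ID naming convention are constructed sample values).

```python
import re
from typing import List, Tuple

# Constructed sample subject DN from a hypothetical smart-card certificate.
SAMPLE_SUBJECT_DN = "CN=DOE.JOHN.1234567890,OU=Engineering,O=Example Org,C=US"

# Assumed patterns for this example: the regex captures named groups from the DN,
# the format pattern assembles the username from those groups.
SAMPLE_REGEX = r"CN=(?P<last>[^.,]+)\.(?P<first>[^.,]+)\.(?P<id>\d+)"
SAMPLE_FORMAT = "{first}.{last}"


class UsernameExtractionError(Exception):
    """No username could be derived from the certificate; the login must be refused."""


def extract_username(subject_dn: str, regex: str, format_pattern: str) -> str:
    """Apply regex to the DN and build the username from format_pattern.

    Fails closed: a non-matching regex, a format pattern naming a group the
    regex does not define, or an empty result all raise rather than returning
    something that might accidentally map to an existing account.
    """
    match = re.search(regex, subject_dn)
    if match is None:
        raise UsernameExtractionError("regex did not match the certificate subject")
    # Drop optional groups that did not participate so they cannot render as 'None'.
    groups = {name: value for name, value in match.groupdict().items() if value is not None}
    try:
        username = format_pattern.format(**groups)
    except (KeyError, IndexError) as exc:
        raise UsernameExtractionError(f"format pattern references an unknown group: {exc}") from None
    if not username.strip():
        raise UsernameExtractionError("extracted username is empty")
    return username


def verify_patterns(regex: str, format_pattern: str,
                    expected: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the patterns over (subject_dn, expected_username) pairs.

    Returns a list of (dn, expected, actual) mismatches; an empty list means
    every known certificate maps to the intended username, which is the
    condition step 7 asks for before switching the mode on.
    """
    failures = []
    for dn, want in expected:
        try:
            got = extract_username(dn, regex, format_pattern)
        except UsernameExtractionError as exc:
            got = f"<error: {exc}>"
        if got != want:
            failures.append((dn, want, got))
    return failures


if __name__ == "__main__":
    print(extract_username(SAMPLE_SUBJECT_DN, SAMPLE_REGEX, SAMPLE_FORMAT))
    print(verify_patterns(SAMPLE_REGEX, SAMPLE_FORMAT, [(SAMPLE_SUBJECT_DN, "JOHN.DOE")]))
```

Keeping the verify step separate from extraction means the same pattern pair can be checked against every administrator's test certificate in one pass, and any certificate whose DN does not fit the convention shows up as a mismatch rather than as a silent login failure after step 7.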
Authentication versus authorization
When the Expressway is operating in certificate-based authentication mode, user authentication is managed by a process external to the Expressway.
When a user attempts to log in to the Expressway, the Expressway will request a certificate from the client browser. The browser may then interact with a card reader to obtain the certificate from the smart card (or alternatively the certificate may already be loaded into the browser). To release the certificate from the
Cisco Expressway Administrator Guide (X8.5.2)
Page 230 of 403
Maintenance
About security certificates