Cisco Expressway Maintenance Manual
card/browser, the user will typically be requested to authenticate themselves by entering a PIN. If the client certificate received by the Expressway is valid (signed by a trusted certificate authority, in date and not revoked by a CRL) then the user is deemed to be authenticated.
To determine the user's authorization level (read-write, read-only and so on) the Expressway must extract the user's authorization username from the certificate and present it to the relevant local or remote authorization mechanism.
Note that if the client certificate is not protected (by a PIN or some other mechanism) then unauthenticated access to the Expressway may be possible. This lack of protection may also apply if the certificates are stored in the browser, although some browsers do allow you to password protect their certificate store.
Obtaining the username from the certificate
The username is extracted from the client browser's certificate according to the patterns defined in the Regex and Username format fields on the Certificate-based authentication configuration page:
- In the Regex field, use the (?<name>regex) syntax to supply names for capture groups so that matching sub-patterns can be substituted in the associated Username format field, for example, /(Subject:.*, CN=(?<Group1>.*))/m.
- The Username format field can contain a mixture of fixed text and the capture group names used in the Regex. Delimit each capture group name with #, for example, prefix#Group1#suffix. Each capture group name will be replaced with the text obtained from the regular expression processing.
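As an added illustration (not Cisco's code or the Expressway's own implementation), the following JavaScript emulates the Regex plus Username format processing described above; the subject line, the tighter second pattern and the behaviour when a referenced group captures nothing are assumptions made for this example.

```javascript
// Added example, not Cisco's code: emulate how a Regex with named capture
// groups and a Username format template turn a client certificate's
// subject into an authorization username.  Subject text, the tighter
// pattern and the failure behaviour are assumptions for illustration.

// Constructed certificate subject line, in the "Subject: ..." form the
// page's example regex expects.
const SUBJECT = "Subject: C=GB, O=Example Corp, OU=Video, CN=alice";

// The page's example pattern is also a valid JavaScript regex literal:
// the named capture group Group1 holds whatever follows "CN=".
const PAGE_REGEX = /(Subject:.*, CN=(?<Group1>.*))/m;

// Apply the regex, then substitute each #name# in the username format
// with the matching capture group.  Returns null when the regex does not
// match or the template references a group that captured nothing, so a
// caller can refuse access rather than fall through to an empty name.
function extractUsername(certText, regex, usernameFormat) {
  const m = regex.exec(certText);
  if (m === null) return null;
  const groups = m.groups || {};
  let missing = false;
  const username = usernameFormat.replace(/#([^#]+)#/g, (_, name) => {
    if (groups[name] === undefined) { missing = true; return ""; }
    return groups[name];
  });
  return missing ? null : username;
}

// Greedy ".*" captures to the end of the line, so any attribute placed
// after CN ends up inside the username.  The assumed tighter pattern
// below stops at the next comma instead.
const TIGHT_REGEX = /Subject:.*, CN=(?<Group1>[^,]+)/m;
const TRAILING =
  "Subject: C=GB, O=Example Corp, CN=alice, emailAddress=alice@example.com";

// Worked results on the constructed inputs.
console.log(extractUsername(SUBJECT, PAGE_REGEX, "prefix#Group1#suffix"));
console.log(extractUsername(TRAILING, PAGE_REGEX, "#Group1#"));
console.log(extractUsername(TRAILING, TIGHT_REGEX, "#Group1#"));
console.log(extractUsername("Subject: C=GB, O=No CN here", PAGE_REGEX, "#Group1#"));
```

Run with node; the second line of output shows the trailing emailAddress attribute swallowed into the username by the greedy pattern, which is worth checking before relying on the extracted name for authorization.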
Username format combinations to a certificate.
Testing client certificates
The Client certificate testing page (Maintenance > Security certificates > Client certificate testing) is . You can:
- Test whether a client certificate is valid when checked against the Expressway's current trusted CA list and, if loaded, the revocation list (see ).
- Test the outcome of applying the regex and template patterns that retrieve a certificate's authorization credentials (the username).
You can test against:
- a certificate on your local file system
- the browser's currently loaded certificate
To test if a certificate is valid:
1. Select the Certificate source. You can choose to:
   - upload a test file from your file system in either PEM or plain text format; if so click Browse to select the certificate file you want to test
   - test against the certificate currently loaded into your browser (only available if the system is already configured to use Certificate validation and a certificate is currently loaded)
2. Ignore the Certificate-based authentication pattern section - this is only relevant if you are extracting authorization credentials from the certificate.
Cisco Expressway Administrator Guide (X8.5.2)
Page 231 of 403
Maintenance
About security certificates