Cisco Expressway Maintenance Manual
2. Configure certificate revocation lists (on the CRL management page).
3. Use the Client certificate testing page to verify that the client certificate you intend to use is valid.
4. Set Client certificate-based security to Certificate validation (on the System administration page).
5. Restart the Expressway.
6. Use the Client certificate testing page again to set up the required regex and format patterns to extract the username credentials from the certificate.
7. Only when you are sure that the correct username is being extracted from the certificate, set Client certificate-based security to Certificate-based authentication.
Authentication versus authorization
When the Expressway is operating in certificate-based authentication mode, user authentication is managed by a process external to the Expressway.

When a user attempts to log in to the Expressway, the Expressway will request a certificate from the client browser. The browser may then interact with a card reader to obtain the certificate from the smart card (or alternatively the certificate may already be loaded into the browser). To release the certificate from the card/browser, the user will typically be requested to authenticate themselves by entering a PIN. If the client certificate received by the Expressway is valid (signed by a trusted certificate authority, in date and not revoked by a CRL) then the user is deemed to be authenticated.

To determine the user's authorization level (read-write, read-only and so on) the Expressway must extract the user's authorization username from the certificate and present it to the relevant local or remote authorization mechanism.

Note that if the client certificate is not protected (by a PIN or some other mechanism) then unauthenticated access to the Expressway may be possible. This lack of protection may also apply if the certificates are stored in the browser, although some browsers do allow you to password protect their certificate store.
Obtaining the username from the certificate
The username is extracted from the client browser's certificate according to the patterns defined in the Regex and Username format fields on the Certificate-based authentication configuration page:

- In the Regex field, use the (?<name>regex) syntax to supply names for capture groups so that matching sub-patterns can be substituted in the associated Username format field, for example, /(Subject:.*, CN=(?<Group1>.*))/m.
- The Username format field can contain a mixture of fixed text and the capture group names used in the Regex. Delimit each capture group name with #, for example, prefix#Group1#suffix. Each capture group name will be replaced with the text obtained from the regular expression processing.
Username format combinations to a certificate.
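The following added example (written for this page, not Cisco's own code) emulates the Regex and Username format processing in Python so the behaviour can be exercised offline before it is enabled on a live system. It assumes the Regex is matched against a textual rendering of the client certificate; the certificate dump, the translation of the (?<name>regex) syntax into Python's (?P<name>regex) form, and the helper names are all constructed for illustration. The second regex in the usage section deliberately shows how a loose pattern picks up the Issuer CN instead of the Subject CN, which is exactly the kind of mistake step 7 above tells you to rule out before switching to Certificate-based authentication.

```python
import re

# Constructed sample of a client certificate rendered as text (the kind of
# decoded dump a Regex like the one on this page is written against).
# Not a real certificate; names and dates are made up.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Example Corp, CN=Example Issuing CA
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2026 GMT
        Subject: C=US, O=Example Corp, OU=Video Admins, CN=alice.admin
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:alice.admin@example.com
"""

# Matches "(?<" only when a group name follows, so lookbehinds "(?<=" / "(?<!"
# are left alone.
_NAMED_GROUP = re.compile(r"\(\?<(?=[A-Za-z_])")

# A capture-group placeholder inside the Username format, e.g. "#Group1#".
_PLACEHOLDER = re.compile(r"#(\w+)#")


def expressway_regex_to_python(pattern: str) -> re.Pattern:
    """Translate a /regex/flags value of the form shown on this page into a
    compiled Python pattern.  (?<name>...) becomes (?P<name>...) because
    Python's re module spells named groups that way.  Only the m, i and s
    trailing flags are understood here (an assumption of this example)."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.DOTALL)
    if m:
        body, flag_chars = m.group(1), m.group(2)
    else:
        body, flag_chars = pattern, ""
    flags = 0
    for ch in flag_chars:
        if ch == "m":
            flags |= re.MULTILINE
        elif ch == "i":
            flags |= re.IGNORECASE
        elif ch == "s":
            flags |= re.DOTALL
        else:
            raise ValueError(f"unsupported regex flag {ch!r}")
    return re.compile(_NAMED_GROUP.sub("(?P<", body), flags)


def extract_username(cert_text: str, regex: str, username_format: str):
    """Apply the Regex to the certificate text and replace every #Name#
    placeholder in the Username format with the text captured by that group.
    Returns None when the regex does not match, or when the format refers to
    a group the regex did not define or did not capture."""
    match = expressway_regex_to_python(regex).search(cert_text)
    if match is None:
        return None
    captures = match.groupdict()

    def fill(placeholder: re.Match) -> str:
        value = captures.get(placeholder.group(1))
        if value is None:
            raise KeyError(placeholder.group(1))
        return value

    try:
        return _PLACEHOLDER.sub(fill, username_format)
    except KeyError:
        return None


def check_patterns(cert_text: str, regex: str, username_format: str,
                   expected_username: str) -> tuple:
    """Mirror of step 7 above: report what the patterns extract and whether it
    equals the username you expect the authorization mechanism to receive."""
    extracted = extract_username(cert_text, regex, username_format)
    return extracted, extracted == expected_username


if __name__ == "__main__":
    subject_cn = r"/(Subject:.*, CN=(?<Group1>.*))/m"   # the regex from this page
    any_cn = r"/(CN=(?<Group1>.*))/m"                     # too loose: first CN= wins
    print(check_patterns(SAMPLE_CERT_TEXT, subject_cn, "prefix#Group1#suffix",
                         "prefixalice.adminsuffix"))
    print(check_patterns(SAMPLE_CERT_TEXT, subject_cn, "#Group1#@example.com",
                         "alice.admin@example.com"))
    # The loose pattern matches the Issuer line first and yields the CA's name,
    # not the user's: the outcome step 7 tells you to catch before going live.
    print(check_patterns(SAMPLE_CERT_TEXT, any_cn, "#Group1#", "alice.admin"))
```

Because the Regex is applied with search semantics, the first place in the certificate text that satisfies it wins; anchoring the pattern on the Subject line (as the page's example does) is what keeps the Issuer CN from being taken for the username.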
Testing client certificates
The Client certificate testing page (Maintenance > Security certificates > Client certificate testing) is . You can:
Cisco Expressway Administrator Guide (X8.1)
Page 184 of 344