Cisco Expressway Maintenance Manual
Field: Client certificate-based security

Description:
Controls the level of security required to allow client systems (typically web browsers) to communicate with the Expressway over HTTPS.

Not required: the client system does not have to present any form of certificate.

Certificate validation: the client system must present a valid certificate that has been signed by a trusted certificate authority (CA). Note that a restart is required if you are changing from Not required to Certificate validation.

Certificate-based authentication: the client system must present a valid certificate that has been signed by a trusted CA and contains the client's authentication credentials.

Default: Not required

Usage tips:
Important:

Enabling Certificate validation means that your browser (the client system) can use the Expressway web interface only if it has a valid (in date and not revoked by a CRL) client certificate that is signed by a CA in the Expressway's trusted CA certificate list.

Ensure your browser has a valid client certificate before enabling this feature. The procedure for uploading a certificate to your browser may vary depending on the browser type and you may need to restart your browser for the certificate to take effect.

Enabling Certificate-based authentication means that the standard login mechanism is no longer available. You can log in only if your browser certificate is valid and the credentials it provides have the appropriate authorization levels. You can configure how the Expressway extracts credentials from the browser certificate on the page.

This setting does not affect client verification of the Expressway's server certificate.


Field: Certificate revocation list (CRL) checking

Description:
Specifies whether HTTPS client certificates are checked against certificate revocation lists (CRLs).

None: no CRL checking is performed.

Peer: only the CRL associated with the CA that issued the client's certificate is checked.

All: all CRLs in the trusted certificate chain of the CA that issued the client's certificate are checked.

Default: All

Usage tips:
Only applies if Client certificate-based security is enabled.


Field: CRL inaccessibility fallback behavior

Description:
Controls the revocation checking behavior if the revocation status cannot be established, for example if the revocation source cannot be contacted.

Treat as revoked: treat the certificate as revoked (and thus do not allow the TLS connection).

Treat as not revoked: treat the certificate as not revoked.

Default: Treat as not revoked

Usage tips:
Only applies if Client certificate-based security is enabled.
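
A small Python model of how the CRL checking and CRL inaccessibility fallback behavior settings combine for a client certificate that has already passed signature and date validation. This is an added example, not Cisco's implementation: the Issuer class, the allow_tls function, the CA names and the serial numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Issuer:
    name: str
    crl: Optional[Set[int]]  # revoked serials; None = CRL could not be retrieved

# One link = (serial of the certificate, CA that issued it), client certificate first.
Chain = List[Tuple[int, Issuer]]

def allow_tls(chain: Chain, crl_checking: str = "All",
              fallback: str = "Treat as not revoked") -> bool:
    """Model of the revocation decision, using the option names from the table."""
    if crl_checking not in ("None", "Peer", "All"):
        raise ValueError(f"unknown CRL checking mode: {crl_checking}")
    if fallback not in ("Treat as revoked", "Treat as not revoked"):
        raise ValueError(f"unknown fallback behavior: {fallback}")
    if crl_checking == "None":
        return True
    # Peer: only the CRL of the CA that issued the client certificate.
    links = chain[:1] if crl_checking == "Peer" else chain
    for serial, issuer in links:
        if issuer.crl is None:              # status cannot be established
            if fallback == "Treat as revoked":
                return False                # fail closed
            continue                        # fail open (the documented default)
        if serial in issuer.crl:
            return False
    return True

# Constructed sample data (hypothetical names and serial numbers).
root = Issuer("Example Root CA", crl={0x20})           # has revoked the issuing CA
root_clean = Issuer("Example Root CA", crl=set())
issuing = Issuer("Example Issuing CA", crl={0x1002})
issuing_down = Issuer("Example Issuing CA", crl=None)  # CRL source unreachable

revoked_intermediate: Chain = [(0x1001, issuing), (0x20, root)]
revoked_client_crl_down: Chain = [(0x1002, issuing_down), (0x21, root_clean)]

if __name__ == "__main__":
    for mode in ("None", "Peer", "All"):
        print(mode, allow_tls(revoked_intermediate, crl_checking=mode))
    for fb in ("Treat as not revoked", "Treat as revoked"):
        print(fb, allow_tls(revoked_client_crl_down, fallback=fb))
```

In this model, Peer accepts a client whose issuing CA has itself been revoked, and the default fallback accepts a revoked client certificate whenever the issuing CA's CRL cannot be retrieved.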
Cisco Expressway Administrator Guide (X8.1.1)
Network and system settings
Network services