Authentication Group Configuration Mode Commands
Authentication group configuration mode commands allow you to configure client authentication on a Secure Sockets Layer (SSL) proxy service by assigning the authentication group to the service.
To create an authentication group and access authgroup configuration mode, use the crypto authgroup command. The CLI prompt changes to (config-authgroup). Use the no form of this command to delete an existing authentication group.
crypto authgroup group_name
no crypto authgroup group_name
Syntax Description
group_name
    Name that you assign to the certificate authentication group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
A2(1.0)    This command was introduced.
A3(1.0)    This command was introduced.
Usage Guidelines
This command requires the SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
During a normal SSL handshake, the server sends its certificate to the client, and the client verifies the identity of the server through that certificate. By default, the client does not send any identification of its own to the server. When the client authentication feature is enabled on the ACE, the ACE requires the client to present a certificate of its own, which the ACE verifies against the certificates in the authentication group assigned to the SSL proxy service.
On the ACE, you define the group of certificates that are trusted as certificate signers by creating an authentication group.
Examples
To create the authentication group AUTH-CERT1, enter:
host1/Admin(config)# crypto authgroup AUTH-CERT1
Related Commands
(config) ssl-proxy service
(config-authgroup) cert
To add certificate files to the authentication group, use the cert command. You can configure an authentication group with up to ten certificates. Use the no form of this command to remove a certificate file from the authentication group.
cert cert_filename
no cert cert_filename
Syntax Description
cert_filename
    Name of an existing certificate file stored on the ACE. Enter an unquoted text string with no spaces and a maximum of 40 alphanumeric characters. To display a list of available certificate files, use the do show crypto files command.
Command Modes
Authgroup configuration mode
Admin and user contexts
Command History
A2(1.0)    This command was introduced.
A2(3.0)    The number of certificates in an authentication group increased from 4 to 10.
A3(1.0)    This command was introduced.
A4(1.0)    The number of certificates in an authentication group increased from 4 to 10.
Usage Guidelines
It is not necessary to add the certificates in any hierarchical order, because the ACE, as the device that verifies the client certificate, determines the correct chain order when it builds the path from the client certificate to a trusted signer.
Examples
To add the certificate files MYCERTS.PEM and MYCERTS_2.PEM to the authentication group, enter:
host1/Admin(config-authgroup)# cert MYCERTS.PEM
host1/Admin(config-authgroup)# cert MYCERTS_2.PEM
To remove the certificate file MYCERTS_2.PEM from the authentication group, enter:
host1/Admin(config-authgroup)# no cert MYCERTS_2.PEM
Related Commands
(config) crypto authgroup