
Client Certificate Authentication, Works but Not as Expected

First, I'm really disappointed with this new Lithium forum engine, and the lack of notification features. And, I posted a comment to the old Jive version of the discussion, and I don't know if anyone got notified about it. I would be tickled pink if the forum was reverted back to Jive.

My original comment is here: https://community.mcafee.com/t5/Web-Gateway/Using-client-certficates-for-authentication-on-wg-7-2-0-...

But, I'll restate it here if it were preferred that this be a new discussion.

This client certificate authentication configuration gave me some serious headaches, but I seem to have gotten it working. I'll have to post some of my findings when I finish testing.

But, I need to confirm: it seems to be working without opening a separate port. Rule traces and packet traces confirm this. I've also disabled the extra port, and it's authenticating. The redirection happens, but the port on the URL isn't picked up by the browser, which is what the browser is supposed to send to the proxy as the destination, and I don't see how the browser is supposed to be told to redirect to a different proxy.

Yet, I can see the certificate exchange on the main proxy port, though Wireshark won't interpret it as an SSL certificate exchange. I have to read the certificate DN through the binary dump.

So, does this make sense, or am I looking in the wrong places?


Accepted Solutions

Re: Client Certificate Authentication, Works but Not as Expected

I answered my own question, no thanks to a community killed by Lithium. If a browser's proxy exception list in the proxy settings is not set right, the browser will try to proxy the redirect to the "authentication server", leaving things on the proxy port. And, because Wireshark recognizes it as a proxy port, it does not decode the SSL. And, I've now got things working with a separate port for the authentication.
