Client Certificate Authentication, Works but Not as Expected

First, I'm really disappointed with this new Lithium forum engine, and the lack of notification features. And, I posted a comment to the old Jive version of the discussion, and I don't know if anyone got notified about it. I would be tickled pink if the forum was reverted back to Jive.

My original comment is here: https://community.mcafee.com/t5/Web-Gateway/Using-client-certficates-for-authentication-on-wg-7-2-0-...

But, I'll restate it here if it were preferred that this be a new discussion.

This client certificate authentication configuration gave me some serious headaches, but I seem to have gotten it working. I'll have to post some of my findings when I finish testing.

But, I need to confirm: it seems to be working without opening a separate port. Rule traces and packet traces confirm this. I've also disabled the extra port, and it's authenticating. The redirection happens, but the port on the URL isn't picked up by the browser, which is what the browser is supposed to send to the proxy as the destination, and I don't see how the browser is supposed to be told to redirect to a different proxy.

Yet, I can see the certificate exchange on the main proxy port, though Wireshark won't interpret it as an SSL certificate exchange. I have to read the certificate DN through the binary dump.

So, does this make sense, or am I looking in the wrong places?

Accepted Solutions

Re: Client Certificate Authentication, Works but Not as Expected

I answered my own question, no thanks to a community killed by Lithium. If a browser's proxy exception list in the proxy settings is not set right, the browser will try to proxy the redirect to the "authentication server", leaving things on the proxy port. And, because Wireshark recognizes it as a proxy port, it does not decode the SSL. And, I've now got things working with a separate port for the authentication.
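
One way to express the proxy exception described in the accepted solution above is a PAC file that sends requests for the authentication server direct and everything else to the proxy. This is an added example, not part of the original post or of the product's own configuration; the host names and the proxy port are constructed placeholders.

```javascript
// Added example: PAC (proxy auto-config) logic for the exception described
// in the thread. Host names and the port are constructed placeholders.
// Written with var/indexOf so older PAC engines can evaluate it.
var AUTH_SERVER_HOSTS = ["mwg-auth.example.com"]; // assumed auth-server name
var PROXY = "PROXY mwg.example.com:9090";         // assumed main proxy listener

// Browsers may pass the host in mixed case or as a fully qualified name
// with a trailing dot; normalize before comparing.
function normalizeHost(host) {
  return String(host || "").toLowerCase().replace(/\.$/, "");
}

// Exact match only: a name that merely starts with the auth-server name
// must not be treated as the auth server.
function isAuthServer(host) {
  return AUTH_SERVER_HOSTS.indexOf(normalizeHost(host)) !== -1;
}

// Standard PAC entry point. The browser calls it for every request,
// including the redirect to the authentication server.
function FindProxyForURL(url, host) {
  if (isAuthServer(host)) {
    // Connect straight to the authentication server's own port, so the
    // client-certificate TLS handshake happens there and not inside a
    // tunnel on the main proxy port.
    return "DIRECT";
  }
  return PROXY;
}
```

With the exception in place, the client-certificate handshake shows up in a capture as a direct TLS connection to the authentication port and no longer on the proxy port.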
