
Client Certificate Authentication, Works but Not as Expected

First, I'm really disappointed with this new Lithium forum engine, and the lack of notification features. And, I posted a comment to the old Jive version of the discussion, and I don't know if anyone got notified about it. I would be tickled pink if the forum was reverted back to Jive.

My original comment is here: https://community.mcafee.com/t5/Web-Gateway/Using-client-certficates-for-authentication-on-wg-7-2-0-...

But, I'll restate it here if it were preferred that this be a new discussion.

This client certificate authentication configuration gave me some serious headaches, but I seem to have gotten it working. I'll have to post some of my findings when I finish testing.

But, I need to confirm: it seems to be working without opening a separate port. Rule traces and packet traces confirm this. I've also disabled the extra port, and it's authenticating. The redirection happens, but the port on the URL isn't picked up by the browser, which is what the browser is supposed to send to the proxy as the destination, and I don't see how the browser is supposed to be told to redirect to a different proxy.

Yet, I can see the certificate exchange on the main proxy port, though Wireshark won't interpret it as an SSL certificate exchange. I have to read the certificate DN through the binary dump.

So, does this make sense, or am I looking in the wrong places?

Accepted Solutions

Re: Client Certificate Authentication, Works but Not as Expected

I answered my own question, no thanks to a community killed by Lithium. If a browser's proxy exception list in the proxy settings is not set right, the browser will try to proxy the redirect to the "authentication server", leaving things on the proxy port. And, because Wireshark recognizes it as a proxy port, it does not decode the SSL. And, I've now got things working with a separate port for the authentication.
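
Added example, not part of the original post or of McAfee's documentation: the proxy exception behaviour described in the accepted answer, written as proxy auto-config (PAC) style logic with a small helper that reports where the browser would open its connection. The host names, ports and the helper `connectionTarget` are constructed placeholders; the thread does not state the real values.

```javascript
// Constructed placeholder values; the post names no hosts or ports.
const PROXY = "PROXY proxy.example.internal:9090";
const AUTH_HOST = "auth.example.internal"; // hypothetical authentication server

// Misconfigured case: no exception exists, so the redirect to the
// authentication server is itself handed to the proxy port.
function findProxyNoException(url, host) {
  return PROXY;
}

// Corrected case: the authentication server is an exception and is
// contacted directly, so the client-certificate TLS handshake happens
// on the authentication port rather than inside proxy traffic.
function FindProxyForURL(url, host) {
  if (host.toLowerCase() === AUTH_HOST) {
    return "DIRECT";
  }
  return PROXY;
}

// Hypothetical helper: given PAC logic and a URL, return the host:port
// the browser would connect to. This is the endpoint to look for in a
// packet capture when checking which port carries the handshake.
function connectionTarget(pacFn, url) {
  const u = new URL(url);
  const decision = pacFn(url, u.hostname);
  if (decision === "DIRECT") {
    const port = u.port || (u.protocol === "https:" ? "443" : "80");
    return `${u.hostname}:${port}`;
  }
  return decision.replace(/^PROXY\s+/, "");
}

// Constructed redirect target for the authentication step.
const REDIRECT = "https://auth.example.internal:4444/authenticate";

console.log("no exception  ->", connectionTarget(findProxyNoException, REDIRECT));
console.log("with exception ->", connectionTarget(FindProxyForURL, REDIRECT));
console.log("other site     ->", connectionTarget(FindProxyForURL, "http://www.example.com/"));
```

When the first line of output shows the proxy port, a capture on that port will contain the certificate exchange without a TLS dissection, which matches what the original question observed.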
