Forum Discussion
On-Demand Cert Auth Fallback
So just to be clear, the On-Demand Cert Auth should be configured to "request" and the Client SSL profile certificate should be set to ignore?
Correct.
What is the difference between request and ignore, practically?
Ignore doesn't ask for a client cert and Request asks for one but fails open if the certificate is missing or invalid.
The point is that you shouldn't have TWO places where you're asking for a client certificate. The Client SSL profile will perform mutual authentication in the initial SSL handshake, while the APM On-Demand Cert Auth agent will perform an SSL renegotiation to "step-up" to mutual authentication. Some browsers can handle both, but it's never advisable to set it in both places.