Hi PJ

I am talking about the server's certificate validation. If there is a webserver behind the ASA and you are trying to access it using HTTPS through WebVPN, then the webserver's cert is not shown to us for validation. The ASA does the validation, and it seems the only validation it does is to check whether the cert is expired against its clock. The ASA can validate if it is a trusted cert or not as it doesn't have the root certs.

With regards
Kings

On Thu, Sep 30, 2010 at 7:51 PM, Pieter-Jan Nefkens <[email protected]> wrote:

> Hi Kings,
>
> Did you test client-based certificate authentication, or server certificate
> verification?
> The last the ASA can do, as the ASA can have a dns-server configured, so it
> can verify the subject of the certificate against the hostname you're trying
> to connect to. (Most common usage is that the client only validates that it
> is connecting to the specified hostname and that the certificate belonging
> to that hostname is valid.)
>
> About the client-based certificate, it could be that the ASA is using his
> certificate (if it's also from the same domain CA) as client authentication
> and not the certificate of your browser. You don't see that much
> client-based certificate authentication (WAAS Central manager and MS BITS
> use it), but for browsers with end users, haven't come across them that
> often.
>
> HTH
>
> PJ
>
> On 30 sep 2010, at 16:09, Kingsley Charles wrote:
>
> Hi all
>
> When you access any site using HTTPS in the webvpn portal, the remote user
> is never prompted with the certificate. The ASA does the certificate
> validation.
> How does the ASA do the cert validation? It doesn't have the certificate in
> its database, then how come it is validating the cert?
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> ---
> Nefkens Advies
> Enk 26
> 4214 DD Vuren
> The Netherlands
>
> Tel: +31 183 634730
> Fax: +31 183 690113
> Cell: +31 654 323221
> Email: [email protected]
> Web: http://www.nefkensadvies.nl/
>
> Think before you print.
