Cisco SPA2102-AU Provisioning Guide - Page 57

HTTPS With Client Certificate Authentication, HTTPS Client Filtering and Dynamic Content



Linksys SPA Provisioning Guide, Version 3.0, page 3-9
Chapter 3 Provisioning Tutorial
Secure Resync
HTTPS With Client Certificate Authentication
In the factory default configuration, the HTTPS server does not request SSL client certificates from clients. After the configuration is changed to enable client authentication, the server requires a valid client certificate to authenticate the SPA before it accepts the connection.
Because of this, the resync operation in this exercise cannot be independently tested with a browser that lacks the proper credentials. Nevertheless, the SSL handshake of the HTTPS connection between the test SPA and the server can be observed with the ssldump utility, whose trace shows the handshake messages exchanged between client and server (the profile itself travels afterwards in encrypted application-data records).
Exercise
Step 1
Enable client certificate authentication on the HTTPS server.
Step 2
In Apache (v.2), set the following in the server configuration file:
SSLVerifyClient require
Also ensure that spacroot.cert, the root certificate that signs the SPA client certificates, has been stored as shown in the previous exercise; Apache verifies the client certificate chain against it (the SSLCACertificateFile directive). With require, rather than optional, a client that presents no certificate or an untrusted one is rejected during the handshake, before any request reaches the server's content.
Step 3
Restart the HTTPS server and observe the syslog trace from the SPA.
Each resync to the server now performs mutual authentication: both the server certificate and the client certificate are verified before the profile is transferred.
Step 4
Using ssldump, capture a resync connection between the SPA and the HTTPS server.
If client certificate verification is properly enabled on the server, the ssldump trace shows the mutual exchange of certificates (first the server's certificate to the client, then the client's certificate to the server) before the encrypted records that carry the profile.
With client authentication enabled, only a SPA holding a valid client certificate, whose subject identifies the unit's MAC address, can request the profile from the provisioning server. A request from an ordinary browser or other device without such a certificate is rejected by the server. The MAC address check is only as strong as the trust anchor behind it: the server must trust only the SPA root certificate for client verification, not every CA installed on the host, or any client certificate issued by some other trusted CA would pass the handshake.
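The following Apache 2 virtual host is an added example, not configuration from the guide. It places the factory-style weak setting (commented out) beside the hardened one the exercise asks for. The hostname, the certificate and key paths and the CGI directory are assumptions; spacroot.cert is the root certificate referred to in the previous exercise.

```apache
<VirtualHost *:443>
    # Assumed hostname and server credential paths.
    ServerName prov.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Weak (factory-style): no client certificate is requested, so any HTTPS
    # client, a browser or a rogue device, can fetch the profile.
    # SSLVerifyClient none
    # "optional" is no better for provisioning: unauthenticated clients still
    # reach the CGI, which then has to do the rejecting itself.

    # Hardened: every client must present a certificate that chains to the SPA
    # root only (not the system CA bundle), or the handshake fails.
    # Assumed path for spacroot.cert.
    SSLCACertificateFile  /etc/apache2/ssl/spacroot.cert
    SSLVerifyClient require
    # Client certificates are signed directly by the root: depth 1.
    SSLVerifyDepth 1

    # Assumed CGI directory. +StdEnvVars exports SSL_CLIENT_S_DN,
    # SSL_CLIENT_S_DN_CN, SSL_CLIENT_VERIFY and friends to the scripts.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        SSLRequireSSL
        SSLOptions +StdEnvVars
        Require all granted
    </Directory>
</VirtualHost>
```

Apache does not accept comments on the same line as a directive, so the comments above sit on their own lines. After a restart, an ssldump capture of a resync should show the server's certificate followed by the client's, and a plain curl or browser request to the same URL should fail during the handshake rather than receive an HTTP error page.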
HTTPS Client Filtering and Dynamic Content
If the HTTPS server is configured to require client certificates, the information in each certificate identifies the resyncing SPA, and the server can use that identity to supply the unit with its own configuration.
The HTTPS server makes the certificate information available to CGI scripts (or compiled CGI programs) invoked as part of the resync request. In Apache 2 with mod_ssl, the certificate fields are exported as SSL_CLIENT_* environment variables (for example SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY) only when SSLOptions +StdEnvVars is set for the CGI directory. For the purpose of illustration, this exercise uses the open source Perl scripting language, and assumes that Apache (v.2) is used as the HTTPS server.
Exercise
Step 1
Install Perl on the host running the HTTPS server.
Step 2
Generate the following Perl reflector script:
#!/usr/bin/perl -wT
use strict;
# CGI response header; the SPA accepts the profile as text/plain.
print "Content-Type: text/plain\n\n";
# Open the flat profile and the GPP_D element into which the certificate
# fields exported by the server are reflected back to the SPA.
print "<flat-profile><GPP_D>";
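The reflector script above only echoes certificate fields back to the SPA so that they can be inspected. The following CGI program is an added example, not code from the guide, and is written in Python rather than the guide's Perl; it takes the next step this section describes and uses the client certificate identity to select per-device content. It assumes Apache mod_ssl with SSLVerifyClient require and SSLOptions +StdEnvVars, so that SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN are in the environment, and it assumes the certificate CN contains the unit's MAC address. The device table and every parameter name other than GPP_D are constructed for illustration.

```python
#!/usr/bin/env python3
"""Per-device profile generator for an HTTPS resync (added example).

Assumes Apache mod_ssl exports the client certificate verification result as
SSL_CLIENT_VERIFY and the subject CN as SSL_CLIENT_S_DN_CN, and that the CN
contains the unit's 12-hex-digit MAC address (assumption for illustration).
"""
import os
import re
import sys
from xml.sax.saxutils import escape

# Constructed device table: MAC address -> parameters for that unit.
# GPP_D is the element used by the guide's reflector; Proxy_1_ is assumed.
DEVICE_TABLE = {
    "000E08AABBCC": {"GPP_D": "lab-unit-1", "Proxy_1_": "sip.example.com"},
    "000E08DDEEFF": {"GPP_D": "lab-unit-2", "Proxy_1_": "sip.example.com"},
}

# Six hex pairs, optionally separated by ':' or '-', not embedded in a longer
# hex run (so "SPA2102-000E08AABBCC" yields the MAC, not "2102000E08AA").
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}[:-]?){6})(?![0-9A-Fa-f])"
)


def mac_from_cn(cn):
    """Return the MAC address from the certificate CN, or None if absent."""
    m = MAC_RE.search(cn or "")
    if not m:
        return None
    return re.sub(r"[:-]", "", m.group(1)).upper()


def build_profile(environ):
    """Return (status, body) for one resync request.

    Defence in depth: SSLVerifyClient require already drops clients without a
    valid certificate at the handshake, but a vhost mistakenly set to optional
    or none would still run this script, so the exported result is re-checked.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return "403 Forbidden", "client certificate required\n"
    mac = mac_from_cn(environ.get("SSL_CLIENT_S_DN_CN"))
    params = DEVICE_TABLE.get(mac) if mac else None
    if params is None:
        # A certificate that verified but names no unit we provision: no profile.
        return "404 Not Found", "unknown unit\n"
    body = "<flat-profile>"
    for name, value in params.items():
        # Escape values so a hostname or label cannot inject extra elements.
        body += "<%s>%s</%s>" % (name, escape(value), name)
    body += "</flat-profile>\n"
    return "200 OK", body


def main():
    """CGI entry point: Apache turns the Status: header into the HTTP status."""
    status, body = build_profile(os.environ)
    sys.stdout.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n" % status)
    sys.stdout.write(body)


if __name__ == "__main__":
    main()
```

Install the script in the CGI directory configured with SSLOptions +StdEnvVars and point the SPA's profile rule at it. A unit whose certificate names a MAC address in DEVICE_TABLE receives its own flat profile; a unit with a valid certificate but an unknown MAC gets 404; anything that reaches the script without a verified certificate gets 403.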