am_gli_287451
Apr 26, 2017

2-Factor with certificate -> user check

Hi,

I've got the following scenario:

I should configure two-factor authentication with a user certificate. So in the first place it should be normal AD auth, and as the second factor the user should be asked for his certificate.

I've imported the user certificate for user test1 into the browser and created this policy:

I've imported the user certificate to the F5. In the client SSL profile I've set the initial check to "ignore" and "Client Authentication -> Trusted CA" to the imported certificate (CA?).

A test with user test1 works properly: I get the browser pop-up, I choose the certificate, and the authentication works.

So, let's come to my problem: if I log in with user test2, do the AD auth, and then choose the same certificate that was issued for user test1, I also succeed, but I shouldn't!

I assume the problem is that the ODCA checks only whether the certificate is valid.

How can I achieve that the certificate is only valid for user test1?

Am I using the wrong box in the VPE?

Or do I need to check with an expression whether the username from AD auth is the same as the username in the user certificate?

What could this expression look like?

Or am I totally misunderstanding this certificate thing? :)

Thanks in advance!

 

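One way to express the comparison asked about above, as an added example that is not part of the original post and not an F5 answer: a VPE branch rule placed after the On-Demand Cert Auth agent, so that a valid certificate alone is no longer enough and the certificate's subject name has to match the account that passed AD auth. It assumes the AD Auth agent stored the logon name in session.logon.last.username, the certificate agent stored the subject DN in session.ssl.cert.subject, and that the DN appears in the form "CN=test1,OU=Users,DC=example,DC=com" (the regexp and the case-insensitive match are the assumed parts).

```tcl
# APM branch rule (Advanced tab), evaluated after On-Demand Cert Auth.
# Added example: the session variable names follow APM's documented naming
# and the subject-DN format (comma- or slash-separated RDNs) is an assumption.
#
# Take the "cert matches user" branch only when the CN in the certificate
# subject equals the AD logon name (case-insensitive); route the fallback
# branch to Deny so a certificate issued to test1 cannot finish test2's logon.
expr {
    [string tolower [string trim [mcget {session.logon.last.username}]]] ne "" &&
    [string tolower [string trim [mcget {session.logon.last.username}]]] eq
    [string tolower [lindex [regexp -inline -nocase {(?:^|[,/])\s*CN=([^,/]+)} \
        [mcget {session.ssl.cert.subject}]] 1]]
}
```

If the certificate carries the account name in a different attribute (for example a UPN in the Subject Alternative Name rather than the CN), the regexp and source variable need to be adjusted accordingly; the on-demand check itself only proves the client holds a certificate chaining to the configured Trusted CA, so this name match is what binds the certificate to the AD account.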