Forum Discussion
The-messenger_1
Nimbostratus
NimbostratusActiveSync Client Cert Auth - no password prompt
I've seen a few threads, tagged on to some of them, but still no real solid answers. I would like to know the recommended / best config to implement client certificate authentication for ActiveSync....
Configure 2nd iApp for EAS, keep iRules, attached 'exchange' profile. The APM docs on AskF5 outline on-demand cert auth: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/17.htmlconceptid. The proper APM profile should handle clientless mode.
Configure 2nd iApp for EAS, keep iRules, attached 'exchange' profile. The APM docs on AskF5 outline on-demand cert auth: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/17.htmlconceptid. The proper APM profile should handle clientless mode.
- The-messenger
Cirrostratus
Thanks Fred!
I have done as you suggest. Configured second iapp with ActiveSync specific selections. Configured ClientSSL profile adding the client authentication information. prior to this I configured our AD Certificate Authority In the Access profile, I have added a client cert inspection branch before the logon page.
Airwatch sends the cert/payload, APM checks for a valid cert, sends on the next step in the policy. iOS and Android devices are checking successfully.
Works great!
- The-messenger
Thanks for the help on this Fred. Going back to this thread, I am good with verifying the cert issued by our CA, I can require it as 1 authentication method. But I have not been able to use it as my only authentication method, there are pieces missing.
I've seen an ask f5 guide for this with older versions, but nothing for 12.1.1 or beyond. Have you seen a doc, or can you help, with the pieces required for client cert auth, no password?
