APM Machine Tunnel - Machine Cert Auth Check Failing
It really isn't clear in the documentation, but Machine Certificate Authentication (MCA) isn't compatible with Machine Tunnels. To authenticate client certificates with Machine Tunnels, you would use On-Demand Certificate Authentication (ODCA) instead of MCA.
ODCA requires that you configure a CA on the F5 that can validate the client certificate. This CA would be configured in a ClientSSL profile for the VIP and set as the CA and Advertised CA. The profile would be set to "ignore" client certificate validation. Within the APM policy you define "ODCA" for authentication of the Machine Tunnel client type.
Russell