For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Robert_Decker_2's avatar
Robert_Decker_2
Icon for Nimbostratus rankNimbostratus
Feb 01, 2006

Authenticate customer using SSL client certificate or LDAP

I was wondering if anyone could show me how to perform multiple methods of authentication within an Irule. I would like to use ssl authentication against a client certificate as the first method, how...
application delivery
dev
devops
iRules
Robert_Decker_2's avatar
Robert_Decker_2
Icon for Nimbostratus rankNimbostratus
Feb 24, 2006
Thank you for the help Joe and Colin. I really appreciate your patience. I have tried to combine rules using Joe's suggestion. I tried to combine the existing sys_auth_ldap rule with an ssl client cert rule from previous posts. Below is my Irule:

 

 

 

when CLIENT_ACCEPTED {

 

set tmm_auth_http_collect_count 0

 

array set tmm_auth_http_sids {ldap -1}

 

}

 

 

when CLIENTSSL_CLIENTCERT {

 

set $has_client_cert 1

 

}

 

 

 

when CLIENTSSL_HANDSHAKE {

 

set cur [SSL::sessionid]

 

set ask [session lookup ssl $cur]

 

if { $ask eq "" } { session add ssl [SSL::sessionid] [SSL::cert 0] }

 

}

 

 

 

when HTTP_REQUEST {

 

if { [info exists has_client_cert] } {

 

set id [SSL::sessionid]

 

set the_cert [session lookup ssl $id]

 

if { $the_cert != ""} {

 

HTTP::header insert SSLClientCertSubject [X509::subject $the_cert]

 

HTTP::header insert SSLClientCertIssuer [X509::issuer $the_cert]

 

HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $the_cert]

 

HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $the_cert]

 

HTTP::header insert SSLClientCert [b64encode $the_cert]

 

}

 

}

 

if { ! [info exists has_client_cert] } {

 

 

set tmm_auth_sid $tmm_auth_http_sids(ldap)

 

if {$tmm_auth_sid == -1} {

 

set tmm_auth_sid [AUTH::start pam default_ldap]

 

array set tmm_auth_http_sids [list ldap $tmm_auth_sid]

 

}

 

AUTH::username_credential $tmm_auth_sid [HTTP::username]

 

AUTH::password_credential $tmm_auth_sid [HTTP::password]

 

AUTH::authenticate $tmm_auth_sid

 

if {$tmm_auth_http_collect_count == 0} {

 

HTTP::collect

 

set tmm_auth_http_successes 0

 

}

 

incr tmm_auth_http_collect_count

 

}

 

}

 

when AUTH_SUCCESS {

 

if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {

 

incr tmm_auth_http_successes

 

if {[info exists tmm_auth_http_sufficient_successes]} {

 

if {$tmm_auth_http_successes >=

 

$tmm_auth_http_sufficient_successes} {

 

foreach {type sid} [array get tmm_auth_http_sids] {

 

if {$type ne "ldap" && $sid ne -1} {

 

AUTH::abort $sid

 

array set tmm_auth_http_sids [list $type -1]

 

}

 

}

 

set tmm_auth_http_collect_count 0

 

HTTP::release

 

} else {

 

incr tmm_auth_http_collect_count -1

 

if {$tmm_auth_http_collect_count == 0} {

 

HTTP::respond 401

 

}

 

}

 

} else {

 

incr tmm_auth_http_collect_count -1

 

if {$tmm_auth_http_collect_count == 0} {

 

HTTP::release

 

}

 

}

 

}

 

}

 

when AUTH_FAILURE {

 

if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {

 

if {[llength [array names tmm_auth_http_sids]] > 1} {

 

if {[info exists tmm_auth_http_sufficient_successes]} {

 

incr tmm_auth_http_collect_count -1

 

if {$tmm_auth_http_collect_count == 0} {

 

HTTP::respond 401

 

}

 

} else {

 

foreach {type sid} [array get tmm_auth_http_sids] {

 

if {$type ne "ldap" && $sid ne -1} {

 

AUTH::abort $sid

 

array set tmm_auth_http_sids [list $type -1]

 

}

 

}

 

set tmm_auth_http_collect_count 0

 

HTTP::respond 401

 

}

 

} else {

 

set tmm_auth_http_collect_count 0

 

HTTP::respond 401

 

}

 

}

 

}

 

when AUTH_WANTCREDENTIAL {

 

if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {

 

if {[llength [array names tmm_auth_http_sids]] > 1} {

 

if {[info exists tmm_auth_http_sufficient_successes]} {

 

incr tmm_auth_http_collect_count -1

 

if {$tmm_auth_http_collect_count == 0} {

 

HTTP::respond 401

 

}

 

} else {

 

foreach {type sid} [array get tmm_auth_http_sids] {

 

if {$type ne "ldap" && $sid ne -1} {

 

AUTH::abort $sid

 

array set tmm_auth_http_sids [list $type -1]

 

}

 

}

 

set tmm_auth_http_collect_count 0

 

HTTP::respond 401

 

}

 

} else {

 

set tmm_auth_http_collect_count 0

 

HTTP::respond 401

 

}

 

}

 

}

 

when AUTH_ERROR {

 

if {$tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id]} {

 

if {[llength [array names tmm_auth_http_sids]] > 1} {

 

if {[info exists tmm_auth_http_sufficient_successes]} {

 

incr tmm_auth_http_collect_count -1

 

if {$tmm_auth_http_collect_count == 0} {

 

HTTP::respond 401

 

}

 

} else {

 

foreach {type sid} [array get tmm_auth_http_sids] {

 

if {$type ne "ldap" && $sid ne -1} {

 

AUTH::abort $sid

 

array set tmm_auth_http_sids [list $type -1]

 

}

 

}

 

set tmm_auth_http_collect_count 0

 

HTTP::respond 401

 

}

 

} else {

 

set tmm_auth_http_collect_count 0

 

HTTP::respond 401

 

}

 

}

 

}

 

 

 

The Irule seems to work for the LDAP portion, however it doesn't seem like it can check the certificate. I check the local traffic log and see the following:

 

 

TCL error: Rule op CLIENTSSL_CLIENTCERT - cant read has_client_cert: no such variable while executing set $has_client_cert 1

 

 

Am I missing something when setting or naming variable? Any help would be greatly appreciated.

 

 

Thanks again,

 

Rob