Forum Discussion
Robert_Decker_2
Nimbostratus
Feb 01, 2006
Authenticate customer using SSL client certificate or LDAP
I was wondering if anyone could show me how to perform multiple methods of authentication within an iRule. I would like to use SSL authentication against a client certificate as the first method, how...
Robert_Decker_2
Nimbostratus
Mar 09, 2006
Thank you for all the help! I've made some changes and they seem to be working. The iRule will begin by prompting for a client cert. It will complete the request if the cert is valid or redirect to another website if not. You can cancel out of the client cert portion and be prompted for a username and password. The connection will complete if you have valid credentials or redirect to yet another website if you fail. Could someone look this over to see if I am making any rookie mistakes (I am a programming newbie)? Thank you in advance.
when CLIENT_ACCEPTED {
    # Per-connection state for the LDAP (PAM) auth session: none started yet.
    set tmm_auth_http_collect_count 0
    array set tmm_auth_http_sids {ldap -1}
}

when CLIENTSSL_CLIENTCERT {
    # Fires only if the client actually presents a certificate. Store the cert
    # and the verifier's result text under the SSL session id so HTTP_REQUEST
    # can look it up; the entry expires after 180 seconds.
    set ssl_cert [SSL::cert 0]
    set ssl_errstr [X509::verify_cert_error_string [SSL::verify_result]]
    set ssl_stuff [list $ssl_cert $ssl_errstr]
    session add ssl [SSL::sessionid] $ssl_stuff 180
}

when HTTP_REQUEST {
    # The back end trusts these headers as set by the BIG-IP, so strip any
    # copies the client supplied before deciding whether to insert our own.
    foreach hdr {SSLClientCertStatus SSLClientCertValidFrom SSLClientCertValidUntil SSLClientCertSubject SSLClientCertIssuer} {
        HTTP::header remove $hdr
    }

    set ssl_stuff2 [session lookup ssl [SSL::sessionid]]
    if { $ssl_stuff2 ne "" } {
        # Method 1: a client certificate was presented on this SSL session.
        set ssl_cert2 [lindex $ssl_stuff2 0]
        set ssl_errstr2 [lindex $ssl_stuff2 1]
        if { $ssl_errstr2 eq "ok" } {
            # Valid cert: pass its attributes to the application and let the
            # request through.
            HTTP::header insert SSLClientCertStatus $ssl_errstr2
            HTTP::header insert SSLClientCertValidFrom [X509::not_valid_before $ssl_cert2]
            HTTP::header insert SSLClientCertValidUntil [X509::not_valid_after $ssl_cert2]
            HTTP::header insert SSLClientCertSubject [X509::subject $ssl_cert2]
            HTTP::header insert SSLClientCertIssuer [X509::issuer $ssl_cert2]
        } else {
            # Cert presented but failed verification: send the client elsewhere.
            HTTP::redirect "http://x.x.x.x"
        }
    } else {
        # Method 2: no certificate, so fall back to HTTP basic credentials
        # checked against LDAP through the PAM auth profile default_ldap.
        set tmm_auth_sid $tmm_auth_http_sids(ldap)
        if { $tmm_auth_sid == -1 } {
            set tmm_auth_sid [AUTH::start pam default_ldap]
            array set tmm_auth_http_sids [list ldap $tmm_auth_sid]
        }
        AUTH::username_credential $tmm_auth_sid [HTTP::username]
        AUTH::password_credential $tmm_auth_sid [HTTP::password]
        AUTH::authenticate $tmm_auth_sid
        # Hold the request until the AUTH_* event decides what to do with it.
        if { $tmm_auth_http_collect_count == 0 } {
            HTTP::collect
            set tmm_auth_http_successes 0
        }
        incr tmm_auth_http_collect_count
    }
}

when AUTH_SUCCESS {
    if { $tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id] } {
        incr tmm_auth_http_successes
        if { [info exists tmm_auth_http_sufficient_successes] } {
            if { $tmm_auth_http_successes >= $tmm_auth_http_sufficient_successes } {
                # Enough methods succeeded: abort any other pending auth
                # sessions and release the held request.
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if { $type ne "ldap" && $sid ne -1 } {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::release
            } else {
                incr tmm_auth_http_collect_count -1
                if { $tmm_auth_http_collect_count == 0 } {
                    HTTP::respond 401
                }
            }
        } else {
            # Only LDAP is in use here, so one success is enough: let the
            # request through once every outstanding auth session has reported.
            incr tmm_auth_http_collect_count -1
            if { $tmm_auth_http_collect_count == 0 } {
                HTTP::release
            }
        }
    }
}

when AUTH_FAILURE {
    if { $tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id] } {
        if { [llength [array names tmm_auth_http_sids]] > 1 } {
            if { [info exists tmm_auth_http_sufficient_successes] } {
                incr tmm_auth_http_collect_count -1
                if { $tmm_auth_http_collect_count == 0 } {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if { $type ne "ldap" && $sid ne -1 } {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            # Bad username/password: send the client to the failure site.
            set tmm_auth_http_collect_count 0
            HTTP::respond 302 Location "http://y.y.y.y"
        }
    }
}

when AUTH_WANTCREDENTIAL {
    # No (or incomplete) credentials yet: challenge the browser for them.
    if { $tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id] } {
        if { [llength [array names tmm_auth_http_sids]] > 1 } {
            if { [info exists tmm_auth_http_sufficient_successes] } {
                incr tmm_auth_http_collect_count -1
                if { $tmm_auth_http_collect_count == 0 } {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if { $type ne "ldap" && $sid ne -1 } {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            set tmm_auth_http_collect_count 0
            HTTP::respond 401
        }
    }
}

when AUTH_ERROR {
    # The auth subsystem itself failed (e.g. LDAP unreachable): fail closed
    # with a 401 rather than letting the request through.
    if { $tmm_auth_http_sids(ldap) eq [AUTH::last_event_session_id] } {
        if { [llength [array names tmm_auth_http_sids]] > 1 } {
            if { [info exists tmm_auth_http_sufficient_successes] } {
                incr tmm_auth_http_collect_count -1
                if { $tmm_auth_http_collect_count == 0 } {
                    HTTP::respond 401
                }
            } else {
                foreach {type sid} [array get tmm_auth_http_sids] {
                    if { $type ne "ldap" && $sid ne -1 } {
                        AUTH::abort $sid
                        array set tmm_auth_http_sids [list $type -1]
                    }
                }
                set tmm_auth_http_collect_count 0
                HTTP::respond 401
            }
        } else {
            set tmm_auth_http_collect_count 0
            HTTP::respond 401
        }
    }
}
Thank you again,
Rob
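The decision chain the post describes (verified client certificate first, otherwise basic credentials checked against the directory, otherwise a redirect) and the one check a reviewer would ask for, namely that the application-facing SSLClientCert* headers can only ever come from this hop, are easier to reason about outside the iRule event model. The following is an added Python model written for this page; it is not F5 code and not Rob's iRule. The TLS terminator is assumed to have already verified the certificate and to hand its attributes and verifier string to the model, and the LDAP bind is a constructed in-memory stand-in (fake_bind, _FAKE_DIRECTORY). The redirect placeholders are the ones from the post.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Redirect targets are the placeholders used in the post. The header names are
# the ones the iRule inserts for a valid certificate.
CERT_REDIRECT = "http://x.x.x.x"
CRED_REDIRECT = "http://y.y.y.y"
CERT_HEADERS = ("SSLClientCertStatus", "SSLClientCertValidFrom",
                "SSLClientCertValidUntil", "SSLClientCertSubject",
                "SSLClientCertIssuer")
_CERT_HEADERS_LC = {h.lower() for h in CERT_HEADERS}


@dataclass
class Request:
    headers: Dict[str, str]                 # headers exactly as the client sent them
    cert: Optional[Dict[str, str]] = None   # attributes of a presented cert, or None
    cert_error: str = "ok"                  # verifier result: "ok" or an error string


@dataclass
class Decision:
    action: str                             # "forward", "redirect" or "challenge"
    location: str = ""                      # redirect target when action == "redirect"
    headers: Dict[str, str] = field(default_factory=dict)  # headers sent onward or back


def parse_basic(value: str) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization value into (user, password), else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(req: Request, ldap_bind: Callable[[str, str], bool]) -> Decision:
    """Client certificate first; otherwise Basic credentials checked via ldap_bind."""
    # Identity headers are only trustworthy if this hop set them, so anything the
    # client sent under those names (in any letter case) is dropped up front.
    forwarded = {k: v for k, v in req.headers.items()
                 if k.lower() not in _CERT_HEADERS_LC}

    if req.cert is not None:
        if req.cert_error != "ok":
            return Decision("redirect", CERT_REDIRECT)
        forwarded.update({
            "SSLClientCertStatus": "ok",
            "SSLClientCertValidFrom": req.cert["not_before"],
            "SSLClientCertValidUntil": req.cert["not_after"],
            "SSLClientCertSubject": req.cert["subject"],
            "SSLClientCertIssuer": req.cert["issuer"],
        })
        return Decision("forward", headers=forwarded)

    creds = parse_basic(req.headers.get("Authorization", ""))
    if creds is None:
        # No usable credentials yet: challenge the browser (the iRule's 401).
        return Decision("challenge", headers={"WWW-Authenticate": 'Basic realm="ldap"'})
    user, password = creds
    if not ldap_bind(user, password):
        return Decision("redirect", CRED_REDIRECT)
    # The application never needs the password, so do not forward it.
    forwarded = {k: v for k, v in forwarded.items() if k.lower() != "authorization"}
    return Decision("forward", headers=forwarded)


# Constructed stand-in for the LDAP bind; a real deployment binds to the directory.
_FAKE_DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}


def fake_bind(user: str, password: str) -> bool:
    return _FAKE_DIRECTORY.get(user) == password


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser would send for these credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    good = {"subject": "CN=alice", "issuer": "CN=Example CA",
            "not_before": "Jan  1 00:00:00 2006 GMT", "not_after": "Jan  1 00:00:00 2007 GMT"}
    print(authenticate(Request({"Host": "app"}, cert=good), fake_bind))
    print(authenticate(Request({"Host": "app"}, cert=good, cert_error="certificate has expired"), fake_bind))
    print(authenticate(Request({"Authorization": basic_header("alice", "correct horse")}), fake_bind))
    print(authenticate(Request({"Authorization": basic_header("alice", "wrong")}), fake_bind))
```

The model makes the four outcomes from the post explicit and adds the header-stripping step: a request that arrives without a certificate but with its own SSLClientCertSubject header is forwarded without that header, so the application cannot be told a certificate was validated when none was.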