Forum Discussion
Robert_Decker_2
Nimbostratus
Feb 01, 2006
Authenticate customer using SSL client certificate or LDAP
I was wondering if anyone could show me how to perform multiple methods of authentication within an iRule. I would like to use SSL authentication against a client certificate as the first method, how...
Robert_Decker_2
Nimbostratus
Mar 16, 2006
I looked at another post and have tried to write the iRule with the code listed below. I keep getting errors when the rule goes to the authentication. Can SSL OCSP and LDAP be mixed into the same rule? Is there a way to write two rules and attach them to a virtual server? I would like to keep the format of the previous post; however, I am searching for anything that would work as a starting point. Any help would be greatly appreciated!
Thank you,
Rob
when CLIENT_ACCEPTED {
    # Initialise every variable the AUTH_* events compare against. The OCSP
    # session fires its events during the TLS handshake, before HTTP_REQUEST
    # has had a chance to set $asid_ldap; an unset variable in an expression
    # raises "can't read ... no such variable" and aborts the rule.
    set ldap_authed 0
    set asid_ldap ""
    set id ""
    # Start the SSL OCSP PAM session; it is fed the client cert below.
    set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
}
when CLIENTSSL_CLIENTCERT {
    # Hand the presented certificate and its issuer to the OCSP session and
    # pause the handshake until AUTH_SUCCESS / AUTH_FAILURE resumes it.
    AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
    AUTH::authenticate $tmm_auth_ssl_ocsp_sid
    SSL::handshake hold
    set id [SSL::sessionid]
}
when HTTP_REQUEST {
    # The OCSP outcome for this SSL session was stored in the session table.
    set id [SSL::sessionid]
    set sslstuff2 [session lookup ssl $id]
    log local0. "sslstuff2 is: $sslstuff2"
    # Tcl requires whitespace between the closing brace of the condition and
    # the opening brace of the body; "}{" is a syntax error.
    if { $sslstuff2 contains "success" } {
        log local0. "sslstuff2 successful"
    }
    if { $sslstuff2 contains "redirect" } {
        log local0. "sslstuff2 is redirecting"
        HTTP::redirect "http://y.y.y.y"
    }
    if { $sslstuff2 eq "" } {
        # No certificate result: fall back to LDAP with the HTTP Basic
        # credentials and hold the request until the LDAP session answers.
        log local0. "sslstuff2 is empty"
        set username [HTTP::username]
        set password [HTTP::password]
        set asid_ldap [AUTH::start pam default_ldap]
        AUTH::username_credential $asid_ldap $username
        AUTH::password_credential $asid_ldap $password
        AUTH::authenticate $asid_ldap
        HTTP::collect
    }
}
when AUTH_SUCCESS {
    # Both PAM sessions raise the same events; dispatch on the session id.
    if { $asid_ldap eq [AUTH::last_event_session_id] } {
        set ldap_authed 1
    }
    if { $ldap_authed == 1 } {
        log local0. "entering auth success"
        HTTP::release
    }
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        SSL::handshake resume
        set Z "success"
        session add ssl $id $Z
    }
}
when AUTH_FAILURE {
    if { $asid_ldap eq [AUTH::last_event_session_id] } {
        log local0. "entering auth failure"
        HTTP::respond 302 Location "http://x.x.x.x"
    }
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        # Let the handshake finish; HTTP_REQUEST will see "redirect".
        SSL::handshake resume
        set Z "redirect"
        session add ssl $id $Z
    }
}
when AUTH_WANTCREDENTIAL {
    if { $asid_ldap eq [AUTH::last_event_session_id] } {
        log local0. "entering auth want credential"
        HTTP::respond 401
    }
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}
when AUTH_ERROR {
    if { $asid_ldap eq [AUTH::last_event_session_id] } {
        log local0. "entering auth error"
        HTTP::respond 401
    }
    if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
        SSL::handshake resume
        set Z "redirect"
        session add ssl $id $Z
    }
}
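The post also asks whether the two methods can be split into two rules attached to the same virtual server. The following is an added example written for this page, not Rob's code and not an F5-supplied rule, showing that split: the first rule checks the client certificate via OCSP during the handshake, the second falls back to LDAP on the HTTP request only when no certificate was accepted. It reuses the PAM configuration names default_ssl_ocsp and default_ldap from the post; the rule names, the cert_ok / ocsp_sid / ldap_sid variables and the "Restricted" realm are constructed. It assumes the client SSL profile requests a client certificate and that per-connection variables set in one iRule are visible to the other iRules on the same virtual server, which is how both rules share $cert_ok. Because every rule on the virtual server receives every AUTH_* event, each handler checks [AUTH::last_event_session_id] against its own session id and guards with info exists so an event from the other rule's session cannot hit an unset variable.

```tcl
# --- iRule 1: cert_ocsp_auth (first in the virtual server's rule order) ----
# Validates the client certificate against the default_ssl_ocsp PAM config
# during the TLS handshake and records the outcome in $cert_ok.
when CLIENT_ACCEPTED {
    set cert_ok 0
    set ocsp_sid [AUTH::start pam default_ssl_ocsp]
}
when CLIENTSSL_CLIENTCERT {
    # Only start an OCSP check when a certificate was actually presented;
    # otherwise the handshake completes and the LDAP rule takes over.
    if { [SSL::cert count] > 0 } {
        AUTH::cert_credential $ocsp_sid [SSL::cert 0]
        AUTH::cert_issuer_credential $ocsp_sid [SSL::cert issuer 0]
        AUTH::authenticate $ocsp_sid
        SSL::handshake hold
    }
}
when AUTH_SUCCESS {
    # Act only on our own session; the LDAP rule's session raises the same event.
    if { [AUTH::last_event_session_id] eq $ocsp_sid } {
        set cert_ok 1
        SSL::handshake resume
    }
}
when AUTH_FAILURE {
    if { [AUTH::last_event_session_id] eq $ocsp_sid } {
        log local0. "client certificate rejected by OCSP; LDAP fallback will apply"
        SSL::handshake resume
    }
}
when AUTH_ERROR {
    if { [AUTH::last_event_session_id] eq $ocsp_sid } {
        # A responder error is not a "good" answer: leave cert_ok at 0 so the
        # connection still has to pass LDAP.
        log local0. "OCSP responder error; LDAP fallback will apply"
        SSL::handshake resume
    }
}

# --- iRule 2: ldap_fallback_auth (second on the same virtual server) -------
when HTTP_REQUEST {
    # Authenticated by certificate already? Let the request through untouched.
    if { [info exists cert_ok] && $cert_ok } {
        return
    }
    # Otherwise require HTTP Basic credentials and verify them via LDAP.
    if { [HTTP::username] eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Restricted\""
        return
    }
    set ldap_sid [AUTH::start pam default_ldap]
    AUTH::username_credential $ldap_sid [HTTP::username]
    AUTH::password_credential $ldap_sid [HTTP::password]
    AUTH::authenticate $ldap_sid
    # Hold the request until the LDAP session reports a result.
    HTTP::collect
}
when AUTH_SUCCESS {
    if { [info exists ldap_sid] && [AUTH::last_event_session_id] eq $ldap_sid } {
        HTTP::release
    }
}
when AUTH_FAILURE {
    if { [info exists ldap_sid] && [AUTH::last_event_session_id] eq $ldap_sid } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Restricted\""
    }
}
when AUTH_WANTCREDENTIAL {
    if { [info exists ldap_sid] && [AUTH::last_event_session_id] eq $ldap_sid } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"Restricted\""
    }
}
when AUTH_ERROR {
    if { [info exists ldap_sid] && [AUTH::last_event_session_id] eq $ldap_sid } {
        log local0. "LDAP authentication error"
        HTTP::respond 503
    }
}
```

The ordering matters: rule 1 must run before rule 2 so $cert_ok is initialised in CLIENT_ACCEPTED before any HTTP_REQUEST is processed. Keeping the certificate path and the LDAP path in separate rules also makes the failure modes easier to audit, since each rule only ever resumes the handshake or releases the request for the session it started.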