

Robert_Decker_2
Feb 01, 2006

Authenticate customer using SSL client certificate or LDAP

I was wondering if anyone could show me how to perform multiple methods of authentication within an iRule. I would like to use SSL authentication against a client certificate as the first method; however, everyone might not have the required client cert. I would like to know if it is possible to do the following:

1. Check incoming request for SSL client certificate
2. If certificate is present: validate user against trusted certificates and OCSP
3. Add client cert information to HTTP headers if SSL client authentication is successful, or move to LDAP authentication if not successful
4. If no certificate is present or certificate is invalid: use LDAP username and password
5. Add LDAP username and password (other client information that can be pulled from LDAP) into HTTP headers
6. Send client to a redirect page if both SSL and LDAP authentication fail

Thank you very much,

Rob
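The six steps in the question, written out as one iRule. This is an added example for the thread, not code from the original poster or from F5. It assumes a clientssl profile set to request (not require) a client certificate, with the trusted CA bundle on that profile doing the chain check; PAM auth configurations named default_ssl_ocsp and default_ldap; hypothetical header names X-Client-Cert-Subject, X-Auth-User and X-Auth-Method; and a placeholder redirect target https://login.example.com/denied. The detail a defender should not skip is the header stripping at the top of HTTP_REQUEST: the pool members will trust those headers, so any copy the client sent itself must be removed before the rule decides whether to insert its own.

```tcl
# Added example iRule (not from the original thread). Assumed names: auth
# configs default_ssl_ocsp / default_ldap, the X-Auth-* and X-Client-Cert-*
# headers, the realm string and the placeholder redirect URL.

when CLIENT_ACCEPTED {
    # Initialise everything the AUTH_* events compare against, so an event
    # for one method never hits an unset variable belonging to the other.
    set cert_sid ""
    set ldap_sid ""
    set cert_subject ""
    set sess_id ""
}

when CLIENTSSL_CLIENTCERT {
    # Step 1: start OCSP validation only when a certificate was presented;
    # clients without one finish the handshake and fall through to LDAP.
    if { [SSL::cert count] == 0 } {
        return
    }
    set sess_id [SSL::sessionid]
    set cert_subject [X509::subject [SSL::cert 0]]
    set cert_sid [AUTH::start pam default_ssl_ocsp]
    AUTH::cert_credential $cert_sid [SSL::cert 0]
    AUTH::cert_issuer_credential $cert_sid [SSL::cert issuer 0]
    AUTH::authenticate $cert_sid
    # Step 2: pause the handshake until the OCSP result arrives.
    SSL::handshake hold
}

when HTTP_REQUEST {
    # Remove any client-supplied copies of the identity headers first, so a
    # caller can never inject a "verified" identity that the pool would trust.
    HTTP::header remove X-Client-Cert-Subject
    HTTP::header remove X-Auth-User
    HTTP::header remove X-Auth-Method

    # Step 3: a certificate validated earlier in this SSL session (including a
    # resumed session, where CLIENTSSL_CLIENTCERT does not fire again) was
    # recorded in the session table under the SSL session id.
    set cached [session lookup ssl [SSL::sessionid]]
    if { [string match "cert:*" $cached] } {
        HTTP::header insert X-Client-Cert-Subject [string range $cached 5 end]
        HTTP::header insert X-Auth-Method "cert"
        return
    }

    # Step 4: no valid certificate, so fall back to Basic credentials checked
    # against LDAP; challenge first if the client sent no Authorization header.
    set username [HTTP::username]
    if { $username eq "" } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"LDAP\""
        return
    }
    set ldap_sid [AUTH::start pam default_ldap]
    AUTH::username_credential $ldap_sid $username
    AUTH::password_credential $ldap_sid [HTTP::password]
    AUTH::authenticate $ldap_sid
    # Step 5: headers are inserted now, but the request only leaves the box
    # when AUTH_SUCCESS releases it; on failure a 302 is sent in its place.
    HTTP::header insert X-Auth-User $username
    HTTP::header insert X-Auth-Method "ldap"
    HTTP::collect
}

when AUTH_SUCCESS {
    set sid [AUTH::last_event_session_id]
    if { $cert_sid ne "" && $sid eq $cert_sid } {
        # Remember the validated subject for one hour of SSL session reuse.
        session add ssl $sess_id "cert:$cert_subject" 3600
        SSL::handshake resume
    } elseif { $ldap_sid ne "" && $sid eq $ldap_sid } {
        HTTP::release
    }
}

when AUTH_FAILURE {
    set sid [AUTH::last_event_session_id]
    if { $cert_sid ne "" && $sid eq $cert_sid } {
        # Revoked or untrusted certificate: finish the handshake without
        # caching anything, so HTTP_REQUEST takes the LDAP path.
        SSL::handshake resume
    } elseif { $ldap_sid ne "" && $sid eq $ldap_sid } {
        # Step 6: both methods failed.
        HTTP::respond 302 Location "https://login.example.com/denied"
    }
}

when AUTH_ERROR {
    # OCSP responder or LDAP server unreachable: never let the request
    # through as if authentication had passed.
    set sid [AUTH::last_event_session_id]
    if { $cert_sid ne "" && $sid eq $cert_sid } {
        SSL::handshake resume
    } elseif { $ldap_sid ne "" && $sid eq $ldap_sid } {
        HTTP::respond 302 Location "https://login.example.com/denied"
    }
}

when AUTH_WANTCREDENTIAL {
    set sid [AUTH::last_event_session_id]
    if { $cert_sid ne "" && $sid eq $cert_sid } {
        SSL::handshake resume
    } elseif { $ldap_sid ne "" && $sid eq $ldap_sid } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"LDAP\""
    }
}
```

Attach this to the HTTPS virtual server only; the session-table entry is keyed on the SSL session id, so a plain-HTTP virtual server would never see a "cert:" entry and every request there would go to the LDAP branch. The one-hour timeout on the cached entry bounds how long a certificate that is revoked after its OCSP check keeps being accepted on a resumed session.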

14 Replies

  • Could anyone suggest how to add SSL OCSP into this rule? I would only like to check those clients with a cert status of "ok". I am under the impression that all SSL clients will connect to the Big IP and verify their cert status against root certs located on the Big IP (like CA bundle). The Big IP will then connect to an OCSP server to verify if the cert has been revoked (Please let me know if this is incorrect). I am afraid that I will kill all LDAP clients by attaching the sys auth SSL OCSP rule after the rule I have posted.

    Thank you for your help!

    Rob


  • I looked at another post and have tried to write the iRule with the code listed below. I keep getting errors when the rule goes to the authentication. Can SSL OCSP and LDAP be mixed into the same rule? Is there a way to write two rules and attach them to a virtual server? I would like to keep the format of the previous post; however, I am searching for anything that would work as a starting point. Any help would be greatly appreciated!

    Thank you,

    Rob


    when CLIENT_ACCEPTED {
        # Initialise every variable the AUTH_* events compare against, so an
        # OCSP event never trips over an unset $asid_ldap (and vice versa).
        set ldap_authed 0
        set asid_ldap ""
        set id ""
        set tmm_auth_ssl_ocsp_sid [AUTH::start pam default_ssl_ocsp]
    }

    when CLIENTSSL_CLIENTCERT {
        # Only hand a certificate to the OCSP auth session when one was presented;
        # clients without a cert complete the handshake and fall through to LDAP.
        if { [SSL::cert count] > 0 } {
            AUTH::cert_credential $tmm_auth_ssl_ocsp_sid [SSL::cert 0]
            AUTH::cert_issuer_credential $tmm_auth_ssl_ocsp_sid [SSL::cert issuer 0]
            AUTH::authenticate $tmm_auth_ssl_ocsp_sid
            # Pause the handshake until AUTH_SUCCESS/AUTH_FAILURE resumes it.
            SSL::handshake hold
            set id [SSL::sessionid]
        }
    }

    when HTTP_REQUEST {
        set id [SSL::sessionid]
        # Result of the OCSP check stored earlier for this SSL session, if any.
        set sslstuff2 [session lookup ssl $id]
        log local0. "sslstuff2 is: $sslstuff2"

        if { $sslstuff2 contains "success" } {
            log local0. "sslstuff2 successful"
            return
        }
        if { $sslstuff2 contains "redirect" } {
            log local0. "sslstuff2 is redirecting"
            HTTP::redirect "http://y.y.y.y"
            # HTTP::redirect does not end the event; stop here explicitly.
            return
        }
        if { $sslstuff2 eq "" } {
            log local0. "sslstuff2 is empty"
            set username [HTTP::username]
            set password [HTTP::password]
            set asid_ldap [AUTH::start pam default_ldap]
            AUTH::username_credential $asid_ldap $username
            AUTH::password_credential $asid_ldap $password
            AUTH::authenticate $asid_ldap
            # Park the request until the LDAP result arrives.
            HTTP::collect
        }
    }

    when AUTH_SUCCESS {
        if { $asid_ldap eq [AUTH::last_event_session_id] } {
            set ldap_authed 1
        }
        if { $ldap_authed == 1 } {
            log local0. "entering auth success"
            # Forward the request that HTTP_REQUEST collected.
            HTTP::release
        }
        if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
            SSL::handshake resume
            set Z "success"
            session add ssl $id $Z
        }
    }

    when AUTH_FAILURE {
        if { $asid_ldap eq [AUTH::last_event_session_id] } {
            log local0. "entering auth failure"
            HTTP::respond 302 Location "http://x.x.x.x"
        }
        if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
            # Let the handshake finish; HTTP_REQUEST then sees "redirect" for this session.
            SSL::handshake resume
            set Z "redirect"
            session add ssl $id $Z
        }
    }

    when AUTH_WANTCREDENTIAL {
        if { $asid_ldap eq [AUTH::last_event_session_id] } {
            log local0. "entering auth want credential"
            # A bare 401 does not make the browser prompt; send a Basic challenge
            # (realm name is a placeholder).
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"LDAP\""
        }
        if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
            reject
        }
    }

    when AUTH_ERROR {
        if { $asid_ldap eq [AUTH::last_event_session_id] } {
            log local0. "entering auth error"
            HTTP::respond 401
        }
        if { $tmm_auth_ssl_ocsp_sid eq [AUTH::last_event_session_id] } {
            SSL::handshake resume
            set Z "redirect"
            session add ssl $id $Z
        }
    }

  • Rob, in all of your SSL research, did you ever discover how to set up an iRule based on SSL domain? I have a wildcard certificate installed so that both login.mycompany.com & secure.mycompany.com resolve to the same IP. Now all I want to do is set:

    * https://login.myswaptree.com to PoolA
    * https://secure.myswaptree.com to PoolB

    I can get it to work for HTTP requests but not HTTPS. Any help would be greatly appreciated!!
  • I was able to figure out what my problem was this morning. I had an iRule set up on my HTTP virtual server but NOT on my HTTPS virtual server. Simple mistake on my part. I added the same rule to both and things worked!