Certificate Authentication on IPAD
The only thing you're doing here is adding or removing client cert checking, correct?
Ans: Yes. You are correct.
Are you doing this in the VPE or client SSL profile?
Ans: Cert check is on VPE and also on client SSL profile.
Are you using standard client and server SSL profiles? ProxySSL? SNI?
ANS: We need to check the client side cert. So we created a new SSL bundle that "request" client authentication and look for our CA as the cert issuer. For the backend webserver, we use the default serverssl profile.
Can you also set APM to debug logging mode and provide the log entries for when it fails?
ANS: Here is the output. I forgot to mention that we perform an LDAP query to check the username against an AD group membership. The logs below are from an unsuccessful attempt. However, APM was able to extract the username from my certificate as "johnpaul.Antony". So it sees the certificate and still does not allow me.
2014-06-27 12:38:23 Received User-Agent header: Mozilla%2f5.0%20(iPad%3b%20CPU%20OS%207_1_1%20like%20Mac%20OS%20X)%20AppleWebKit%2f537.51.2%20(KHTML%2c%20like%20Gecko)%20Version%2f7.0%20Mobile%2f11D201%20Safari%2f9537.53.
2014-06-27 12:38:23 Received client info - Type: Safari Version: 1 Platform: iOS CPU: unknown UI Mode: Mobile Smart Phone Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
2014-06-27 12:38:23 New session from client IP 208.185.x.x (ST=New Jersey/CC=US/C=NA) at VIP 10.16.20.50 Listener /Common/xxxxx_KABOIxxx (Reputation=Unknown)
2014-06-27 12:38:23 Username 'JohnPaul.Antony'
2014-06-27 12:38:23 Following rule 'User Group Membership' from item 'LDAP Query' to ending 'Allow'
2014-06-27 12:38:23 Access policy result: LTM+APM_Mode