Forum Discussion
Certificate Authentication on iPad
Hi, we have an HTTPS website which we would like to securely expose using BIG-IP with certificate authentication. Both laptops with Windows and iPads are allowed [no Android]. Each and every laptop in our company already has corporate-issued user certificates. Each and every company-provided iPad is managed by Airwatch. We have allowed Airwatch to issue certificates on behalf of the company, and Airwatch is an intermediate CA for us [in short, both laptops and iPads have our company-issued certificates].
We have configured LTM and APM rules to check for certificate.
Results: On a corporate laptop, it always works fine and we can see LTM+APM logs for successful cert authentication. On iPad, it never works and it states that I need a valid certificate.
Now you must suspect that something is wrong with the iPad Airwatch-issued cert. But it is not. It is a valid certificate, because if I change the backend server port from HTTPS to HTTP [and still expose the outside virtual server on HTTPS], the certificate check works fine on iPad. If I put it back on HTTPS for LTM to the backend web server, iPad does not work.
[In short] Backend web server on HTTPS:
LAPTOP -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTPS -> Web server =====> Works fine
IPAD -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTPS -> Web server =====> NOT WORKING
Backend web server on HTTP:
LAPTOP -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTP -> Web server =====> Works fine
IPAD -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTP -> Web server =====> Works fine
I have opened a TAC case and still have no answer from F5. Any idea will be much appreciated.
29 Replies
- John_Antony_162
Nimbostratus
I just configured the SSL client profile to ignore the cert and only kept the APM VPE cert check. I got the "access denied" page on my iPad. Logs below:
2014-06-27 12:51:58 Received User-Agent header: Mozilla%2f5.0%20(iPad%3b%20CPU%20OS%207_1_1%20like%20Mac%20OS%20X)%20AppleWebKit%2f537.51.2%20(KHTML%2c%20like%20Gecko)%20Version%2f7.0%20Mobile%2f11D201%20Safari%2f9537.53.
2014-06-27 12:51:58 Received client info - Type: Safari Version: 1 Platform: iOS CPU: unknown UI Mode: Mobile Smart Phone Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
2014-06-27 12:51:58 New session from client IP 208.185.x.x (ST=New Jersey/CC=US/C=NA) at VIP 10.16.20.50 Listener /Common/xxxx_KABOxxx (Reputation=Unknown)
2014-06-27 12:51:58 Following rule 'fallback' from item 'Client Cert Inspection' to ending 'Deny'
2014-06-27 12:51:58 Access policy result: Logon_Deny
2014-06-27 12:51:59 \N: Session deleted due to user logout request.
- Kevin_Stewart
Employee
Remove the Client Cert Inspection agent and try again.
- John_Antony_162
Nimbostratus
If I remove client-side SSL, it does not load the page.
- Kevin_Stewart
Employee
That's not what I'm saying. Your LTM VIP needs the client SSL profile (set to ignore) and the APM access policy. The access policy needs, basically:
Start -> On-Demand Cert Auth Agent -> Allow
You can add things after the ODCA, but the above is a minimal configuration. Do not use the Client Cert Inspection agent in the VPE.
If that doesn't work, remove the ODCA and set client SSL to request/require instead. Again, do not use the Client Cert Inspection agent. The client certificate values will still be available to the access session.
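As an added illustration of the client SSL side of the reply above (not configuration from the thread or from F5's documentation), the tmsh commands below create a client SSL profile that trusts the corporate chain but leaves the certificate demand to the On-Demand Cert Auth agent; the profile, cert, key and CA bundle names are assumed, and the access policy itself (Start -> ODCA -> Allow) is built in the VPE and is not shown.

```tmsh
# Client SSL profile for the virtual server: terminate TLS with the site
# cert, trust the corporate root plus the Airwatch intermediate CA bundle,
# but do NOT ask for the client cert in the handshake (peer-cert-mode ignore).
# The On-Demand Cert Auth agent in the access policy triggers the
# renegotiation and the certificate check instead.
# Names here (ipad_clientssl, corp_site.crt/.key, corp_ca_chain.crt) are assumed.
create ltm profile client-ssl ipad_clientssl defaults-from clientssl \
    cert corp_site.crt \
    key corp_site.key \
    ca-file corp_ca_chain.crt \
    peer-cert-mode ignore

# Fallback the reply describes if ODCA does not work: drop the ODCA from the
# access policy and let the profile itself request the certificate.
# 'request' lets a client without a cert reach the policy's fallback branch;
# 'require' fails the handshake outright when no certificate is presented.
modify ltm profile client-ssl ipad_clientssl peer-cert-mode request
```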
- John_Antony_162
Nimbostratus
Wow, you nailed it, man. ODCA did the trick. I can access from the iPad with the cert check without any issues. You beat TAC's 3-4 weeks of work in an hour. Thanks a lot.
Now if I try to access from a laptop/iPad without a corporate cert, I get the generic SSL connection error page without it stating that the cert is missing. Is there a way to show the regular error page?
- Kevin_Stewart
Employee
Set the ODCA to request and you should follow the fallback branch of the ODCA if the client doesn't present a cert.
- John_Antony_162
Nimbostratus
Yep. I changed the ODCA to request [it was require before] with fallback to Deny. Now I can see the F5 error page loading properly.
Thanks a lot for your wonderful help. I am new to DevCentral. Is there a way that I can provide credits to your answers?
- John_Antony_162
Nimbostratus
Just to confirm, why was it not working with 'Client Cert Inspection'? Is this specific to Windows?
- Kevin_Stewart
Employee
"Why was it not working with 'Client Cert Inspection'? Is this specific to Windows?"
Interesting question, and truthfully I don't really know. I do know that the Client Cert Inspection agent is largely redundant based on the existing functionality present in the client SSL profile.
- ryanhjohnson_28
Nimbostratus
I'm trying to do the same thing: allow iPads on our APM. But I want to control who is allowed to connect, only corporate assets. We manage our iPads using JAMF Pro. I've tried following the info above with no such luck.
I have ODCA within the VPE and set to request; if successful, I move on to SAML authentication, otherwise it fails. And it's failing. I call myself setting the client SSL cert to ignore.
Please advise.
- Kevin_Stewart
Employee
Do you know where it's failing? Is it failing at the client cert auth, or at the SAML auth?
- ryanhjohnson_28
Nimbostratus
It's failing at ODCA. I'm not convinced I have everything set right from the SSL point of view.
- ryanhjohnson_28
Nimbostratus
I have it working if I don't include any cert macros in the VPE. But I want/need to control what iOS devices connect.