Forum Discussion

John_Antony_162
Jun 27, 2014

Certificate Authentication on iPad

Hi, We have an HTTPS website which we would like to securely expose using BIG-IP using certificate authentication. Both laptops with Windows and iPads are allowed [no Android]. Each and every laptop in our company already has corporate-issued user certificates. Each and every company-provided iPad is managed by Airwatch. We have allowed Airwatch to issue certificates on behalf of the company and Airwatch is an intermediate CA for us [in short, both laptops and iPads have our company-issued certificates].

 

We have configured LTM and APM rules to check for certificate.

 

Results: On a corporate laptop, it always works fine and we can see LTM+APM logs for successful cert authentication. On the iPad, it never works and it states that I need a valid certificate.

 

Now you may suspect that something is wrong with the iPad Airwatch-issued cert. But it is not. It is a valid certificate, because if I change the backend server port from HTTPS to HTTP [and still expose the outside virtual server on HTTPS], the certificate check works fine on the iPad. If I put it back on HTTPS for LTM to the backend web server, the iPad does not work.

 

[In short] Backend Web server on HTTPS:

 

LAPTOP -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTPS -> Web server =====> Works fine
iPad -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTPS -> Web server =====> NOT WORKING

 

Backend Web server on HTTP:

 

LAPTOP -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTP -> Web server =====> Works fine
iPad -> Internet -> HTTPS [LTM + APM CERT CHECK] -> HTTP -> Web server =====> Works fine

 

I have opened a TAC case and still no answer from F5. Any idea will be much appreciated.

 

29 Replies

  • It's failing at ODCA. I'm not convinced I have everything set right from the SSL point of view.

     

    Okay, so let's then clarify how it's failing ODCA.

     

    • Do you get prompted for a client certificate on the iPad?
    • If yes, does the client SSL profile contain a Trusted Certificate Authorities CA bundle that can validate the certificate sent by the iPad?
    • If yes, can you perform an SSLDUMP on the F5 to see where the handshake is failing?

       

      ssldump -AdNn -i [client VLAN] port 443 [and any additional filters]

       

  • No, I'm not getting prompted for a cert. It's just failing to log in on the iPad. When I look at the logs, it's following the ODCA fallback route. I have the ODCA set to request also.

     

    So, I have the MDM profile on the iPad that is pushed down by JAMF Pro. I also took the root cert from JAMF Pro and added that cert to the APM.

     

    I suspect I have something configured wrong but I'm struggling to identify what.

     

    Thanks for your assistance.

     

  • Do you have the corresponding private key that matches the client cert?

     

    In the SSLDUMP, do you see where the server asks for the client cert, or does it fail before that? If you do see the server's Certificate message, what happens after that?

     

    You said that it works when you don't do ODCA in the VPE, so sounds like basic SSL is working. It could be that the cert and key are just in the wrong place on the iPad, and/or the user agent (Safari?) can't access them.

     

  • I didn't import a key with the JAMF cert onto the APM if that's what you mean.

     

    I haven't run an SSL dump yet, what syntax should be used?

     

    I'm actually using the F5 Access app, should we be trying Safari instead?

     

  • I didn't import a key with the JAMF cert onto the APM if that's what you mean.

     

    The mobile device needs both a certificate and the corresponding private key. In the absence of the private key, the client simply wouldn't attempt to send the certificate.

     

    I haven't run an SSL dump yet, what syntax should be used?

     

    ssldump -AdNn -i [client vlan] port 443 [and any additional tcpdump-style filters]

     

    I'm actually using the F5 Access app, should we be trying Safari instead?

     

    Wouldn't hurt to try.

     
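Two of the checks raised in this reply and the one before it (does the client cert chain to the CA bundle that will go in the client SSL profile's Trusted Certificate Authorities field, and is a matching private key actually present) can be done offline before pushing the identity to the device or capturing the handshake with ssldump. This is an added example, not code from the thread or from F5; it assumes openssl is on PATH, and the file names and the throwaway CA it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): offline pre-flight checks for a client
# identity before pushing it to the device or running ssldump on the BIG-IP.
# Assumes openssl is on PATH; all file names below are placeholders.
set -eu

# Check 1: does the client cert chain to the CA bundle that will sit in the
# client SSL profile's Trusted Certificate Authorities field?
cert_chains_to_bundle() {   # $1 = CA bundle (PEM), $2 = client cert (PEM)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the private key belong to this cert? A client only offers a
# cert in the handshake when it holds the matching key, so compare the public
# key embedded in the cert with the one derived from the private key.
key_matches_cert() {        # $1 = client cert (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed test data: a throwaway root CA, one client identity issued by it,
# and an unrelated key (stands in for "cert loaded, wrong or no key on device").
make_demo_identity() {      # $1 = scratch directory
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-ipad-user" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
}

# Stand-alone demo: sh check_client_identity.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_demo_identity "$work"
    cert_chains_to_bundle "$work/ca.pem" "$work/client.pem" && echo "chain: ok"
    key_matches_cert "$work/client.pem" "$work/client.key" && echo "key: ok"
    key_matches_cert "$work/client.pem" "$work/other.key" || echo "other.key: mismatch (expected)"
    rm -rf "$work"
fi
```

Run the same two functions against the real CA bundle, the MDM-issued cert and the key that was provisioned with it; a chain failure points at the Trusted Certificate Authorities bundle, a key mismatch explains a client that is never prompted and never sends a cert.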

  • Wait, your F5 client SSL profile would already have a private key, otherwise normal (non-authenticated) SSL wouldn't work. The mobile client (iPad) needs a private key to go with the client certificate. Without the private key, the iPad would not be able to send a certificate.

     

    Do you get to select a cert when you use Safari?