Forum Discussion
Certificate based authentication based on Client Certificates
Hi,
We have a requirement wherein client laptops would be having a certificate (Client Authentication certificate) which should be checked when clients try to communicate with the server, and this is working. Now we are going to publish this URL over the internet and we want the same clients to be authenticated on F5 (we have an APM license as well). Just wanted to know how to proceed and what would be required to get it done on F5. This would be the first time we would be doing this type of configuration.
Thanks in advance
5 Replies
- amolari
Cirrostratus
With APM, you can:
- define an SSL client profile with the setting Client Authentication / Client Certificate = Ignore, but configure the rest (Trusted/advertised cert authorities...)
- in the Access Policy VPE, add an "On-Demand Cert Auth" Authentication action
Alex
- amolari
Cirrostratus
The certificate must be of usage "Client Authentication", such as standard User certificates. If you have such a certificate from Symantec it's fine. User certificates from your internal PKI -> OK.
Client Authentication / Client Certificate = Ignore is configured so if you want the client-auth to be performed at the APM level (with "On-Demand certificate check"). That has the advantage of:
- being able to configure a fallback (another authentication method, for example)
- displaying the logon_deny page if the user doesn't have the certificate
Basically, if you check the certificate at the LTM level (Client Authentication / Client Certificate = require, for example), a user without a certificate will get a TCP reset.
Alex