F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Nuruddin_Ahmed_'s avatar
Nuruddin_Ahmed_
Icon for Cirrostratus rankCirrostratus
Apr 19, 2016

Certificate based authentication based on Client Certificates

Hi,   We have a requirement wherein client laptops would be having a certificate (Client authentication certificate) which should be checked when Clients tries to communicate with the server and t...
application delivery
BIG-IP
BIG-IP Access Policy Manager (APM)
amolari's avatar
amolari
Icon for Cirrostratus rankCirrostratus
Apr 21, 2016

The certificate must of usage "Client Authentication", such as standard User certificates. If you have such certificate from Symantec it's fine. User certificates from your internal PKI -> OK.

 

Client Authentication / Client Certificate = Ignore is configured so, if you want the client-auth being performed at the APM-level (with "On-demand certificate check"). That has the advantage of: - be able to configure a fallback (other authentication method for example) - display the logon_deny page if user doesn't have the certificate

 

Basically, if you check the certificate the the LTM level (Client Authentication / Client Certificate = require for ex), the user without a certificate will get a TCP-reset.

 

Alex