Forum Discussion
certificate based authentication using LTM
With the understanding that you cannot do certificate-based authentication to a server if a device in front of it terminates (and optionally re-encrypts) the SSL between the client and server, you have basically two options:
- Let the proxy do the SSL offload and certificate consumption, and find another way to authenticate at the server. This is something that APM does particularly well, especially for Exchange and SharePoint. You may not have it in your architecture now, but it's definitely worth a look. The added benefit of an "authentication proxy" is that you can "pre-authenticate" users. You can do SSL offload, certificate revocation, and any other auth/security validations BEFORE a single packet ever touches the CAS server.
- Simply don't offload SSL. If you remove the client and server SSL profiles from the VIP, the SSL will pass straight through from the client to the server. Of course doing this you lose all insight into the traffic and any significant ability to act on that traffic. You could also use the ProxySSL feature. Basically, you check the ProxySSL option and apply the backend server's PRIVATE key to a set of client and server SSL profiles, and then apply both to the VIP. The private key in the profiles allows the VIP to transparently negotiate the same session encryption key that the client and server will use, allowing it the ability to silently decrypt and re-encrypt the SSL without either party being the wiser. There are implications to this option though. You must allow the client and server to negotiate an end-to-end connection, so you can't have any preemptive processes inline, or any iRules that may switch server pool members based on some criteria. There is also a limitation, currently, with ProxySSL and the ciphers that it can support, so some clients and/or servers may have a problem using it. Otherwise, you can in fact do client certificate auth to CAS with ProxySSL. You'll want to get up to 11.3 HF5 at the least, as this version makes some significant improvements to ProxySSL.
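The two "don't offload" variants from the answer above, written out as tmsh configuration. This is an added illustration, not configuration posted by the answer's author or shipped by F5; the virtual server name `vs_cas_443`, the profile names and the certificate/key object names are placeholders, and the profile properties are as I understand them on the 11.x releases the answer refers to (check `help ltm profile client-ssl` on your own unit before relying on them).

```tmsh
# Variant A: pure passthrough. Strip both SSL profiles from the VIP so the
# TLS session runs end to end between the client and the CAS server. The
# client certificate handshake then reaches the server untouched, but the
# BIG-IP sees only ciphertext (no HTTP profile, no L7 iRules, no OneConnect).
modify ltm virtual vs_cas_443 profiles delete { clientssl serverssl }

# Variant B: ProxySSL. Both profiles carry the *backend server's* own
# certificate and private key (placeholder object names) and have
# proxy-ssl enabled, so the BIG-IP can derive the same session keys the
# two endpoints agree on and decrypt/re-encrypt without terminating TLS.
create ltm profile client-ssl cas_clientssl_proxy \
    defaults-from clientssl \
    cert cas_server.crt \
    key cas_server.key \
    proxy-ssl enabled

create ltm profile server-ssl cas_serverssl_proxy \
    defaults-from serverssl \
    proxy-ssl enabled

# Attach the pair in their respective contexts. Because the handshake is
# negotiated end to end, the pool member must be chosen before the
# ClientHello is forwarded: no iRules that re-select a member mid-flow.
modify ltm virtual vs_cas_443 profiles add {
    cas_clientssl_proxy { context clientside }
    cas_serverssl_proxy { context serverside }
}

save sys config
```

On the cipher caveat the answer mentions: ProxySSL can only follow a session whose keys are derivable from the server's RSA private key, so forward-secrecy key exchanges (DHE/ECDHE) negotiated by client and server cannot be proxied on these releases; if you see handshakes failing after enabling it, compare the cipher the endpoints actually agree on against what the ProxySSL documentation for your version lists as supported.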