Forum Discussion
Check for Device UID/Serial number for access to website
Hi, I am hoping someone might be able to help with this question.
Currently I have a mobile device with a standard Android app (not written by us), available for anyone to download, that, if used with the correct URL, is able to access an internal server via F5 (SSL VS) --> Apache Reverse Proxy --> Internal Webserver.
Due to changes in security, we are no longer allowed to let unmanaged devices access our internal network, even when using a Reverse Proxy.
I have tried using Client Certificates with F5, but this doesn't work with this Mobile App (I expect you have to code the app to ask for a client cert).
Is there any way to check for the device UID/Serial or any specific details for the device and only let these devices through F5?
I am currently using V11.2 LTM without the APM module.
Any help would be greatly appreciated.
3 Replies
- Could I use iRules instead to check for a client cert rather than using the SSL Profile to do this? Something like:

      # get certificate data
      when CLIENTSSL_CLIENTCERT {
          set cert [SSL::cert 0]
          set sn [X509::serial_number $cert]
          set subject [X509::subject $cert]
          set issuer [X509::issuer $cert]
          set version [X509::version $cert]
          set clientIP [IP::client_addr]
          # check Certificate common name to see if it contains the FQDN for Virtual server
          if { $subject contains "CN=FQDN" } {
              # uncomment the line below to validate that the iRule is accepting a valid certificate
              # log local0. "cert CN valid"
          } else {
              # if the certificate is not valid log client IP and reject connection
              log $clientIP
              log local0. "cert CN not valid"
              reject
          }
      }
- So I have got it roughly working if I use a browser, but the app still doesn't work, it reports the below error:

      TCL error: /Common/TMCertCheck - while executing "X509::subject $cert"

  The rule I am using is:

      # get certificate data
      when CLIENTSSL_CLIENTCERT priority 1 {
          set cert [SSL::cert 0]
          set subject [X509::subject $cert]
          set issuer [X509::issuer $cert]
          set version [X509::version $cert]
          set clientIP [IP::client_addr]
          # check Certificate common name to see if it contains the FQDN for Virtual server
          if { $subject contains "CN=MyEmailAddress" } {
              # uncomment the line below to validate that the iRule is accepting a valid certificate
              # log local0. "cert CN valid"
          } else {
              # if the certificate is not valid log client IP and reject connection
              log $clientIP
              log local0. "cert CN not valid"
              reject
          }
      }
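A hardened version of the check from the two replies above, added here as an example and not the poster's rule: it tests SSL::cert count before calling any X509 command, since an empty certificate (a client that presents nothing) is what makes X509::subject throw the TCL error shown, and it compares the extracted CN against a data group instead of substring-matching the whole subject. It assumes a clientssl profile set to require client certificates with a trusted CA bundle (so the BIG-IP verifies the chain before this event fires) and a hypothetical string data group named allowed_cert_cns.

```tcl
# Added example (not from the thread). Assumes: clientssl profile with
# "Client Certificate: require" and a Trusted CA bundle; a string data
# group "allowed_cert_cns" (hypothetical name) listing permitted CNs.
when CLIENTSSL_CLIENTCERT {
    # Guard first: with no certificate presented, SSL::cert 0 is empty and
    # X509::subject raises the "while executing" TCL error from the thread.
    if { [SSL::cert count] < 1 } {
        log local0. "no client cert from [IP::client_addr], rejecting"
        reject
        return
    }
    set cert    [SSL::cert 0]
    set subject [X509::subject $cert]
    set issuer  [X509::issuer $cert]

    # Pull out only the CN attribute; "contains CN=app" would also match
    # a subject such as "CN=app.attacker.example" or "OU=CN=app".
    set cn ""
    foreach part [split $subject ","] {
        set part [string trim $part]
        if { [string match -nocase "CN=*" $part] } {
            set cn [string range $part 3 end]
            break
        }
    }

    # Exact match against the allow-list; anything else is logged and dropped.
    if { $cn ne "" && [class match -- $cn equals allowed_cert_cns] } {
        log local0. "cert accepted: CN=$cn issuer=$issuer client=[IP::client_addr]"
    } else {
        log local0. "cert rejected: subject=$subject issuer=$issuer client=[IP::client_addr]"
        reject
    }
}
```

Anything the app reports about itself (User-Agent, a device ID header) is client-controlled and is not a substitute for a certificate the BIG-IP has verified against a trusted CA; without APM, a verified client cert is the only device identity the F5 can check.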
- SriniM_188537: Hi Nick, did your solution work? If yes, can you please share the iRule? We have the same requirement. Thanks