Forum Discussion
Client Certificate Based Authentication with Websense
Is there a way for F5 to authenticate users based on client-side certificates and pass a certificate value such as CN=username or CN=email address to a Websense appliance for user authentication and policy?
10 Replies
- Arnaud_Lemaire
Employee
Could you elaborate a little bit more on your use case and targeted architecture? Which module on BIG-IP are we talking about?
Thanks.
- Inf0s3cguru_117
Nimbostratus
On the client laptop there is a client cert used to authenticate the user to various network resources such as websites and applications. If I am using LTM to load balance a Websense Security Gateway (WSG) as a transparent web proxy, can F5 extract either the email address or the username from their client-side certificate and then pass it on to the WSG?
This is needed by websense to match the user to a user-based policy.
- Kevin_Stewart
Employee
The answer is definitively yes, but the details depend on how Websense expects to receive this information. With a standard VIP, client SSL profile, and an iRule, you can use LTM to first request, then validate a client certificate, and then send the X509 data to the back-end server. In the absence of a more robust single sign-on mechanism, though (capabilities that APM provides), you're mostly limited to sending the data in the layer 7 stream (e.g. HTTP headers). I wouldn't discount this method, however. Given that the F5 is a "trusted proxy" between users and servers, that the communication from client to F5 and (optionally) F5 to server is also SSL, and that not one single client-side packet reaches the server until the F5 has properly validated the client's certificate, it's usually a reasonably simple modification to a server application to consume HTTP headers in place of more traditional inputs.
- Inf0s3cguru_117
Nimbostratus
What would the iRule look like?
- Kevin_Stewart
Employee
A very simple implementation might look like this:
when HTTP_REQUEST {
    # Forward the full subject DN of the first client certificate to the pool member.
    # "replace" overwrites any CERTSUBJECT header the client itself sent (and adds the
    # header if it is absent), so the server only ever sees the value taken from the
    # certificate the client SSL profile validated.
    HTTP::header replace CERTSUBJECT [X509::subject [SSL::cert 0]]
}

Additional attributes can be obtained using the various X509:: commands.
- Inf0s3cguru_117
Nimbostratus
Very cool, thank you so much... How would it look if I wanted to extract the email address field from the client certificate and forward it to the WSG VIP as an X- header?
- Kevin_Stewart
Employee
Another good question. Is the email address in your client certs in the DN, or an rfc822Name SAN extension?
Hi,
To make it work, you have to consider your F5 as a forward proxy. You should configure your access profile with "user identification method" set to "IP address". It works fine in 11.5.1.
You also have to inject X-User-Authenticated and X-Forwarded-For headers and then forward traffic to WCG.
On the WCG, you should enable the "Read authentication from child proxy" option.
- Inf0s3cguru_117
Nimbostratus
The CN= userid
- Kevin_Stewart
Employee
Given a straight LTM iRules configuration, the following iRule should be able to extract the email address from the SAN rfc822Name property:
when HTTP_REQUEST {
    # Only touch the certificate if the client actually presented one
    if { [SSL::cert count] > 0 } {
        # findstr <string> <search> <skip> <terminator>: take what follows "email: "
        # in the extensions text, up to the next space, i.e. the rfc822Name SAN value
        set email [findstr [X509::extensions [SSL::cert 0]] "email: " 7 " "]
        # Forward it to the WSG as an X- header (the step the question above asks for);
        # "replace" also discards any copy of the header the client sent itself
        HTTP::header replace X-Client-Email $email
    }
}
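Putting the pieces of this thread together (validate the certificate before any payload reaches the server, then carry the CN and the rfc822Name SAN to the WSG as headers), here is an added example iRule. It is not from the original posts or from F5; the header names are illustrative, it assumes a client SSL profile that requests a client certificate and carries the trusted CA bundle, and it assumes that X509::extensions renders the rfc822Name SAN as "email:user@example.com", which should be confirmed against the output on your own BIG-IP. It also adds the check a practitioner would want: the server trusts these headers, so client-supplied copies are stripped before the certificate values are inserted.

```tcl
# Added example iRule, not from the thread or from F5. Assumes a client SSL
# profile with client certificate "require" or "request" and a trusted CA
# bundle. Header names (X-Client-Cert-*) are illustrative.

when CLIENTSSL_CLIENTCERT {
    # Fires once the client's certificate message has been processed.
    # SSL::verify_result is the OpenSSL verify code; 0 means the chain
    # validated against the CA bundle in the client SSL profile.
    if { [SSL::cert count] < 1 || [SSL::verify_result] != 0 } {
        # No usable certificate: drop the connection before any HTTP payload
        # can reach the pool member.
        reject
        return
    }

    # Connection-scoped variables; they remain available in the HTTP events.
    set cert_subject [X509::subject [SSL::cert 0]]

    # findstr <string> <search> <skip> <terminator>: the CN attribute of the
    # subject DN, up to the next comma (to end of string if CN is last).
    set cert_cn [findstr $cert_subject "CN=" 3 ","]

    # rfc822Name SAN, assumed to appear as "email:user@example.com" in the
    # extensions text (tolerates a space after the colon as well).
    set cert_email ""
    regexp {email:\s*([^\s,]+)} [X509::extensions [SSL::cert 0]] -> cert_email
}

when HTTP_REQUEST {
    # The server trusts these headers, so a client must never be able to
    # supply them itself: strip any inbound copy before inserting our own.
    HTTP::header remove X-Client-Cert-Subject
    HTTP::header remove X-Client-Cert-CN
    HTTP::header remove X-Client-Cert-Email
    HTTP::header remove X-Forwarded-For

    # A request can arrive without the certificate variables set (for example
    # when no certificate was presented and the profile only "requests" one).
    # Fail closed rather than forwarding an unauthenticated request.
    if { ![info exists cert_cn] } {
        HTTP::respond 403 content "client certificate required"
        return
    }

    HTTP::header insert X-Client-Cert-Subject $cert_subject
    HTTP::header insert X-Client-Cert-CN $cert_cn
    if { $cert_email ne "" } {
        HTTP::header insert X-Client-Cert-Email $cert_email
    }
    # Original client address, for the WSG's IP-based user identification.
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
```

Attach the iRule to the LTM virtual server that fronts the WSG pool and substitute whatever header name the gateway is configured to read (the reply above mentions X-User-Authenticated on the WCG side). The header removal in HTTP_REQUEST is the part that matters most: because the Websense policy lookup trusts the header, the only thing preventing a user from claiming another user's CN is that the F5 overwrites the header with the value from a certificate it has validated itself.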
