Forum Discussion

djoshi_103757
Oct 08, 2013

Client PC/device cert check

Everyone,

I have set up a full tunnel SSL VPN using LDAP/RSA for authentication and a Windows/FW check for the PC. I am also looking to set up a certificate check for the PC or any mobile device. The idea would be to distribute an internal SSL cert to laptops/mobile devices and have the F5 check the cert before allowing the connection, in addition to the auth/Windows and FW check. I need design guidance with the PC/mobile cert check.

Here is the current process: F5 Edge Client - URL - PC check - Authentication - Cert check - allow to resources.

Configuration side: Client SSL profile using external CA cert; VS associated with: client SSL profile, Network Access profile, Access policy.

11 Replies

  • What exactly is unclear?

    Have you read: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-config-11-4-0/apm_config_clientcert_auth.html


  • So basically I want to install a cert on the user's PC or mobile device, and I want the F5 to make sure that only a PC or mobile device with that cert can start the SSL tunnel. So the F5 would go through the PC check and would look for this cert in addition to other checks like AV software, process ID and registry key. Only after passing all these checks would it allow the SSL tunnel.

    Thanks


  • That sounds like an on-demand certificate check; how to set it up can be found in the APM manual.


    • Kevin_Stewart
      Correct, but you can use a "Client OS" check in the policy to prompt PCs for a machine cert and do something else for mobile platforms.
    • Kevin_Stewart
      Are you looking for something more than the reference Boneyard listed?
  • I have gone through the reference guide on on-demand cert and client cert inspection, but the guide doesn't provide any example.

    There is an SSL cert to encrypt data and a 2nd cert to authenticate the PC, but for now I will start testing with the machine cert for the PC.


  • I am testing the machine cert check. I installed the cert on the laptop and the root CA on the F5. ![Image Text](/Portals/0/Users/077/57/103757/machine check.png) The machinecert result returns 2. Is there a way to debug this from the F5?


  • Have you customized the Windows certificate store? If not, you should probably stick with the default "MY" value. I would also enable debug logging for APM and watch /var/log/apm while testing.
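Before chasing APM logs, it is worth confirming offline that the cert installed on the laptop actually chains to the root CA imported on the BIG-IP, since that trust relationship is what the machine-cert check depends on. The script below is an added example, not from the thread or from F5: it builds a throwaway internal root CA, issues a machine cert from it, issues a second cert from an unrelated CA, and shows which one verifies against the root. All subjects, file names and the work directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway internal root CA, a machine
# cert issued by it, and a chain check of the kind the APM machine-cert check
# relies on (root CA installed on the BIG-IP, leaf cert in the laptop's store).
# Subjects, file names and the work directory are constructed for this example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the CA carries basicConstraints CA:TRUE on any OpenSSL version
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {   # $1 = basename, $2 = CN
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_machine_cert() {   # $1 = signing CA basename, $2 = leaf basename
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=laptop01.example.internal" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# Prints "ok" if the leaf chains to our trusted root, "fail" otherwise
check_chain() {
  if openssl verify -CAfile "$WORK/rootca.crt" "$WORK/$1.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_ca rootca "Example Internal Root CA"   # the CA you would import on the BIG-IP
make_ca other  "Unrelated CA"               # stands in for a cert from the wrong issuer
issue_machine_cert rootca machine
issue_machine_cert other  rogue
echo "trusted issuer: $(check_chain machine)"   # ok
echo "other issuer:   $(check_chain rogue)"     # fail
```

To test a real deployment, run the same `openssl verify -CAfile` against the exported machine cert and the root CA file you imported on the BIG-IP; a failure there means the policy check cannot succeed either.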