Forum Discussion

awan_m
Oct 30, 2024

Datagroup with address and value

Hi - I want to do a check on F5: during the SSL handshake, extract the OU from the client certificate and validate it against the client IP.
So I created a data group with address and value.

Question: how would I match the pair of IP and OU as address and value?

Thanks


ltm data-group internal ip_allow {
    records {
        10.10.10.0/24 {
            data Prod
        }
        20.20.20.0/24 {
            data Staff
        }
    }
    type ip
}

    • awan_m

      Thanks for the reply.

      I want to match both IP and OU,

      meaning the client IP and the extracted OU must match the address and value in the data group:

      records {
              10.10.10.0/24 {
                  data Prod
              }
      }

      • zamroni777

        You need to do it in 2 steps:
        1. determine which address range the client IP address belongs to (using the above IP:addr .....; loop over the address ranges until one matches)
        2. check whether the OU matches that address range (using the data group)

    • awan_m

      It's a key pair match:

      IP and OU need to match, as they are locked to each other.

      10.10.10.0/24 IPs must have Prod, else drop.

      20.20.20.0/24 IPs must have Staff, else drop.


      • Paulius

        awan_m I believe the following will work for you, but I'm not 100% positive because I can't lab it. This assumes you intend to send it to a specific pool; if not, you can change the action in the if statement matching TEMP_OU to whatever action you would like.

        when CLIENTSSL_CLIENTCERT priority 500 {

            # release any stored data just in case
            HTTP::release

            # if there is still no cert after the SSL renegotiation kill the connection by sending a reset back to the client
            # (checked before touching SSL::cert 0, which would error on an empty chain)
            if { [SSL::cert count] < 1 } {
                reject
                return
            }

            # pull only the OU attribute out of the subject DN, e.g. "Prod" from "CN=host,OU=Prod,O=Example"
            set cert_ou [findstr [X509::subject [SSL::cert 0]] "OU=" 3 ","]

        }

        when HTTP_REQUEST priority 500 {

            # drop a route-domain suffix such as %1 before looking the address up in the data group
            set client_ip [getfield [IP::client_addr] "%" 1]

            # no client certificate was presented on this connection
            if { ![info exists cert_ou] } {
                reject
                return
            }

            if { [class match $client_ip equals ip_allow] } {

                # the value of the matching address record is the OU locked to that range
                set TEMP_OU [class match -value $client_ip equals ip_allow]

                if { ${cert_ou} equals ${TEMP_OU} } {
                    pool <pool_name>
                } else {
                    # IP range and OU do not form an allowed pair
                    reject
                }

            } else {
                reject
            }

        }
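        As an added example, not from any poster in this thread, the following Python models the two-step check zamroni777 describes (range lookup, then OU comparison) so the pairing logic can be reasoned about off the box. It uses the two records from the ip_allow data group above, assumes the subject DN arrives as a comma-separated "attr=value" string as X509::subject returns it, strips a route-domain suffix the same way the getfield call does, and treats a certificate carrying several OU attributes as allowed if any of them is the one locked to the range. The names IP_ALLOW, expected_ou, extract_ou and allow are this example's own.

```python
import ipaddress

# Constructed model of the "ip_allow" address data group from the thread:
# network -> required OU (the record's value).
IP_ALLOW = {
    ipaddress.ip_network("10.10.10.0/24"): "Prod",
    ipaddress.ip_network("20.20.20.0/24"): "Staff",
}


def strip_route_domain(addr):
    """IP::client_addr may carry a route-domain suffix (10.10.10.5%1).
    Keep only the address part, as getfield ... "%" 1 does in the iRule."""
    return addr.split("%", 1)[0]


def expected_ou(client_addr, data_group=IP_ALLOW):
    """Step 1: find the address record the client IP falls into.
    Longest-prefix match, which is how an address data group resolves
    overlapping records. Returns the required OU, or None if no record matches."""
    ip = ipaddress.ip_address(strip_route_domain(client_addr))
    best = None
    for net, ou in data_group.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ou)
    return best[1] if best else None


def extract_ou(subject_dn):
    """Pull every OU attribute out of a comma-separated subject DN such as
    'CN=host,OU=Prod,O=Example'. A list is returned because a certificate
    may carry more than one OU RDN (assumption: values contain no commas)."""
    ous = []
    for rdn in subject_dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep and key.strip().upper() == "OU":
            ous.append(value.strip())
    return ous


def allow(client_addr, subject_dn):
    """Step 2: the (IP range, OU) pair must match. Drop when the IP is outside
    every record, when no certificate/OU is present, or when the OU is not the
    one locked to that range."""
    if not subject_dn:
        return False
    required = expected_ou(client_addr)
    if required is None:
        return False
    return required in extract_ou(subject_dn)


if __name__ == "__main__":
    # constructed sample connections: (client address, subject DN)
    samples = [
        ("10.10.10.5", "CN=box1,OU=Prod,O=Example"),
        ("10.10.10.5%1", "CN=box2,OU=Staff,O=Example"),
        ("20.20.20.9", "CN=laptop,OU=Staff,O=Example"),
        ("30.30.30.1", "CN=other,OU=Prod,O=Example"),
        ("10.10.10.7", ""),
    ]
    for addr, dn in samples:
        print(addr, repr(dn), "->", "allow" if allow(addr, dn) else "drop")
```

        The separate expected_ou and extract_ou steps mirror the two class match calls and the findstr in the iRule; a mismatch in either step drops the connection, which is the "else drop" behaviour awan_m asked for.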