Forum Discussion
Datagroup with address and value
awan_m, I believe the following link is a similar rule to what you're looking for.
Selective URL client cert authentication with OU check | DevCentral
To go a bit further, do you require an IP match first or an OU match first?
- awan_m, Oct 30, 2024, Cirrostratus
It's a key-pair match.
IP and OU need to match, as they are locked to each other:
10.10.10.0/24 IPs must have Prod, else drop
20.20.20.0/24 must have Staff, else drop
- Paulius, Oct 30, 2024, MVP
awan_m, I believe the following will work for you, but I'm not 100% positive because I can't lab it. This is assuming you intend to send it to a specific pool, but if not you can change the action in the if statement matching TEMP_OU to whatever action you would like.

    when CLIENTSSL_CLIENTCERT priority 500 {
        # release any stored data just in case
        HTTP::release
        # if there is still no cert after the SSL renegotiation, kill the connection
        # by sending a reset back to the client (check before touching SSL::cert 0)
        if { [SSL::cert count] < 1 } {
            reject
            return
        }
        # full subject DN of the presented client certificate
        set cert_subject [X509::subject [SSL::cert 0]]
    }

    when HTTP_REQUEST priority 500 {
        # strip any route domain suffix (%n) before the datagroup lookup
        set client_ip [getfield [IP::client_addr] "%" 1]
        if { [class match $client_ip equals ip_allow] } {
            # datagroup value for the matching address entry; it is compared
            # against the subject string, so it must hold what X509::subject returns
            set TEMP_OU [class match -value $client_ip equals ip_allow]
            if { [info exists cert_subject] && ${cert_subject} == ${TEMP_OU} } {
                pool <pool_name>
            } else {
                reject
            }
        } else {
            reject
        }
    }
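The pairing logic the two posts above describe (address datagroup lookup, then a check that the client certificate's OU is the value stored for that address, reject otherwise) can be written down as a small reference model that runs anywhere. This is an added example, not code from the thread and not an F5 iRule: it assumes the datagroup is a map from network to required OU (the 10.10.10.0/24 and 20.20.20.0/24 entries are taken from the thread), that the address datagroup behaves like a most-specific-prefix match, that the subject DN arrives as a comma-separated RDN string, and that a route-domain suffix (%n) is stripped before lookup, as the iRule does with getfield. It also shows the subtlety the posted comparison hides: the OU has to be extracted from the subject DN before it can be compared with a bare value such as "Prod".

```python
"""Reference model of the IP/OU pairing policy (added example, not the thread's iRule)."""
import ipaddress
import re

# Constructed datagroup mirroring the thread: network -> OU required from the client cert.
IP_ALLOW = {
    ipaddress.ip_network("10.10.10.0/24"): "Prod",
    ipaddress.ip_network("20.20.20.0/24"): "Staff",
}


def strip_route_domain(client_addr):
    """Drop a BIG-IP route-domain suffix ('10.10.10.5%3' -> '10.10.10.5'), like getfield on '%'."""
    return client_addr.split("%", 1)[0]


def datagroup_match(client_addr, datagroup=IP_ALLOW):
    """Return the value of the most specific network containing the client, or None.
    Most-specific-prefix semantics are an assumption of this model."""
    addr = ipaddress.ip_address(strip_route_domain(client_addr))
    best = None
    for net, value in datagroup.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


def subject_ous(subject_dn):
    """Extract every OU value from a subject DN such as 'CN=app1,OU=Prod,O=Example'.
    Splits on commas that are not backslash-escaped and unescapes '\\,' in values."""
    ous = []
    for rdn in re.split(r"(?<!\\),\s*", subject_dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "OU":
            ous.append(value.strip().replace("\\,", ","))
    return ous


def decide(client_addr, subject_dn):
    """'allow' only when the address is in the datagroup AND the cert carries that OU.
    subject_dn is None when the client presented no certificate."""
    required_ou = datagroup_match(client_addr)
    if required_ou is None:
        return "reject"          # address not in the datagroup at all
    if subject_dn is None:
        return "reject"          # no client certificate after renegotiation
    if required_ou in subject_ous(subject_dn):
        return "allow"
    return "reject"              # address and OU are not the locked pair


if __name__ == "__main__":
    # Constructed sample requests: (client address, subject DN or None)
    samples = [
        ("10.10.10.5", "CN=app1,OU=Prod,O=Example"),
        ("10.10.10.5", "CN=app1,OU=Staff,O=Example"),
        ("20.20.20.9%3", "CN=bob,OU=Staff,O=Example"),
        ("192.168.1.1", "CN=x,OU=Prod,O=Example"),
        ("10.10.10.5", None),
    ]
    for addr, dn in samples:
        print(f"{addr:<14} {dn!s:<32} -> {decide(addr, dn)}")
```

The model deliberately returns "reject" for every case except the exact pairing, matching the "else drop" wording in the thread; a datagroup entry without a value, or an address outside both networks, never reaches the pool.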
- awan_m, Nov 04, 2024, Cirrostratus
Thanks, I will start testing it this week.