Forum Discussion
awan_m
Oct 30, 2024 Cirrostratus
Datagroup with address and value
Hi - I want to do a check on F5 during the SSL handshake: extract the OU from the certificate and validate it against the client IP. So I created a data group with address and value. Question: how would I match the...
awan_m
Cirrostratus
It's a key-pair match:
IP and OU need to match, as they are locked to each other.
10.10.10.0/24 IPs must have Prod - else drop
20.20.20.0/24 Must have Staff - else drop
Paulius
Oct 30, 2024 MVP
awan_m, I believe the following will work for you, but I'm not 100% positive because I can't lab it. This assumes you intend to send it to a specific pool; if not, you can change the action in the if statement matching TEMP_OU to whatever action you would like.
when CLIENTSSL_CLIENTCERT priority 500 {
    # release any stored data just in case
    HTTP::release
    # if there is still no cert after the SSL renegotiation kill the connection by sending a reset back to the client
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    # X509::subject returns the whole DN (e.g. CN=host,OU=Prod,O=Example), so pull out just the OU attribute
    set cert_ou [findstr [X509::subject [SSL::cert 0]] "OU=" 3 ","]
}
when HTTP_REQUEST priority 500 {
    # no certificate was collected during the handshake, so there is nothing to validate
    if { ![info exists cert_ou] } {
        reject
        return
    }
    # strip any route domain suffix (e.g. 10.10.10.5%2) before the data group lookup
    set client_ip [getfield [IP::client_addr] "%" 1]
    if { [class match $client_ip equals ip_allow] } {
        set TEMP_OU [class match -value $client_ip equals ip_allow]
        if { ${cert_ou} equals ${TEMP_OU} } {
            pool <pool_name>
        } else {
            # IP is in the data group but the certificate OU is not the one locked to that subnet
            reject
        }
    } else {
        reject
    }
}
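An offline model of the same check, added here as an example (it is not Paulius's iRule and not F5 code): it parses the certificate subject DN, pulls out the OU, and matches the client IP against a constructed stand-in for the ip_allow data group, so the IP/OU pairing policy can be exercised with test vectors before it is deployed on the BIG-IP. The names IP_ALLOW, lookup_ou_for_ip, parse_subject_dn, extract_ou and decide, and all sample IPs and subjects, are assumptions made for this example.

```python
import ipaddress

# Constructed stand-in for the BIG-IP address data group "ip_allow" from the thread:
# subnet -> the OU value that is locked to that subnet (hypothetical test data).
IP_ALLOW = {
    "10.10.10.0/24": "Prod",
    "20.20.20.0/24": "Staff",
}


def lookup_ou_for_ip(client_addr, data_group=IP_ALLOW):
    """Return the OU locked to the most specific subnet containing client_addr, or None.

    Mirrors `class match -value <ip> equals ip_allow`: the route-domain suffix that
    BIG-IP appends to IP::client_addr (e.g. "10.10.10.5%2") is stripped first.
    """
    ip = ipaddress.ip_address(client_addr.split("%", 1)[0])
    best = None
    for cidr, ou in data_group.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ou)
    return best[1] if best is not None else None


def parse_subject_dn(subject):
    """Split a comma-separated DN ("CN=host,OU=Prod,O=Example") into (attr, value) pairs.

    A backslash-escaped comma inside a value is kept as a literal comma, so a CN such as
    "evil\\,OU=Prod" cannot smuggle in a fake OU component.
    """
    parts, buf, i = [], [], 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            buf.append(subject[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def extract_ou(subject):
    """Return every OU value present in the subject DN (a DN may carry more than one)."""
    return [value for attr, value in parse_subject_dn(subject) if attr == "OU"]


def decide(client_addr, subject):
    """Apply the thread's policy: allow only when the client IP is in ip_allow AND the
    certificate carries exactly the OU locked to that subnet; otherwise drop.

    Returns (allowed, reason). Requiring exactly one OU is stricter than the iRule's
    findstr, which only looks at the first "OU=" it finds.
    """
    expected = lookup_ou_for_ip(client_addr)
    if expected is None:
        return False, "client IP not in ip_allow"
    ous = extract_ou(subject)
    if ous != [expected]:
        return False, "OU %r does not match %r locked to this subnet" % (ous, expected)
    return True, "OU=%s" % expected


if __name__ == "__main__":
    # Constructed sample client IPs and certificate subjects (not real certificates).
    samples = [
        ("10.10.10.5", "CN=app1,OU=Prod,O=Example"),
        ("10.10.10.5%2", "CN=app1, OU=Prod, O=Example"),
        ("20.20.20.7", "CN=bob,OU=Staff,O=Example"),
        ("10.10.10.5", "CN=bob,OU=Staff,O=Example"),
        ("30.30.30.1", "CN=app1,OU=Prod,O=Example"),
        ("10.10.10.9", "CN=evil\\,OU=Prod,OU=Staff,O=Example"),
    ]
    for addr, subj in samples:
        allowed, reason = decide(addr, subj)
        print("%-14s %-42s -> %s (%s)" % (addr, subj, "allow" if allowed else "reject", reason))
```

Two caveats for the real deployment. The OU comparison is only as strong as the certificate verification in front of it: unless the Client SSL profile requires a client certificate and verifies it against the trusted CA bundle, any client can present a self-signed certificate carrying OU=Prod. And X509::subject returns the whole DN, not the OU, so the iRule must pick the OU out of the subject (findstr or similar) rather than compare the full subject string with the data group value.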
awan_m Nov 04, 2024 Cirrostratus
Thanks - I will start testing it this week.