Datagroup with address and value
Hi - I want to do a check on F5:
when the SSL handshake happens, extract the OU from the certificate and validate it against the client IP.
So I created a data group with address and value.
Question: how would I match the pair of IP and OU as address and value?
Thanks
ltm data-group internal ip_allow {
    records {
        10.10.10.0/24 {
            data Prod
        }
        20.20.20.0/24 {
            data Staff
        }
    }
    type ip
}
- zamroni777 (Nacreous)
You can add logic to verify whether the client IP address belongs to an address range.
- awan_m (Cirrostratus)
Thanks for the reply -
I want to match both IP and OU,
meaning the client IP and the extracted OU match the address and value in the data group.
records {
    10.10.10.0/24 {
        data Prod
    }
- zamroni777 (Nacreous)
You need to do it in 2 steps:
1. Determine which address range the client IP address belongs to (using the above IP:addr .....; loop over the address ranges until one matches).
2. Check whether the OU matches the address range (using the data group).
awan_m, I believe the following link is a similar rule to what you're looking for.
Selective URL client cert authentication with OU check | DevCentral
To go a bit further, do you require an IP match first or an OU match first?
- awan_m (Cirrostratus)
It's a key pair match.
IP and OU need to match as they are locked to each other:
10.10.10.0/24 IPs must have Prod - else drop.
20.20.20.0/24 must have Staff - else drop.
awan_m, I believe the following will work for you, but I'm not 100% positive because I can't lab it. This is assuming you intend to send it to a specific pool, but if not you can change the action in the if statement matching TEMP_OU to whatever action you would like.
when CLIENTSSL_CLIENTCERT priority 500 {
    # if there is still no cert after the SSL renegotiation, kill the connection
    # by sending a reset back to the client (check this before touching the cert)
    if { [SSL::cert count] < 1 } {
        reject
        return
    }
    # keep only the OU attribute of the subject DN, since the data group value is the OU;
    # findstr returns an empty string when the subject carries no OU, so the compare below fails
    set cert_ou [findstr [X509::subject [SSL::cert 0]] "OU=" 3 ","]
    # release any stored data just in case
    HTTP::release
}
when HTTP_REQUEST priority 500 {
    # cert_ou only exists once CLIENTSSL_CLIENTCERT has run; treat a missing cert as a failure
    if { ![info exists cert_ou] } {
        reject
        return
    }
    # strip any route-domain suffix (%n) before the data-group lookup
    set client_ip [getfield [IP::client_addr] "%" 1]
    if { [class match $client_ip equals ip_allow] } {
        # value stored for the matching address range, e.g. Prod or Staff
        set TEMP_OU [class match -value $client_ip equals ip_allow]
        if { $cert_ou equals $TEMP_OU } {
            pool <pool_name>
        } else {
            # IP is in a known range but the OU is not the one locked to it
            reject
        }
    } else {
        # client IP is in none of the data group ranges
        reject
    }
}
- sajjadali1122 (Nimbostratus)
To match the pair of IP and OU, use an iRule during the SSL handshake. Extract the client's IP and the "OU" from the certificate. Then match the IP in your data group and check whether the stored value (OU) matches:
- Extract the client IP and OU.
- Check if the IP exists in your data group.
- Compare the stored value (OU) with the extracted OU.
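A Python model of the two-step check described in this thread (address-range lookup first, then OU-to-value comparison), added here as an illustration; it is not an iRule and not code from the thread. It emulates `class match -value` on the ip_allow data group with longest-prefix matching and assumes the subject DN is a comma-separated string such as `CN=...,OU=Prod,...`; the data-group contents are copied from the question and the sample clients are constructed.

```python
import ipaddress

# Constructed copy of the ip_allow data group from the question: CIDR -> required OU.
IP_ALLOW = {
    "10.10.10.0/24": "Prod",
    "20.20.20.0/24": "Staff",
}


def class_match_value(client_ip, data_group=IP_ALLOW):
    """Emulate `class match -value` on an address data group.

    Returns the value of the longest matching prefix, or None when the
    client address is in none of the ranges (the 'reject' case).
    """
    addr = ipaddress.ip_address(client_ip.split("%")[0])  # drop a route-domain suffix like %0
    best = None
    for cidr, value in data_group.items():
        net = ipaddress.ip_network(cidr)
        # `in` is False across IP versions, so an IPv6 client never matches an IPv4 range
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


def subject_ou(subject_dn):
    """Return the OU attribute of an X.509 subject string, or None if absent (assumed DN layout)."""
    for part in subject_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "OU":
            return value.strip()
    return None


def allow_client(client_ip, subject_dn):
    """Step 1: find the range the client is in; step 2: its stored OU must equal the cert OU."""
    required_ou = class_match_value(client_ip)
    if required_ou is None:
        return False  # unknown range: drop
    return subject_ou(subject_dn) == required_ou  # None (no OU in cert) never equals a value
```

A client in 10.10.10.0/24 presenting an OU of Staff is refused even though both the address and the OU are individually known, which is the pairing the question asks for.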
- NevaehBryant (Nimbostratus)
Thank you so much for the help.