Forum Discussion

b_carreker's avatar
b_carreker
Icon for Nimbostratus rankNimbostratus
Aug 16, 2023

DoD CAC Auth with LTM

Hello,

I am attempting to configure our F5s to require user to authenticate using their DoD CAC to gain access to our test apps behind the F5s. 

Originally, I've tried the following configuration within the SSL Client Profile, but the webpage did not display: 

Is there an iRule or another method that could resolve this? I was thinking the issue is from the SSL_CLIENT_CERT HTTP header missing, but I'm not sure. 

 

application delivery
cloud
  • PeteWhite's avatar
    PeteWhite
    Aug 17, 2023

    If you want to authenticate the user's client certificate on the BIG-IP then you use the Client SSL profile as you have done. When they connect they will be presented with a dialog box asking for a cert, if it is incorrect they will get an SSL error. This can also be done with APM which gives a nicer user experience ie it can tell them what went wrong, or you can do that with iRules.

    However, if you then want to present that client certificate to the web server then you need to work out how to do that. Essentially there are two ways - add the client cert in an HTTP header (using an iRule or policy), or present it at the SSL layer using Client Certificate Constrained Delegation (C3D) https://my.f5.com/manage/s/article/K14065425 

     

  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Aug 17, 2023

    If you want to authenticate the user's client certificate on the BIG-IP then you use the Client SSL profile as you have done. When they connect they will be presented with a dialog box asking for a cert, if it is incorrect they will get an SSL error. This can also be done with APM which gives a nicer user experience ie it can tell them what went wrong, or you can do that with iRules.

    However, if you then want to present that client certificate to the web server then you need to work out how to do that. Essentially there are two ways - add the client cert in an HTTP header (using an iRule or policy), or present it at the SSL layer using Client Certificate Constrained Delegation (C3D) https://my.f5.com/manage/s/article/K14065425 

     

  • LiefZimmerman's avatar
    LiefZimmerman
    Icon for Admin rankAdmin
    Aug 21, 2023

    b_carreker - If your post was solved it would be helpful to the community to select *Accept As Solution*.
    This helps future readers find answers more quickly and confirms the efforts of those who helped.
    Thanks for being part of our community.
    Lief

    • b_carreker's avatar
      b_carreker
      Icon for Nimbostratus rankNimbostratus
      Aug 16, 2023

      SSL is being passed to the pool members. WE're set up for SSL bridging. 443 on both ends.