F5 APM Check Domain Membership
Hi all,
When it comes to validating a computer before giving it access to the corporate network, it seems obvious and mandatory to check whether it is part of Active Directory. The way this is done on F5 APM through the VPE is to check whether or not the following Windows registry key is present and valid:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"."Domain"="example.F5.com"
Source :
https://my.f5.com/manage/s/article/K93754211
This method does the job, but in a risky way: anybody can mimic this value and get access to the internal resources with a personal device to exfiltrate / leak / steal data, which is for some organisations a very big deal.
More dangerous, these devices could be compromised .....
The question is: is there any non-fakable way (it should exist) to validate whether a computer is a member of a domain?
Thanks a lot to all of you.
Anything can be faked 😉 However, it is a bit more difficult to forge SSL certificates! Additionally, you can always revoke them individually if a device is reported stolen for instance.
Here is a good start for this:
https://my.f5.com/manage/s/article/K12354
- Azzeddine_SCirrus
Hi Whisperer,
First thanks for your reply and help.
I am also following that approach to secure the access, by building a lab as follows:
----------- Server-01
Client PC ----------- Router ----------- BIG-IP-VE ----------- Router
| ----------- Server-02
|
|
Active Directory
with CA

Client PC: Windows 10
Routers : VyOS
BIG-IP: Version 17.x
Servers : Rocky Linux with Apache
Active directory : Windows Server 2022
but I could not find good documentation about how to integrate the BIG-IP with the CA.
Have you ever succeeded in doing it?
If so, do you have any documentation to share? Thanks in advance.
- McKinleyNimbostratus
To disable TLSv1.0 and TLSv1.1 for the device SSL certificate on an F5 device, you can follow these steps:
Access the F5 device's command-line interface (CLI) using SSH or console access.
Log in with appropriate administrative credentials.
Once logged in, enter the following command to access the device's configuration utility:
tmsh
Next, run the following command to modify the device certificate's SSL profile:
modify sys ssl-cert <certificate-name> defaults-from <existing-ssl-profile>
Replace <certificate-name> with the name of the device certificate you want to modify, and <existing-ssl-profile> with the name of the SSL profile from which you want to inherit settings. This could be an existing SSL profile or a custom SSL profile you have previously created.
After executing the previous command, you will be in the context of the modified certificate. Run the following command to access the SSL profile associated with the certificate:
modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> profile
Replace <cert-key-list-name> with the name of the certificate key list associated with the device certificate.
Finally, run the following command to disable TLSv1.0 and TLSv1.1 for the device certificate:
modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> ciphers <ciphers>
Replace <ciphers> with the list of ciphers you want to use for the device certificate, excluding the ones that support TLSv1.0 and TLSv1.1. You can specify a comma-separated list of ciphers.
For example, a sample command to disable TLSv1.0 and TLSv1.1 and enable only TLSv1.2 and TLSv1.3 might look like this:
modify sys ssl-cert <certificate-name> cert-key-chain cert-key-list <cert-key-list-name> ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
Save the changes and exit the CLI.
By following these steps, you can disable TLSv1.0 and TLSv1.1 for the device SSL certificate on your F5 device. Remember to replace the placeholder values with the appropriate names and settings for your specific environment.