Forum Discussion

Mike_Ho's avatar
Mike_Ho
Icon for Cirrus rankCirrus
Mar 14, 2021

f5fpc linux client does it support client cert and username/secret auth?

I can't get the linux CLI client to log on successfully using client certificate and username/secret using a login form. Does the f5fpc linux client support authenticating with a client cert and use...
BIG-IP Access Policy Manager (APM)
f5fpc
linux
security
  • Mike_Ho's avatar
    Mike_Ho
    Mar 18, 2021

    I'll answer my own question. The answer is yes you can use client certs in conjunction with username/password auth with the f5fpc client on Linux (on x86_64 and armhf).

     

    The issue I was having (on 15.1.2.1) was as follows. The client cert check was the first step in my per-session policy. It took a lot of troubleshooting to identify that the client cert check results in the contents of session.logon.last.username and session.logon.last.password becoming empty for people using the f5fpc client! Thus my downstream RADIUS auth was failing due to the password having been lost.

     

    I fixed this by doing a custom variable assign before the client cert check, moving session.logon.last.password into a custom secure variable, passing this new variable into the RADIUS auth later. It works swell!

     

    I have a case open with F5 because this seems like a bug to me. If a KB gets issued as a result I'll do my level best to follow up here with that info. Probably nobody else is doing this, but just in case. Cheers.

Mike_Ho's avatar
Mike_Ho
Icon for Cirrus rankCirrus
Mar 18, 2021

I'll answer my own question. The answer is yes you can use client certs in conjunction with username/password auth with the f5fpc client on Linux (on x86_64 and armhf).

 

The issue I was having (on 15.1.2.1) was as follows. The client cert check was the first step in my per-session policy. It took a lot of troubleshooting to identify that the client cert check results in the contents of session.logon.last.username and session.logon.last.password becoming empty for people using the f5fpc client! Thus my downstream RADIUS auth was failing due to the password having been lost.

 

I fixed this by doing a custom variable assign before the client cert check, moving session.logon.last.password into a custom secure variable, passing this new variable into the RADIUS auth later. It works swell!

 

I have a case open with F5 because this seems like a bug to me. If a KB gets issued as a result I'll do my level best to follow up here with that info. Probably nobody else is doing this, but just in case. Cheers.