Forum Discussion

Mr_Moody's avatar
Icon for Nimbostratus rankNimbostratus
Sep 22, 2020

Help with irule for bypassing client authentication certificates by IP

Hello, I'm looking for help with an irule that will bypass the client authentication certificate for a group of ip addresses. Currently we have the client cert auth working with a client ssl profile in LTM set to require client authentication. We would like to allow certain IP addresses access to the site without client certificates.

I assume that I would need to change the ssl profile to 'request' client auth and create an irule to handle things from there. I think the logic should be something to the affect:

if ip is in data group list of IP addresses->allow access without cert

request client certificate->if valid cert presented->allow access

If no cert and not on list->deny access


Any help would be appreciated.


2 Replies

  • Hi


    You could create a second SSL profile that doesn't require client auth and then use this profile for specific IPs. There's an example here on clouddocs

  • Thank you for the response. Your answer helped me end up with the below. The key was that the ssl profile assigned to the VS had to be set to ignore.

    when HTTP_REQUEST {

      if {[HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2"} {

       if {not [matchclass [IP::remote_addr] equals NOCERT_IP_LIST]} {

        SSL::session invalidate

        SSL::authenticate always

        SSL::authenticate depth 9

        SSL::cert mode require

        set cmd "SSL::profile /Common/require_clientssl"

        eval $cmd


        event disable all