

Sep 20, 2013

iOS Mobile Client side check of certificate in APM using Edge Client

Hi, I have a working SSL/VPN that works with browsers and Edge Clients. Currently, only AD UID and PW are used for access. I'd like to change my mobile devices over to using the Edge Client with a certificate. We currently use our MDM to push the Edge Client down to the mobile device as well as a certificate.


Just having a hard time wrapping my head around the steps necessary to make this happen. For instance, how do I actually check the certificate on the mobile device? Do I somehow compare it to the certificate on the MDM server or load the certificate on the F5?


Not necessarily looking for a step by step guide (would be nice though), but more of an overall this is how it is done...


Any help with this would be most appreciated.


Thanks, Danny


3 Replies

  • Usually you do client cert auth by configuring the correct settings on the SSL profile connected to the virtual server to which the connection is set up, so that it requests a client certificate. You then select (depending on the OS used) to present the certificate, and if that certificate comes from the correct CA (configured on the SSL profile) the session continues.


    Is that enough of a start?
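As an added illustration (not from this thread, and not F5's own documentation), the BIG-IP side of what the reply above describes, in tmsh: the MDM's issuing CA is imported, a client SSL profile on the VPN virtual server requires a client certificate chained to that CA, and the result is checked. The object names (mdm-device-ca, mobile-clientssl, vpn_vs, the server cert/key file names) are assumed placeholders.

```tmsh
# 1. Import the CA that signs the certificates your MDM pushes to the devices.
#    This CA cert is what the BIG-IP checks the device certificate against;
#    the device's own certificate never has to be loaded on the BIG-IP.
#    (Path and object name are assumed.)
install sys crypto cert mdm-device-ca from-local-file /var/tmp/mdm-device-ca.crt

# 2. Client SSL profile for the VPN virtual server.
#    The shipped default is "peer-cert-mode ignore" (no client cert asked for),
#    which is what a UID/PW-only setup effectively runs with.
#    "require" aborts the TLS handshake unless the client presents a cert that
#    chains to the CA in "ca-file"; "authenticate once" checks it at session start.
#    (Server cert/key names are assumed.)
create ltm profile client-ssl mobile-clientssl \
    defaults-from clientssl \
    cert vpn.example.com.crt key vpn.example.com.key \
    peer-cert-mode require \
    ca-file mdm-device-ca.crt \
    authenticate once

# 3. Swap the profile in on the existing VPN virtual server (name assumed).
modify ltm virtual vpn_vs profiles delete { clientssl }
modify ltm virtual vpn_vs profiles add { mobile-clientssl { context clientside } }

# 4. Verify the settings that actually do the check.
list ltm profile client-ssl mobile-clientssl peer-cert-mode ca-file authenticate
save sys config
```

With "require", browser users who have no certificate will no longer complete the TLS handshake on that virtual server, so either give the mobile devices their own virtual server or use "peer-cert-mode request" and let the access policy decide what to do with sessions that present no certificate.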


  • Hi boneyard, thanks for the response. Being fairly new to the LTM/APM environment I'll need to digest this, but it sounds logical. Also, I found this document that I am reading at the moment: "BIG-IP APM and BIG-IP Edge Client for iOS 1.0.6", which was updated on 9/19/13. The document mentions "On demand VPN using a client side certificate". That sounds like what I'm trying to accomplish. Thoughts?


    Thanks, Danny


  • You mean right at the start of chapter 1? That sounds like what you want indeed.


    The rest of the document feels a bit fragmented; I don't know if I could set up what you want with it. But see how far you get, and if you get stuck just post here. In principle you just make a network connect setup in APM, which you can connect to with an Edge Client. There is more documentation out there.