Forum Discussion
Ryan_Rowe_79249
Nimbostratus
Dec 23, 2009
IP Restrict then client cert check
BigIP 8.3.3 and 8.4.1 (hopefully there is no difference)
So here is what I want to do. If an IP is in a datagroup then passthrough but if not then authenticate with an SSL cert.
I think it would look something like this:
when HTTP_REQUEST {
    if { [matchclass [IP::client_addr] equals $::IPdatagroup] } {
        # client IP is in the data group: pass through
    } elseif { [SSL::cert count] > 0 } {
        # client presented an SSL certificate: pass through
    } else {
        # neither a listed IP nor a certificate: refuse
        HTTP::respond 403 content "403 - Forbidden"
    }
}
Anyone know the best way to do this? I basically want to do cert authentication for people not in the IP group.
7 Replies
- Ryan_Rowe_79249
Nimbostratus
Here I found this:
http://devcentral.f5.com/Wiki/default.aspx/iRules/ClientCertificateCNChecking.html
In part 3 I have made this but I don't know if it will work, so my iRule would look like this:

when RULE_INIT {
    set ::debug 1
}
when CLIENTSSL_CLIENTCERT {
    # Example Subject DN: /C=AU/ST=NSW/L=Syd/O=Your Organisation/OU=Your OU/CN=John Smith
    set subject_dn [X509::subject [SSL::cert 0]]
    if { $subject_dn != "" } {
        if { $::debug } { log "Client Certificate received: $subject_dn" }
    }
}
when HTTP_REQUEST {
    if { [matchclass [IP::client_addr] equals $::IPdatagroup] } {
        # client IP is in the data group: pass through
    } elseif { [info exists subject_dn] && $subject_dn contains "CN=Company A" } {
        # accepted client certificate subject: pass through
    } else {
        HTTP::respond 403 content "403 - Forbidden"
    }
}

Would this work?
- Ryan_Rowe_79249
Nimbostratus
So this is what I did and it seems not to work... both profiles work but not the iRule.

when CLIENT_ACCEPTED {
    if { [matchclass [IP::client_addr] equals $::Test_IPs] } {
        SSL::profile NoBrowserCert
    } else {
        SSL::profile BrowserCert
    }
}
when HTTP_REQUEST {
    SSL::renegotiate
}
I got this from http://devcentral.f5.com/wiki/default.aspx/iRules/SSL__profile.html
*edit... Fixed the code, too many brackets. But I have another issue: it continues to use my NoBrowserCert when I try to switch.
- hoolio
Cirrostratus
Can you remove the HTTP_REQUEST event and retest? Also, you only need one set of square braces around matchclass. It shouldn't matter which client SSL profile you specify in the VIP config as the iRule will set it based on the client IP address check.

when CLIENT_ACCEPTED {
    if { [matchclass [IP::client_addr] equals $::Test_IPs] } {
        SSL::profile NoBrowserCert
    } else {
        SSL::profile BrowserCert
    }
}
If this doesn't work, can you clarify what happens when testing from a client in the Test_IPs class and one not in the class?
Thanks,
Aaron
- Ryan_Rowe_79249
Nimbostratus
So if I am not in the Test_IPs class it will ask for a cert, but then it will continue to pass me if I don't have one; and if I am in the class then it will just pass me through without asking for a cert. I need it to block me if I don't have a browser cert and am not in the Test_IPs class.
The BrowserCert class has client authentication set to request -> Client Certificate for the profile, because require doesn't work for me when just testing out the BrowserCert SSL profile.
*edit - I also removed the HTTP_REQUEST.
- hoolio
Cirrostratus
If you want to use this simple iRule and two client SSL profiles, you'll need to set one profile to require a client cert in order to prevent a client without a client cert from accessing the pool. I'd suggest testing the client cert profile further without the iRule. Once you get that working, then you can test the iRule and both profiles.
If you'd like help testing the client cert profile issue, can you post an anonymized copy of the clientssl profile using 'b profile clientssl PROFILE_NAME list'?
Thanks,
Aaron
- Ryan_Rowe_79249
Nimbostratus
I opened a ticket with F5 about the SSL profile and they said that they need to switch the client authorization from require to request, and that made it work. They said this: "Try changing the 'peer cert mode require' to 'peer cert mode request'."
The require option (I have been told) does not function correctly and will break client auth in a lot of circumstances.
The request mode still requires the client to auth.
But here is the output of the command:
b profile clientssl BrowserCert list
profile clientssl BrowserCert {
   defaults from clientssl
   key "Encrypt-Cert.key"
   cert "Encrypt-Cert.crt"
   ca file "Encrypt-CA.crt"
   peer cert mode require
   authenticate once
}

b profile clientssl NoBrowserCert list
profile clientssl NoBrowserCert {
   defaults from clientssl
   key "Encrypt-Cert.key"
   cert "Encrypt-Cert.crt"
   chain "Encrypt-CA.crt"
}

b profile clientssl clientssl list
profile clientssl clientssl {
   mode enable
   key "default.key"
   cert "default.crt"
   chain none
   ca file none
   crl file none
   client cert ca none
   ciphers "DEFAULT"
   modssl methods disable
   cache size 20000
   cache timeout 3600
   renegotiate period indefinite
   renegotiate size indefinite
   renegotiate max record delay 10
   handshake timeout 60
   alert timeout 60
   peer cert mode ignore
   authenticate once
   authenticate depth 9
   unclean shutdown enable
   strict resume disable
}
- hoolio
Cirrostratus
Setting the client cert mode to request is only useful if the iRule or the web application validates the client cert. If you want LTM to do this using the client SSL profile it must be set to require. If you have a case open with F5 Support, you could ask them to help you capture a tcpdump and use ssldump to troubleshoot the failure. You might also be able to get some relevant info from the /var/log/ltm log file (somewhat doubtful on this though).
If that turns into a dead end, you could use a more complicated iRule which dynamically requests and validates a client cert based on the client IP address.
Aaron
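As an added example (not code from this thread or from F5), here is one shape the "more complicated iRule" Aaron mentions could take: select the client SSL profile by IP, then enforce the certificate in the iRule instead of relying on the profile alone. It assumes the Test_IPs data group and the NoBrowserCert/BrowserCert profiles from this thread, BrowserCert configured with the CA file and "peer cert mode request", and an assumed subject match on "CN=Company A" taken from the earlier post.

```tcl
# Added example iRule: pass through listed IPs, otherwise require a client
# certificate that LTM verified against the profile's CA and whose subject
# matches. Profile and data group names are assumed from the thread.
when RULE_INIT {
    set ::cert_debug 1
}
when CLIENT_ACCEPTED {
    # Decide per connection which profile to offer, before the handshake.
    set trusted_ip [matchclass [IP::client_addr] equals $::Test_IPs]
    set cert_ok 0
    if { $trusted_ip } {
        SSL::profile NoBrowserCert
    } else {
        SSL::profile BrowserCert
    }
}
when CLIENTSSL_CLIENTCERT {
    # Fires when the client answers the certificate request; with "request"
    # mode LTM still verifies the chain, so check the result before trusting it.
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set subject_dn [X509::subject [SSL::cert 0]]
        # assumed subject pattern; adjust to the CA/organisation in use
        if { $subject_dn contains "CN=Company A" } {
            set cert_ok 1
        }
        if { $::cert_debug } {
            log local0. "cert from [IP::client_addr]: $subject_dn ok=$cert_ok"
        }
    }
}
when HTTP_REQUEST {
    # Untrusted IP with no acceptable certificate: refuse the request.
    if { !$trusted_ip && !$cert_ok } {
        if { $::cert_debug } {
            log local0. "rejected [IP::client_addr] for [HTTP::uri]"
        }
        HTTP::respond 403 content "403 - Forbidden"
        return
    }
}
```

Because the profile is set to request rather than require, the 403 in HTTP_REQUEST is what actually blocks a client without a verified certificate, which is the point Aaron makes about request mode only being useful when the iRule or application validates the cert.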