iRule for client certificate

Question

We would like to have F5 configured to not always request client certificate authentication, but to request it only when the path matches specific URL

simon_blakely · Answer

Look at SSL Renegotiation:&nbsp;WhiteBoard Wednesday: SSL Renegotiation&nbsp;&nbsp;SSL Profiles Part 6: SSL Renegotiation&nbsp;

simon_blakely · Answer

SSL::renegotiate&nbsp;provides a suitable example.

bill_at_f5 · Answer

This is a good use case for APM's "Per Request Policy" feature. You can create URL branches which require authentication and portions of the site which does not. This could also enable "step-up" authentication use cases where access to certain parts of a site could require stronger authentication.

On-Demand Cert Authentication or ODCA is an option in a Per Request Policy.

On Demand Certificate Authentication

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-authentication-methods/on-demand-certificate-authentication.html

How Step-up Authentication works:

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-per-request-policies/using-step-up-authentication/concepts-to-know-for-building-step-up-authentication/how-step-up-authentication-works.html

Step-up Authentication with Client Certificate example:

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/20.html

Forum Discussion

iRule for client certificate

Recent Discussions

AS3 Limitations

Help needed with iRule (connection closed log )

Use of SSL Decryption.

VLAN Failsafe Functionality

FTP PASV mode to Extended Passive mode

Related Content

HTTPS Routing based on Client Certificates values with F5 Distributed Cloud

Thumbprint of the client ssl certificate

Client-Certificate and IP-Whitelisting via Policy or iRule?

iRule based RADIUS Client Stack

BIG-IQ Client Certificate (PKI) Authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS