For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Yogesh_Joshi's avatar
Yogesh_Joshi
Icon for Nimbostratus rankNimbostratus
May 01, 2020

iRule for client certificate

We would like to have F5 configured to not always request client certificate authentication, but to request it only when the path matches specific URL
iRules
security
Bill_at_F5's avatar
Bill_at_F5
Icon for Employee rankEmployee
May 04, 2020

This is a good use case for APM's "Per Request Policy" feature. You can create URL branches which require authentication and portions of the site which does not. This could also enable "step-up" authentication use cases where access to certain parts of a site could require stronger authentication.

 

On-Demand Cert Authentication or ODCA is an option in a Per Request Policy.

 

On Demand Certificate Authentication

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-authentication-methods/on-demand-certificate-authentication.html

 

How Step-up Authentication works:

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-per-request-policies/using-step-up-authentication/concepts-to-know-for-building-step-up-authentication/how-step-up-authentication-works.html

 

Step-up Authentication with Client Certificate example:

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/20.html