Mac will not pass Issuer Cert to F5 APM On-Demand Cert Auth

Question

We are wanting to enable cert auth on top of AD auth in our Access Policy. Here's what the Policy looks like:&nbsp;
Logon --&gt; AD Auth --&gt; Route Domain --&gt; On-Demand Cert Auth --&gt; Client OS --&gt; Health Check --&gt; Allow&nbsp;
We create a unique user cert from our Internal CA for each of our VPN users.  The cert also includes the Issuer Cert.&nbsp;
Window computers have no problem logging in and supplying both the main user cert AND Issuer cert.&nbsp;
Macs only send the user cert.  F5 only checks to see if the Issuer Cert is valid within the user cert.  Since the Macs don't send the Issuer, they fail the On-Demand Cert Auth Item and are denied.&nbsp;
How do we get our Macs to send the Issuer cert that's associated with the user cert?&nbsp;
.&nbsp;
.&nbsp;
We are using a wildcard cert for our VPN site if that makes a difference.&nbsp;
On-Demand Cert Auth:  "expr { [mcget {session.ssl.cert.valid}] == "0" }"&nbsp;
Client Certificate: "request"
Frequency: "always"&nbsp;
Issuer Cert is installed on F5 so it is trusted and working with Windows PCs.&nbsp;

gianrico · Answer

Have you tried to change the "certificate chain traversal" setting in the client ssl profile&nbsp;
--
gianrico&nbsp;

Forum Discussion

Mac will not pass Issuer Cert to F5 APM On-Demand Cert Auth

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Illegal Metacharacter in Parameter Name in Json Data

Cisco TACACS+ Config on ISE LTM Pair

Checking for X-Forwarded-For against an Address Data-Group

SSL Bridging and FQDN rewrite Policy

How can I get started with iCall

Related Content

APM Cookbook: On-Demand VPN for iOS Devices

APM SAML IdP - SP Issuer Extraction

On Demand VPN sur iOS

F5 Friday: Domain Sharding On-Demand

F5 on demand Video – Synthesis

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS