Forum Discussion
Machine Cert Check with OCSP failure check / Fall back to CRL
Hi, running APM Edge 11.4.1, I'm trying to implement a solid SSO APM policy for a BitLocker-secured Windows 8 build which will be robust enough to work even if an OCSP responder is offline.
The background is that I want to create an SSO for Windows 8 users coming in on (1) specific IP network ranges using our corporate SOE, (2) check that their machine has a valid machine cert (OCSP check with fallback to CRL), followed by (3) a Kerberos check to ascertain that the user's Windows account is valid, and then, if all good, (4) assign them VPN access.
If all this works as planned we should have a simple (for the end user anyway) secure solution which allows our on-campus users a secure VPN tunnel via Wi-Fi without the need to manually auth until they go onto an unknown Wi-Fi AP. (The reason being that we treat our Wi-Fi network as an untrusted network, hence the need to VPN.)
Now I've got our CRL consolidation working via this script https://devcentral.f5.com/questions/automaticlly-update-crl with some tweaks.
I'm having difficulty finding how to invoke a machine cert check with an iRule which allows CRL failover. The APM OOTB Machine Cert Checker policy doesn't quite cut it in regards to the fallback requirement.
I have found this link https://devcentral.f5.com/questions/ocsp-with-crl-fallback but this seems to only apply to client SSL certs. Is there another event I can call that would do the same checks for a machine cert?
I am also having limited success getting Kerberos to work consistently; however, I think this is due to some "helpful" DC issues and IE11 "features".
Any suggestions / help would be appreciated.
Thanks
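A worked illustration of the fallback semantics the original poster is after, added here as an example and not code from this thread, F5 or APM: OCSP is consulted first, the CRL only when OCSP cannot give a definitive answer, and a CRL that is stale or not signed by the issuing CA fails closed rather than open. The OCSP responder is an assumed plain callable (a stand-in for the APM OCSP agent) so the script runs offline; the CA, machine certs and CRLs are constructed inside the script with the `cryptography` package and are not real certificates.

```python
# Added example, not F5 APM, iRule or DevCentral code: an OCSP-first
# revocation check that falls back to a CRL, and fails closed when the CRL
# is unverifiable or stale. Assumption: the OCSP responder is a plain
# callable so this runs offline; the CA, certs and CRLs are constructed here.
from __future__ import annotations
import datetime as dt
import enum
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


class Status(enum.Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # no usable answer; must never be treated as GOOD


class OCSPUnavailable(Exception):
    """Responder offline, timed out, or its reply could not be validated."""


def _utc(d: dt.datetime) -> dt.datetime:
    return d if d.tzinfo else d.replace(tzinfo=dt.timezone.utc)


def crl_status(cert, crl, issuer_cert, now) -> Status:
    """Look the cert up in the CRL. Wrong issuer, bad signature or a CRL past
    its nextUpdate (e.g. the consolidation job died) -> UNKNOWN, not GOOD."""
    if crl.issuer != issuer_cert.subject:
        return Status.UNKNOWN
    if not crl.is_signature_valid(issuer_cert.public_key()):
        return Status.UNKNOWN
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update
    if next_update is not None and _utc(next_update) < now:
        return Status.UNKNOWN
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return Status.REVOKED
    return Status.GOOD


def check_revocation(cert, issuer_cert, responder, crl, now):
    """OCSP first; consult the CRL only when OCSP gives no definitive answer
    (unreachable or 'unknown'). Returns (Status, which source decided)."""
    try:
        verdict = responder(cert)
        if verdict in (Status.GOOD, Status.REVOKED):
            return verdict, "ocsp"
    except OCSPUnavailable:
        pass
    return crl_status(cert, crl, issuer_cert, now), "crl"


def build_fixtures(now):
    """Constructed test PKI (not real certs): CA, good cert (serial 1001),
    revoked cert (serial 1002), a fresh CRL and a stale CRL."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Machine CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - dt.timedelta(days=1))
               .not_valid_after(now + dt.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))

    def leaf(cn, serial):
        key = ec.generate_private_key(ec.SECP256R1())
        return (x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
                .issuer_name(ca_name).public_key(key.public_key()).serial_number(serial)
                .not_valid_before(now - dt.timedelta(days=1))
                .not_valid_after(now + dt.timedelta(days=30))
                .sign(ca_key, hashes.SHA256()))

    def crl(next_update):
        entry = (x509.RevokedCertificateBuilder().serial_number(1002)
                 .revocation_date(now - dt.timedelta(hours=1)).build())
        return (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
                .last_update(now - dt.timedelta(hours=2)).next_update(next_update)
                .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))

    return (ca_cert, leaf("PC-GOOD", 1001), leaf("PC-REVOKED", 1002),
            crl(now + dt.timedelta(days=1)), crl(now - dt.timedelta(minutes=5)))


# Simulated responders (assumption: stand-ins for the APM OCSP agent).
def ocsp_online(cert):
    return Status.REVOKED if cert.serial_number == 1002 else Status.GOOD

def ocsp_offline(cert):
    raise OCSPUnavailable("connect timeout")

def ocsp_unknown(cert):
    return Status.UNKNOWN


def demo():
    now = dt.datetime.now(dt.timezone.utc)
    ca, good, bad, fresh, stale = build_fixtures(now)
    return {
        "online_good": check_revocation(good, ca, ocsp_online, fresh, now),
        "online_revoked": check_revocation(bad, ca, ocsp_online, fresh, now),
        "offline_good": check_revocation(good, ca, ocsp_offline, fresh, now),
        "offline_revoked": check_revocation(bad, ca, ocsp_offline, fresh, now),
        "offline_stale_crl": check_revocation(good, ca, ocsp_offline, stale, now),
        "unknown_then_crl": check_revocation(bad, ca, ocsp_unknown, fresh, now),
    }


if __name__ == "__main__":
    for case, (status, source) in demo().items():
        print(f"{case:18} -> {status.value:8} via {source}")
```

The stale-CRL branch is the one worth carrying into whatever policy object or iRule ends up doing the check: if the consolidated CRL produced by the cron job stops refreshing, a check that only tests membership would silently pass revoked machines, whereas testing nextUpdate against the clock turns that outage into a deny rather than an allow.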
7 Replies
- I believe that, except for how Windows uses them, there is no difference between client and machine certificates. Have you tried to make this work with the iRules that work for "client" certificates?
- Brent_J
Nimbostratus
Thanks for the reply, boneyard. I haven't been able to find a way to specify via iRule to request the machine cert. The only option appears to be to request the client cert. The machine cert seems to require you to define the location of the cert, i.e. in the MY / LocalMachine certificate store, etc.
Will raise a case with support and report findings here if they come back with anything.
Thanks again.
- amolari
Cirrostratus
Hi Brent. Got any update from support? Raised an RFE? Thanks, Alex
- Brent_J
Nimbostratus
Have asked for an RFE to be raised. It has been a bit tardy on the response so far. Just answering their questions from PD regarding why this would be a good idea, so hopefully I'll get an RFE reference soon. Also, there doesn't seem to be any way of requesting a machine cert at this time via iRule. Only user certs are currently supported, which is frustrating.
Regards, Brent
- vandenhoutenp_9
Nimbostratus
Hi Brent, I'm trying to do something similar. We don't have an OCSP responder available; is there an easy way to use a static CRL or the CRLDP in the machine cert to check the revocation status? I've tried a standard CRLDP check in the access policy directly after the machine cert auth check, but this seems to revert to the client/user certificate that is presented at the start of the access policy. Thanks, Peter
- amolari
Cirrostratus
You can use a static/local CRL. Just configure the CA profile (the same as for client certificates / SSL profiles) and set it in the MachineCert VPE object.