Forum Discussion
eric_156978
Cirrus
Mar 30, 2015
On-Demand Cert Auth Error Capturing
Hi,
I have an F5 terminating SSL and an access policy that uses "On-Demand Cert Auth" to get a client certificate, validate it, and authenticate it against an Active Directory server.
This...
kunjan_118660
Cumulonimbus
Mar 30, 2015
You can have a 'logging' agent in the fallback path to log session.ssl.cert.valid and modify the 'Edit Endings' in the VPE to present a customized error page.
Or you can have an iRule give a more custom response using ACCESS::respond
when ACCESS_POLICY_COMPLETED {
    # Result of the access policy for this session
    set policy_result [ACCESS::policy result]
    switch $policy_result {
        "allow" {
            # Do nothing
        }
        "deny" {
            # Return a custom 401 body and close the connection
            ACCESS::respond 401 content "Error: Failure in Authentication" Connection Close
        }
    }
}
eric_156978
Cirrus
Mar 31, 2015
Hi kunjan,
Thanks for the info. I didn't realize "ACCESS::respond" existed, I think that's what I'll end up using.
I tried putting your iRule in place, but I can't seem to get it to respond properly or confirm that it is being processed.
Steps:
1. Open a new browser session incognito so no cookies/ssl persistence exists.
2. Get prompted for a certificate, purposefully hit cancel to not select client certificate.
3. IE: Page cannot be displayed. Chrome: ERR_CONNECTION_RESET
I've tried a few different methods to capture the failure, but every time I try a respond iRule, it seems like the SSL connection bombs out and the page won't present content.
The first step in my access policy is an "on demand cert auth" and if it fails, it goes to "deny".
Would there be something that needs to be adjusted with the access policy to allow those errors to be captured/handled?