On-demand cert authentication - how is the client cert validated?
There are two things to keep in mind when talking about APM On-Demand Certificate authentication:

- ODCA performs an SSL renegotiation, i.e. it issues a TLS HelloRequest message to the client. The new TLS handshake then includes a CertificateRequest message from the server to get the client's certificate. The "Request" and "Require" options in the ODCA agent indicate how APM validates the client's certificate. The Request selection causes a "fail open" condition if the client doesn't present a certificate or validation fails. The Require selection causes a "fail closed" condition if the certificate isn't presented and/or cannot be validated.

- Certificate evaluation (i.e. expiration, validation, trust, and optionally revocation) is still controlled entirely by the client SSL profile. As a general rule you should configure the client SSL profile exactly as you would for direct LTM-only mutual PKI authentication, but set the Client Authentication option to "Ignore", as APM will set that in the renegotiation.
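As an added illustration of the second point (this is not part of the original post), the following tmsh commands build a client SSL profile prepared for ODCA: every validation control stays on the profile, only the certificate request is left to the ODCA agent. Profile name, certificate, key, CA bundle and CRL object names are placeholders, and the CA bundle and CRL are assumed to have been imported already.

```tmsh
# Assumed to exist already: server.crt / server.key (server identity),
# my-client-ca.crt (CA bundle the client certs chain to), my-client-ca.crl.

# Not what the post recommends: letting the profile itself request the
# certificate. With ODCA on the access policy the request belongs to the
# agent, whose Request/Require setting decides fail-open vs fail-closed.
#   tmsh modify ltm profile client-ssl odca-clientssl peer-cert-mode require

# Recommended: peer-cert-mode ignore (APM sets it in the renegotiation),
# but trust anchor, chain depth and revocation configured exactly as for
# LTM-only mutual TLS, because the profile still does the evaluation.
tmsh create ltm profile client-ssl odca-clientssl \
    defaults-from clientssl \
    cert-key-chain add { default { cert server.crt key server.key } } \
    peer-cert-mode ignore \
    ca-file my-client-ca.crt \
    crl-file my-client-ca.crl \
    authenticate-depth 2

# Check: a profile that shows "ignore" but no ca-file will accept any
# certificate the ODCA agent obtains, so confirm all of these are set.
tmsh list ltm profile client-ssl odca-clientssl \
    peer-cert-mode ca-file crl-file authenticate-depth
```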