Forum Discussion
On-Demand certificate authentication
I have an APM policy that uses On-Demand certificate authentication (smartcard).
Windows 8 and 10 clients always authenticate without problem with IE11 or Chrome. Some Windows 7 SP1 clients can authenticate, and some do not even get a certificate prompt. The same Win7 computers with the same smartcard can authenticate to other sites that request a smartcard.
This is the log from the APM event log:
Access_Profile=/Access/Com_Auth_Apps_Portal;Partition=Access;Session_ID=b64a0179;Client_IP=100.219.226.2;State=Tel Aviv;Country=IL;Continent=AS;Virtual_IP=172.126.50.12;Listener=/Access/Portal_Com_VS;Reputation=Unknown;"
Access_Profile=/Access/Com_Auth_Apps_Portal;Partition=Access;Session_Id=b64a0179;Policy_Rule_Caption=fallback;Current_Node=On-Demand Cert Auth;Next_Node=Deny;"
Access/Com_Auth_Apps_Portal;Partition=Access;Session_Id=b64a0179;Access_Policy_Result=Logon_Deny;"
Client_Hostname=;Client_Type=IE;Client_Version=11;Client_Platform=Win7;Client_CPU=WOW64;Client_UI_Mode=Full;Client_JS_Support=1;Client_Activex_Support=1;Client_Plugin_Support=0;"
I thought of Windows updates and tried to compare the updates on a computer that works vs. one that does not; there were a lot of updates that do not exist on the working Win7 computer. I tried to remove some, without luck. Maybe someone knows if there is a known issue about this problem? Maybe it is a cipher issue in the SSL client profile?
Any help will be appreciated.
Thanks,
Aviv Hassidim
3 Replies
- amolari
Cirrostratus
Hi
I think the only way to troubleshoot this is a tcpdump. Look at whether the SSL handshake gets to the point where the BIG-IP asks for client cert auth. If it does and you do not see the client presenting a certificate, verify whether there is any issue with the certificate propagation to the user cert store.
Alex
- Aviv
Cirrus
The problem was that my cert has a different Advertised Certificate Authority than the other user cert, and when I changed the Advertised Certificate Authorities certificate in the SSL client profile to match the other user cert, it works. Now I want coexistence of Advertised Certificate Authorities, I mean to have 2 Advertised Certificate Authorities for the same SSL client profile to support both smartcards. How can I do it?
Thanks, Aviv Hassidim
- amolari
Cirrostratus
You can bundle them (append/paste the 2 certificates) when creating a certificate in the SSL certificate GUI menu.
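As an added illustration of the bundling step (this is not code from the thread or from F5), the Python below concatenates two CA certificates into one PEM bundle of the kind the Advertised Certificate Authorities setting takes, and rejects the usual paste mistakes: a missing block, a truncated or over-long base64 body, or the same CA pasted twice. The two input certificates are constructed placeholders (minimal DER SEQUENCEs), not real CA certificates.

```python
import base64
import re

# Constructed sample input (not real CA certificates): each body is the base64 of a
# minimal DER SEQUENCE, enough to exercise the checks below without a network.
CA_A_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CA_B_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_pem_certs(text):
    """Return the base64 body (whitespace removed) of every CERTIFICATE block."""
    return [re.sub(r"\s+", "", m) for m in _PEM_RE.findall(text)]

def der_is_complete(der):
    """True if der is one DER SEQUENCE whose declared length matches its size;
    a truncated or over-long paste fails this, the usual bundling mistake."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                  # short-form length
        hdr, length = 2, first
    else:                             # long-form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def build_ca_bundle(*pem_texts):
    """Concatenate CA certificates into one PEM bundle, rejecting malformed
    blocks and dropping duplicates, so every CA is advertised exactly once."""
    seen, out = set(), []
    for text in pem_texts:
        bodies = split_pem_certs(text)
        if not bodies:
            raise ValueError("no CERTIFICATE block found")
        for body in bodies:
            der = base64.b64decode(body, validate=True)
            if not der_is_complete(der):
                raise ValueError("malformed or truncated certificate block")
            if body in seen:
                continue
            seen.add(body)
            wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            out.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return "".join(out)
```

After importing the bundle and selecting it in the client SSL profile, `openssl s_client -connect host:443` lists what the virtual server now advertises under "Acceptable client certificate CA names", which should show both CAs.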