William_Them_99
Nimbostratus
Jun 15, 2005

Redirect after when AUTH_FAILURE

We have iRules to handle authentication of client cert attributes against an LDAP tree. Right now, when the user fails to authenticate with LDAP, the code does this:

    when AUTH_FAILURE {
      if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
        reject
      }
    }


This results in a default "This Page Cannot Be Displayed" error in Internet Explorer. We would rather have the user be redirected to a page that can inform them of why they cannot access the requested resource.

Since I can't place the HTTP::uri "mypage.html" within the when AUTH_FAILURE statement, how can this be accomplished?

Thanks for the help.
  • This is our Auth rule:

     when CLIENTSSL_CLIENTCERT {
       set issuer [X509::issuer [SSL::cert 0]]
       if {$issuer contains "Verisign"} {
         log local0. "Issuer is $issuer"
         log local0. "Setting to profile test_ldap Verisign"
         set myprofilename "test_ldap_profile"

         set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam $myprofilename]
         AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
         AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
         SSL::handshake hold
       }
     }

     when AUTH_SUCCESS {
       log local0. "auth_success"
       if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
         SSL::handshake resume
       }
     }

     when AUTH_FAILURE {
       if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
         reject
       }
     }

     when AUTH_WANTCREDENTIAL {
       if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
         reject
       }
     }

     when AUTH_ERROR {
       if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
         reject
       }
     }


    With more logging, I found that when a user comes in with a client certificate that is not in the LDAP, none of the AUTH_FAILURE, AUTH_WANTCREDENTIAL, or AUTH_ERROR events seem to be firing... I didn't see any of my log statements in /var/log/ltm other than the default "pam_authenticate: 6 AUTH: Permission denied" messages.

    So maybe I need to put this HTTP::respond thing somewhere else?
    unRuleY_95363
    Historic F5 Account
    Perhaps you want to add it as an "else" clause after the "if { $issuer contains "Verisign" } {...}"?
  • I have picked up where Bill left off and still cannot get this to work.

    The AUTH_FAILURE does fire (I'm not sure if it is because I turned on mod SSL), but when I tried adding the HTTP respond to the AUTH_FAILURE event I get an "operation not supported" in the log. HTTP::redirect and HTTP::uri will not even get saved after updating the iRules. I have also tried setting flags as seen in numerous other appends, but the setting does not get carried outside the AUTH event. I can see the variable get set in the AUTH event, but by the time the next event hits, the value is not what it was set to inside the AUTH event (for both successes and failures). I have queried the value in numerous events but it never is the one set in the AUTH event. I was going to try AUTH::status but did not know how to get the authid. When I tried adding AUTH::last_event_session_id inside the HTTP_REQUEST I received an error in the log. This is the current iRule on the server (we have CLIENTSSL_CLIENTCERT events in the AUTH profiles).

     when AUTH_SUCCESS {
       log local0. "auth_success"
       set auth_code 0
       if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
         SSL::handshake resume
       }
     }

     when AUTH_FAILURE {
       log local0. "auth_failure"
       set auth_code 1
       if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
         log local0. "auth_failure - reject, auth_code is $auth_code"
         reject
         HTTP::respond 303 content http://myhost/Errors/AuthenticationFailed.html
       }
     }

     when AUTH_WANTCREDENTIAL {
       log local0. "auth_wantcredential"
       if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
         reject
       }
     }

     when AUTH_ERROR {
       log local0. "auth_error"
       if {$tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id]} {
         reject
       }
     }

     when HTTP_REQUEST {
       log local0. "in http request, auth_code is $auth_code"
       if {$auth_code eq 1} {
         log local0. "Found Error in http request"
         HTTP::redirect http://myhost/Errors/AuthenticationFailed.html
       }
     }
    Tao_Liu_90341
    Historic F5 Account
    That is because client cert auth happened before HTTP was active. You may have to postpone auth; try replacing CLIENTSSL_CLIENTCERT with HTTP_REQUEST if this delay is acceptable.

    Also replace "SSL::handshake hold" with HTTP::collect, and replace "SSL::handshake resume" with HTTP::release.
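    The thread's rule restructured along the lines of the reply above, as an added example (not Tao Liu's, the original poster's, or F5's code): the LDAP lookup is started from HTTP_REQUEST, the request is parked with HTTP::collect instead of SSL::handshake hold, and because HTTP is active by then, the AUTH events can answer with HTTP::redirect / HTTP::respond instead of a bare reject. The profile name "test_ldap_profile" and the error page URL come from the thread; it is assumed that the clientssl profile requests a client certificate so that SSL::cert 0 is populated in HTTP_REQUEST, that HTTP::redirect is accepted inside AUTH_FAILURE while a collect is pending, and that the variable name auth_sid is a free choice. Every non-success outcome (failure, want-credential, error, missing certificate, untrusted issuer) ends in a deny so the rule fails closed.

```tcl
# Added example, not code from the thread or from F5.
# Assumed setup: HTTPS virtual server with an HTTP profile and a clientssl
# profile that requests a client certificate; PAM/LDAP profile name and
# error page URL are the ones quoted in the thread.

when HTTP_REQUEST {
    # Fresh state for every request on the connection.
    set auth_sid ""
    set issuer ""

    # No certificate presented: deny rather than let the request through.
    if {[SSL::cert count] == 0} {
        HTTP::respond 403 content "No client certificate presented" "Content-Type" "text/plain"
        return
    }

    set issuer [X509::issuer [SSL::cert 0]]
    if {$issuer contains "Verisign"} {
        # Same AUTH sequence as the thread's CLIENTSSL_CLIENTCERT block,
        # but the request (not the TLS handshake) is what gets held.
        set auth_sid [AUTH::start pam "test_ldap_profile"]
        AUTH::cert_credential $auth_sid [SSL::cert 0]
        AUTH::authenticate $auth_sid
        HTTP::collect
    } else {
        # Untrusted issuer for this resource: explain instead of dropping the connection.
        log local0. "Untrusted issuer $issuer, sending error page"
        HTTP::redirect "http://myhost/Errors/AuthenticationFailed.html"
    }
}

when AUTH_SUCCESS {
    if {$auth_sid eq [AUTH::last_event_session_id]} {
        log local0. "LDAP lookup succeeded for issuer $issuer, releasing request"
        # Replaces SSL::handshake resume.
        HTTP::release
    }
}

# HTTP is active at this point, so an HTTP response is permitted here; this is
# the spot where the thread's CLIENTSSL_CLIENTCERT-based rule got
# "operation not supported".
when AUTH_FAILURE {
    if {$auth_sid eq [AUTH::last_event_session_id]} {
        log local0. "LDAP lookup failed for issuer $issuer, sending error page"
        HTTP::redirect "http://myhost/Errors/AuthenticationFailed.html"
    }
}

when AUTH_WANTCREDENTIAL {
    if {$auth_sid eq [AUTH::last_event_session_id]} {
        log local0. "Auth backend asked for more credentials, denying"
        HTTP::respond 403 content "Authentication required" "Content-Type" "text/plain"
    }
}

when AUTH_ERROR {
    if {$auth_sid eq [AUTH::last_event_session_id]} {
        # Backend problem (LDAP unreachable, PAM misconfiguration): fail closed,
        # and use 503 so monitoring can tell it apart from a real failed lookup.
        log local0. "Authentication error for issuer $issuer"
        HTTP::respond 503 content "Authentication service unavailable" "Content-Type" "text/plain"
    }
}
```

    Two points worth keeping in mind when deploying a rule shaped like this: the check now runs per HTTP request rather than once per TLS session, which is the delay the reply refers to, and the AUTH_ERROR branch deliberately does not redirect to the same page as AUTH_FAILURE, so a backend outage shows up in the logs and in status codes as something other than a user who is simply not in the directory.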