Forum Discussion
William_Them_99
Nimbostratus
Jun 15, 2005
Redirect after when AUTH_FAILURE
We have iRules to handle authentication of client cert attributes against an LDAP tree. Right now, when the user fails to authenticate with LDAP, the code does this:
when AUTH_F...
William_Them_99
Nimbostratus
Jun 15, 2005
This is our Auth rule:
when CLIENTSSL_CLIENTCERT {
    set issuer [X509::issuer [SSL::cert 0]]
    if { $issuer contains "Verisign" } {
        log local0. "Issuer is $issuer"
        log local0. "Setting to profile test_ldap Verisign"
        set myprofilename "test_ldap_profile"
        # Start a PAM/LDAP auth session for this client cert and hold the SSL
        # handshake until one of the AUTH_* events reports the result.
        set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam $myprofilename]
        AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
        AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
        SSL::handshake hold
    }
}
when AUTH_SUCCESS {
    log local0. "auth_success"
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        SSL::handshake resume
    }
}
when AUTH_FAILURE {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}
when AUTH_WANTCREDENTIAL {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}
when AUTH_ERROR {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        reject
    }
}
With more logging, I found that when a user comes in with a client certificate that is not in the LDAP, none of the AUTH_FAILURE, AUTH_WANTCREDENTIAL, or AUTH_ERROR events seem to be firing. I didn't see any of my log statements in /var/log/ltm other than the default "pam_authenticate: 6 AUTH: Permission denied" messages.
So maybe I need to put this HTTP::respond thing somewhere else?
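One way to answer a failed LDAP check with a redirect rather than a TCP reject, as an added example that is not part of the original post: because the handshake is held while the LDAP session runs, no HTTP_REQUEST event can fire until it is resumed, so the failure handlers resume it and mark the connection, and HTTP_REQUEST then sends the 302 before any pool member is selected. The profile name mirrors the one in the post; the redirect URL is a placeholder.

```tcl
# Added example, not the original poster's rule. Profile name and redirect
# URL are placeholders to be replaced with the real ones.
when CLIENT_ACCEPTED {
    # Connection-local state read by HTTP_REQUEST once the handshake is done.
    set auth_failed 0
    set tmm_auth_ssl_cc_ldap_sid ""
}
when CLIENTSSL_CLIENTCERT {
    set issuer [X509::issuer [SSL::cert 0]]
    if { $issuer contains "Verisign" } {
        set tmm_auth_ssl_cc_ldap_sid [AUTH::start pam test_ldap_profile]
        AUTH::cert_credential $tmm_auth_ssl_cc_ldap_sid [SSL::cert 0]
        AUTH::authenticate $tmm_auth_ssl_cc_ldap_sid
        # Hold the handshake until the LDAP result arrives. No HTTP_REQUEST
        # event fires while it is held, so a redirect cannot be sent from here.
        SSL::handshake hold
    }
}
when AUTH_SUCCESS {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        SSL::handshake resume
    }
}
when AUTH_FAILURE {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        # Finish the handshake so the client can send a request, but mark
        # the connection so that request never reaches the pool.
        set auth_failed 1
        SSL::handshake resume
    }
}
when AUTH_WANTCREDENTIAL {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        set auth_failed 1
        SSL::handshake resume
    }
}
when AUTH_ERROR {
    if { $tmm_auth_ssl_cc_ldap_sid eq [AUTH::last_event_session_id] } {
        set auth_failed 1
        SSL::handshake resume
    }
}
when HTTP_REQUEST {
    if { $auth_failed } {
        # Fail closed: answer with the placeholder denied page, select no pool member.
        HTTP::respond 302 Location "https://denied.example.invalid/auth-failed.html"
    }
}
```

Treat the unknown-certificate case the same way once the events do fire: every non-success AUTH_* path sets the flag, so a request on that connection is only ever answered with the redirect.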