Forum Discussion
Restrict access to virtual server by IP address and client certificate authentication
I am currently implementing F5 LTM.
I want to restrict access to the virtual server by IP address and client certificate authentication.
If the client's IP is not in the address list, then the client can use client certificate authentication.
Is it possible?
Thanks.
- Prakin
Cirrus
Hi,
You can make use of iRules to identify the client IP address from the configured data group list and prevent those clients from accessing the VS.
Add to that iRule a switch of the client SSL profile to one that requires client certificate authentication if the IP is not on the list, and you have what you want. It isn't something you can just configure in the GUI; it will require some iRule code and different profiles.
- Carl_20170911
Nimbostratus
I have tried the following iRule, but it does not work.
when CLIENT_ACCEPTED {
    # EISAllow is an address-type data group of trusted client IPs/subnets.
    # A client SSL profile must already be attached to the virtual server;
    # SSL::enable is not needed here, and SSL::profile has to run before the
    # handshake starts, which is why it sits in CLIENT_ACCEPTED.
    if { ! [class match [IP::client_addr] equals EISAllow] } {
        log local0. "Client IP [IP::client_addr] not in EISAllow; requiring client certificate"
        SSL::profile Client_Cert_Auth_Policy
        #drop
    }
}
You would enable a profile with SSL client auth by default, not enable it in the iRule.
- nolipineda
Altostratus
Is it possible to extend this solution to restrict access to specific client certificates?
With iRules everything is possible :)
If your client certificates contain a certain CN, you can request that and compare it with a list of allowed ones.
There should be enough examples around of how to do this.
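The complete design the thread converges on, written out as an added example rather than code from any of the posters: clients whose source address matches an allow-list data group pass through on the virtual server's default client SSL profile (which does not ask for a certificate); everyone else is switched to the certificate-requiring profile, and their certificate must validate against the profile's trusted CA and carry a CN found in a second data group. It assumes the address data group EISAllow and the client SSL profile Client_Cert_Auth_Policy from the discussion, plus a hypothetical string data group allowed_client_cns, and that Client_Cert_Auth_Policy has client authentication set to "request" (so the iRule, not the SSL stack, decides what to do when no certificate arrives) with a trusted CA bundle configured.

```tcl
# Added example, not code from the thread. Assumes:
#   EISAllow            - address data group of trusted client IPs/subnets
#   allowed_client_cns  - string data group of permitted certificate CNs (hypothetical)
#   Client_Cert_Auth_Policy - client SSL profile, client auth = "request", trusted CA set
# The virtual server's default client SSL profile is assumed NOT to ask for a cert.

when CLIENT_ACCEPTED {
    set need_cert 0
    if { ! [class match [IP::client_addr] equals EISAllow] } {
        set need_cert 1
        log local0. "Client [IP::client_addr] not in EISAllow, switching to cert-auth profile"
        # The profile switch must happen before the TLS handshake begins,
        # so CLIENT_ACCEPTED is the right event for it.
        SSL::profile Client_Cert_Auth_Policy
    }
}

when CLIENTSSL_CLIENTCERT {
    # Fires once the certificate request phase of the handshake completes.
    # Allow-listed IPs stay on the default profile and are not asked for a cert,
    # so only clients we switched are subject to the checks below.
    if { $need_cert == 0 } {
        return
    }

    # No certificate presented: with client auth = "request" the handshake
    # would otherwise continue, so the iRule has to close the connection.
    if { [SSL::cert count] < 1 } {
        log local0. "Client [IP::client_addr] presented no certificate, rejecting"
        reject
        return
    }

    # Chain validation result from the profile's trusted CA bundle; 0 means OK.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client [IP::client_addr] certificate failed validation (code [SSL::verify_result]), rejecting"
        reject
        return
    }

    # Restrict to specific certificates by CN. The regexp stops at either ','
    # or '/' so it copes with both subject string formats BIG-IP has produced.
    set subject [X509::subject [SSL::cert 0]]
    set cn ""
    if { ! [regexp {CN=([^,/]+)} $subject match cn] || ! [class match $cn equals allowed_client_cns] } {
        log local0. "Client [IP::client_addr] cert CN '$cn' not in allowed_client_cns, rejecting"
        reject
        return
    }

    log local0. "Client [IP::client_addr] authenticated with cert CN '$cn'"
}
```

Two points worth checking on a real deployment: the CN match is an exact equals against the data group, so a leaf certificate from the trusted CA with a different CN is still refused, and because the CN is only consulted after SSL::verify_result is 0, an attacker cannot satisfy the CN check with a self-signed certificate that merely copies an allowed name.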