Forum Discussion

Tamer_Ezzat_235's avatar
Tamer_Ezzat_235
Icon for Nimbostratus rankNimbostratus
Jan 25, 2016

SSL profile USB-token to authenticate the clients

Hi all,   How to configure SSL client profile for USB-token to authenticate the clients on /admin directory only ?   https://www.example.com/admin   I mean I need to authenticate the clients...
application delivery
LTM
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 25, 2016

Hi Tamer,

You may take a look to the links below. The links are showing you the needed syntax to overwrite the configured SSL-Profile settings to require Auth/Client-Certs on a request basis, and to re-negotiates the SSL connection on the fly...

https://devcentral.f5.com/articles/selective-client-cert-authentication

https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx

A sample iRule would look like that...

when CLIENTSSL_HANDSHAKE { 
    if { [SSL::cert count] == 0 } { 
        log -noname local0.debug "Client cert is not OK; rejecting TCP connection." 
        reject
    } else {
        log -noname local0.debug "Client cert is OK; releasing HTTP request." 
        HTTP::release 
    }
}
when HTTP_REQUEST {
    if { [string tolower [[HTTP::uri]] starts_with "/admin" } then {
        log -noname local0.debug "Certificate required for: [HTTP::uri]" 
        if { [SSL::cert count] == 0} { 
            log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..." 
            HTTP::collect 
            SSL::authenticate always 
            SSL::authenticate depth 9 
            SSL::cert mode require 
            SSL::renegotiate 
        }
    }
}

Note: Once the functionality is verified, you may remove/comment the 

[log]
commands.

Cheers, Kai