For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Apr 08, 2021

using step up auth to client cert want to insert cert into header

So i have a VS where you have to log in. one url /withcert needs to be protected with the user providing a client cert. This is working, i have a per request policy, that matches the url and then us...
BIG-IP Access Policy Manager (APM)
iRules
security
AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
Apr 08, 2021

Yes, well. its step up auth. so its not done on the access policy. but on a pre request policy. and also has to be done as a subroutine, so my reading tells me that per request subroutines don't have access to the session variables as writeable. only readable.

 

quick check via the gui interface and it show that the cert info is in the per request sub session variables. how can I insert headers from a subroutine in a pre request policy .. i thinking the only way is to use a irule event ...

 

but this seems rather hard.

 

Note - i am note sure when access_acl_allowed is fired, but I have checked the session variables - no sign of the cert in the main session variables :(

 

spalande's avatar
spalande
Icon for Nacreous rankNacreous
Apr 12, 2021

In this sceneria, you can still have per session access policy configured for www.example.com VIP. landing uri can be used to seperate VPE flow. domain cookie (example.com) can be used for SSO across multiple sites withing the same domain. per session policy should populate the certificate variables you need.

 

Will keep the forum open for anyone else have idea to share for per request access policy.