Forum Discussion
VPN Access with Smartcard for Windows 10 and F5 12.1
Hi,
we are trying to configure VPN access with APM and smartcards and have some problems. With F5 12.0 and Windows 8.1 we had already configured the VPN via BIG-IP Edge Client with smart card and the pre-logon feature. Setting up a VPN worked fine from Windows logon via dial-up connection and from Windows (in Windows with Edge Client and dial-up connection).
With F5 12.1 and Windows 10 we get an error during logon like here: https://devcentral.f5.com/questions/using-apm-with-windows-pre-logon-feature
It asks for the client certificate, proceeds to the client checks and after 'Authenticated' a popup comes with Error 702: Device response received when none expected.
With BIG-IP Edge Client it works but not with the dial-up connection, neither from Windows logon (with pre-logon sequence) nor from Windows.
So two questions:
- Does anyone have a working VPN login with smart card in Windows 10 with the pre-logon sequence feature?
- From what I have read, BIG-IP Edge Client isn't supported on Windows 10. Instead you should use the F5 Access app from the Windows Store. But the app doesn't seem to support smartcards. Is there any possibility to use smartcards from the app with VPN?
Thank you very much
Best regards
Mark
3 Replies
- Lucas_Thompson_Historic F5 Account
The thing you're using is called "windows logon integration", or at least that's what F5 calls it. That 702 error can happen if the SSL handshake doesn't work for some reason. Make sure you haven't messed with the ciphers in the clientssl profile.
If that doesn't fix it, probably time to open a support ticket.
- Wompi_203183
Nimbostratus
Hi,
thank you very much for your answer. I haven't changed any cipher suites in the client ssl profiles.
Accidentally I have found a workaround. After your answer I have seen that the LTM showed the following message:
Connection error: ssl_shim_vfycerterr:4530: application verification failure (46) during vpn login.
With this message in Google I stumbled across "On-Demand Cert Auth". Before, we had only set require in the client SSL profile. If we use "On-Demand Cert Auth" with require in APM and set the client SSL profile to ignore, the VPN with smartcard auth works again with the dial-up connection and Windows logon integration.
Thank you very much.
Best regards
Mark
- Lucas_Thompson_Historic F5 Account
Oh, that's very interesting. Glad you've got it working. What documentation have you been using to set it up? I'd like to double check that it has the correct information in this area.
