Configuring Smart Card Authentication to BIG-IP Management Interface
I'm receiving certificate invalid errors -- does anyone know what I might be doing wrong?
I'm able to get to the login page and it requests my certificate; after entering the PIN I receive a username/password error.
I have verified ssl-cname-otheroid is correct as per the configuration. Please see the logs and configs below.
Oct 28 21:25:37 ip-hostname err httpd[17103]: [error] [client x.x.x.x] Invalid client certificate provided by /C=**/O=**************/OU=***/OU=***/OU=*************/CN=************************ (Hint: examine 'tmsh list auth cert-ldap' and confirm proper configuration of ssl-cname-field and/or ssl-cname-otheroid properties.)
Oct 28 21:26:48 ip-hostname err httpd[16849]: [error] [client 127.1.1.3] Re-negotiation handshake failed: Not accepted by client!?
(tmos)# list sys httpd
sys httpd {
auth-pam-dashboard-timeout on
auth-pam-idle-timeout 600
ssl-ca-cert-file /Common/Trusted_Bundle
ssl-ocsp-default-responder http://********
ssl-ocsp-enable on
ssl-ocsp-override-responder on
ssl-verify-client require
}
(tmos)# list auth cert-ldap
auth cert-ldap system-auth {
bind-dn "CN=********,OU=*******,OU=********,DC=***,DC=******"
bind-pw **********************8
check-roles-group enabled
debug enabled
login-attribute userPrincipalName
login-filter [a-zA-Z0-9]\\\\w*(\\\?=@)
port ldaps
search-base-dn DC=****,DC=****
servers { ******** }
ssl-ca-cert-file Trusted_Bundle.crt
ssl-client-cert *******************
ssl-client-key *******************
ssl-cname-field san-other
ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3
sso on
}
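As an added illustration (not part of the original post, and not F5 code), the following Python shows what the two properties in the cert-ldap config above do to a smart-card certificate: ssl-cname-otheroid selects the SAN otherName entry carrying the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, and login-filter is then applied to that value to extract the login name. It assumes the effective regex behind the tmsh-escaped login-filter is `[a-zA-Z0-9]\w*(?=@)`, and the SAN entries are constructed samples, not real cards.

```python
import re

# Assumption: the tmsh-escaped login-filter "[a-zA-Z0-9]\\\\w*(\\\?=@)"
# is this regex once unescaped: an alphanumeric-led word that stops just
# before the "@" (positive lookahead), i.e. the user part of a UPN.
LOGIN_FILTER = re.compile(r"[a-zA-Z0-9]\w*(?=@)")

# The OID ssl-cname-otheroid points at: Microsoft User Principal Name.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"

# Constructed sample of SAN otherName entries as (oid, value) pairs,
# modelled on a typical smart-card certificate. Not from any real card.
SAMPLE_SAN_OTHERNAMES = [
    ("1.3.6.1.5.5.7.8.5", "jsmith@xmpp.example"),  # XmppAddr: a different otherName, must be skipped
    ("1.3.6.1.4.1.311.20.2.3", "jsmith@corp.example"),  # UPN: the one ssl-cname-otheroid selects
]


def upn_from_san(othernames, oid=UPN_OID):
    """Return the value of the first SAN otherName whose OID equals
    ssl-cname-otheroid, or None if the certificate carries no such entry."""
    for entry_oid, value in othernames:
        if entry_oid == oid:
            return value
    return None


def apply_login_filter(upn):
    """Return the login name the login-filter extracts from the UPN,
    or None when the filter does not match (no "@", or nothing before it)."""
    if not upn:
        return None
    match = LOGIN_FILTER.search(upn)
    return match.group(0) if match else None


def resolve_login(othernames, oid=UPN_OID):
    """Chain both steps: pick the UPN via the OID, then extract the login
    name. A None result is the case the "Invalid client certificate" hint
    in the log points at: nothing usable came out of the configured field."""
    return apply_login_filter(upn_from_san(othernames, oid))


if __name__ == "__main__":
    print("UPN:  ", upn_from_san(SAMPLE_SAN_OTHERNAMES))
    print("login:", resolve_login(SAMPLE_SAN_OTHERNAMES))
```

Note that the extracted value (here `jsmith`) is what is subsequently looked up in the directory, so it has to be in the form the configured login-attribute actually stores; a filter that strips the domain while the attribute holds the full UPN is one thing worth checking with `debug enabled`.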