ActiveSync Client Cert Auth - no password prompt

Question

I've seen a few threads, tagged on to some of them, but still no real solid answers.  I would like to know the recommended / best config to implement client certificate authentication for ActiveSync.&nbsp;
There are references to the built-in irule _sys_apm_activesync as a solution but also several comments from F5 that it is highly preferred to use the Exchange iapp.&nbsp;
I am provisioning the client cert from AirWatch.  My current config is good for passing the cert check, I have not yet stepped into using the cert for authentication.&nbsp;
I see a few options, what is best?&nbsp;
Which is preferred for ActiveSync (EAS)? 
- configure 2nd iapp specific to EAS, remove irules, Exchange Profile add _sys_apm_activesync irule?
- configure 2nd iapp specific to EAS, keep irules, Exchange Profile - if so what is recommended for client cert auth?
- Configure without the iapp, use _sys_apm_activesync irule? &nbsp;

fred_slater_856 · Accepted Answer

Configure 2nd iApp for EAS, keep iRules, attached 'exchange' profile. The APM docs on AskF5 outline on-demand cert auth: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-12-0-0/17.htmlconceptid. The proper APM profile should handle clientless mode.

the-messenger · Answer

Thanks Fred!&nbsp;
I have done as you suggest.
Configured second iapp with ActiveSync specific selections.
Configured ClientSSL profile adding the client authentication information.
    prior to this I configured our AD Certificate Authority
In the Access profile, I have added a client cert inspection branch before the logon page.&nbsp;
Airwatch sends the cert/payload, APM checks for a valid cert, sends on the next step in the policy. iOS and Android devices are checking successfully.&nbsp;
Works great!&nbsp;

the-messenger · Answer

Thanks for the help on this Fred. Going back to this thread, I am good with verifying the cert issued by our CA, I can require it as 1 authentication method.  But I have not been able to use it as my only authentication method, there are pieces missing.&nbsp;
I've seen an ask f5 guide for this with older versions, but nothing for 12.1.1 or beyond.  Have you seen a doc, or can you help, with the pieces required for client cert auth, no password?&nbsp;

Forum Discussion

ActiveSync Client Cert Auth - no password prompt

3 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

Password Safety & Security: Passwords vs. Passphrases

Ansible module to update BIG-IP root/admin passwords

Provision IOS profile for Exchange ActiveSync with client certificate authentication

BIGIQ/DCD and BIGIP Admin password change

iRule based RADIUS Client Stack