ActiveSync Client Cert Auth - no password prompt

The-messenger_1
Nimbostratus

I've seen a few threads, tagged on to some of them, but still no real solid answers. I would like to know the recommended / best config to implement client certificate authentication for ActiveSync.

There are references to the built-in iRule _sys_apm_activesync as a solution, but also several comments from F5 that it is highly preferred to use the Exchange iApp.

I am provisioning the client cert from AirWatch. My current config is good for passing the cert check, I have not yet stepped into using the cert for authentication.

I see a few options; which is best?

Which is preferred for ActiveSync (EAS)?

- Configure a 2nd iApp specific to EAS, remove the iRules, keep the Exchange profile, and add the _sys_apm_activesync iRule?
- Configure a 2nd iApp specific to EAS, keep the iRules and the Exchange profile? If so, what is recommended for client cert auth?
- Configure without the iApp and use the _sys_apm_activesync iRule?

1 ACCEPTED SOLUTION

Fred_Slater_856
Historic F5 Account

Configure a 2nd iApp for EAS, keep the iRules, and attach the 'exchange' profile. The APM docs on AskF5 outline on-demand cert auth: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-o.... The proper APM profile should handle clientless mode.

3 REPLIES

Thanks Fred!

I have done as you suggest. Configured a second iApp with ActiveSync-specific selections. Configured the ClientSSL profile, adding the client authentication information. Prior to this I configured our AD Certificate Authority. In the Access profile, I have added a client cert inspection branch before the logon page.

AirWatch sends the cert/payload, APM checks for a valid cert and sends it on to the next step in the policy. iOS and Android devices are checking successfully.

Works great!

Thanks for the help on this Fred. Going back to this thread, I am good with verifying the cert issued by our CA, and I can require it as one authentication method. But I have not been able to use it as my only authentication method; there are pieces missing.

I've seen an AskF5 guide for this with older versions, but nothing for 12.1.1 or beyond. Have you seen a doc, or can you help, with the pieces required for client cert auth with no password?