Help with irule for bypassing client authentication certificates by IP

Mr_Moody
Nimbostratus

Hello, I'm looking for help with an iRule that will bypass the client authentication certificate for a group of IP addresses. Currently we have the client cert auth working with a client SSL profile in LTM set to require client authentication. We would like to allow certain IP addresses access to the site without client certificates.

I assume that I would need to change the SSL profile to 'request' client auth and create an iRule to handle things from there. I think the logic should be something to the effect of:

if IP is in data group list of IP addresses -> allow access without cert

request client certificate -> if valid cert presented -> allow access

if no cert and not on list -> deny access

Any help would be appreciated.

2 REPLIES

iaine
MVP

Hi

You could create a second SSL profile that doesn't require client auth and then use this profile for specific IPs. There's an example here on clouddocs.

Mr_Moody
Nimbostratus

Thank you for the response. Your answer helped me end up with the below. The key was that the SSL profile assigned to the VS had to be set to 'ignore'.

when HTTP_REQUEST {
  # Only these paths demand a client certificate
  if { [HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2" } {
    # Sources in the NOCERT_IP_LIST address data group skip the certificate check
    # (class match is the current form of the older matchclass command)
    if { not [class match [IP::remote_addr] equals NOCERT_IP_LIST] } {
      # Drop the cached SSL session so the renegotiation really re-runs authentication
      SSL::session invalidate
      SSL::authenticate always
      SSL::authenticate depth 9
      SSL::cert mode require
      # Switch to the profile that requires a client cert; the eval wrapper is the
      # usual way to issue SSL::profile from within HTTP_REQUEST
      set cmd "SSL::profile /Common/require_clientssl"
      eval $cmd
      SSL::renegotiate
      # Do this only once per connection
      event disable all
    }
  }
}
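The same allow-list bypass, as an added example rather than the poster's iRule: it logs the bypass decision and the certificate verdict, so the "no cert and not on the list" case is rejected explicitly and leaves an audit record. The data group, profile and URI names are assumed from the thread, and the HTTP::collect / HTTP::release pairing is used to hold the request until the renegotiated handshake has delivered the certificate.

```tcl
# Added example (not the thread's own iRule). Assumed names: address data group
# NOCERT_IP_LIST, and client-ssl profile /Common/require_clientssl with
# Client Authentication = "require". The profile attached to the virtual
# server is set to "ignore", as described in the thread.

when CLIENT_ACCEPTED {
    # Evaluate the allow list once per TCP connection
    set bypass [class match [IP::client_addr] equals NOCERT_IP_LIST]
    set cert_done 0
}

when HTTP_REQUEST {
    # Only the protected paths trigger a certificate demand
    if { !([HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2") } {
        return
    }
    if { $bypass } {
        log local0.info "cert bypass: [IP::client_addr] -> [HTTP::uri]"
        return
    }
    if { $cert_done } {
        # Already renegotiated on this connection; later requests reuse the result
        return
    }
    # Hold the request, switch to the profile that requires a cert and renegotiate
    HTTP::collect
    SSL::session invalidate
    SSL::authenticate always
    SSL::authenticate depth 9
    SSL::cert mode require
    set cmd "SSL::profile /Common/require_clientssl"
    eval $cmd
    SSL::renegotiate
}

when CLIENTSSL_CLIENTCERT {
    set cert_done 1
    # With "require", a missing or failed cert normally ends the handshake before
    # this event fires; the check here is the safety net and the audit record
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0.warn "cert rejected: [IP::client_addr] count=[SSL::cert count] verify=[SSL::verify_result]"
        reject
        return
    }
    log local0.info "cert accepted: [IP::client_addr] subject=[X509::subject [SSL::cert 0]]"
    HTTP::release
}
```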