Help with irule for bypassing client authentication certificates by IP

Mr_Moody · ‎22-Sep-2020

Hello, I'm looking for help with an irule that will bypass the client authentication certificate for a group of ip addresses. Currently we have the client cert auth working with a client ssl profile in LTM set to require client authentication. We would like to allow certain IP addresses access to the site without client certificates.

I assume that I would need to change the ssl profile to 'request' client auth and create an irule to handle things from there. I think the logic should be something to the affect:

if ip is in data group list of IP addresses->allow access without cert

request client certificate->if valid cert presented->allow access

If no cert and not on list->deny access

Any help would be appreciated.

iaine · ‎23-Sep-2020

Hi

You could create a second SSL profile that doesn't require client auth and then use this profile for specific IPs. There's an example here on clouddocs

Mr_Moody · ‎16-Oct-2020

Thank you for the response. Your answer helped me end up with the below. The key was that the ssl profile assigned to the VS had to be set to ignore.

when HTTP_REQUEST {

if {[HTTP::uri] starts_with "/uri1" || [HTTP::uri] starts_with "/uri2"} {

if {not [matchclass [IP::remote_addr] equals NOCERT_IP_LIST]} {

SSL::session invalidate

SSL::authenticate always

SSL::authenticate depth 9

SSL::cert mode require

set cmd "SSL::profile /Common/require_clientssl"

eval $cmd

SSL::renegotiate

event disable all

}

DevCentral

Help with irule for bypassing client authentication certificates by IP

MFA required on DevCentral