
iRule for client certificate

Yogesh_Joshi
Nimbostratus

We would like to have F5 configured to not always request client certificate authentication, but to request it only when the path matches a specific URL.

3 REPLIES 3

Simon_Blakely
F5 Employee

Simon_Blakely
F5 Employee

SSL::renegotiate provides a suitable example.
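
An iRule following the SSL::renegotiate approach mentioned above, added here as an example; it is not code from this thread or from F5's documentation. The `/secure` prefix is a hypothetical path, and the client SSL profile is assumed to ignore client certificates by default and to have a trusted CA bundle configured.

```tcl
# Added example, not from the thread. Assumptions: "/secure" is a hypothetical
# protected prefix; the client SSL profile ignores client certificates by
# default and has a trusted CA bundle configured.
when CLIENT_ACCEPTED {
    # Tracks whether this connection is waiting on a certificate handshake.
    set cert_pending 0
}

when HTTP_REQUEST {
    # Lower-case the path so "/Secure" is matched the same as "/secure".
    if { [string tolower [HTTP::path]] starts_with "/secure" } {
        if { [SSL::cert count] == 0 } {
            # Hold the request, then ask for a certificate on this connection.
            HTTP::collect
            set cert_pending 1
            SSL::authenticate always
            SSL::authenticate depth 9
            SSL::cert mode require
            SSL::renegotiate
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # Only act on the handshake that this iRule triggered.
    if { $cert_pending } {
        set cert_pending 0
        if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
            # Certificate presented and verified: let the held request through.
            HTTP::release
        } else {
            reject
        }
    }
}
```

TLS 1.3 removed renegotiation from the protocol, so this pattern applies to connections negotiated with TLS 1.2 or earlier.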

Bill_at_F5
F5 Employee

This is a good use case for APM's "Per Request Policy" feature. You can create URL branches which require authentication and portions of the site which do not. This could also enable "step-up" authentication use cases where access to certain parts of a site could require stronger authentication.

On-Demand Cert Authentication or ODCA is an option in a Per Request Policy.

On Demand Certificate Authentication

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-authentication-methods/on-de...

How Step-up Authentication works:

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-per-request-policies/using-s...

Step-up Authentication with Client Certificate example:

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/2...