09-Aug-2018
06:38
- last edited on
02-Jun-2023
08:33
by
JimmyPackets
Hi,
I am trying to implement machine certificate check for Edge Client users.
The machine certificate is stored in the default MY store and I assume I have configured the APM action correctly with: MY / LocalMachine / CA Bundle / YES to right elevation prompts.
The connection fails always on machine certificate check with these entries in APM log:
debug /Common/ap_edge_client:Common:4d76a881: MachineCert agent: ENTER Function executeInstance
info /Common/ap_edge_client:Common:4d76a881: Executed agent '/Common/empty_act_machinecert_auth_ag', return value 0
info /Common/ap_edge_client:Common:4d76a881: Following rule 'fallback' from item 'Machine Cert Auth' to item 'Log F'
info /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert./Common/empty_act_machinecert_auth_ag.result' set to '-2'
info /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert.last.result' set to '-2'
Edge client log file contains these entries:
0,2018-08-09,11:04:34:936,APPCTRL,7384,8484,Starting pending session ID: 4d76a881
48,2018-08-09,11:04:35:431,APPCTRL,7384,8484,URL: https:///my.policy
48,2018-08-09,11:04:36:330,APPCTRL,7384,8484,Cookie MRHSession not set
1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failure
1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failed - redirect (0x80070005)
0,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Failed to establish session 4d76a881
I set the logging levels for this APM policy to debug for everything, but still none of the logs tell me what could be causing the problems.
Is it my VPE action setting, is it perhaps something with CA, or the client rights?
How should I identify the root cause here? What more can I do more to troubleshoot beside trying every possible set of settings in the APM machine certificate check action?
Any help really appreciated! thx.
10-Aug-2018 06:14
Hi,
Machine certificate check require Admin right on the client side. That's why you should deploy "Machine Certificate Checker" within the Edge Client and install EC with admin rights.
Then, in addition to the Trusted CA, you need to add Common Name or Issuer matching text to the Machine Certificate Check in the VPE.
10-Aug-2018 06:48
Hi,
I did not mention it, but all that I have done already. The checker is installed together with the EC and the whole thing has been installed with admin rights.
In APM policy machine certificate check action I do have the 'Match subject CN with FQDN' set to YES and even the 'Match Issuer' set to the correct string.
I mean, I am pretty sure I managed to configure everything based on the available documentation. My question here was more the direction... if it does not work for whatever reason, what is the way to find out why is it not working?
I cannot imagine there is no way to somewhere see the real actual reason of the error, it must be written somewhere.. I just don't know where, couldn't find it yet.
Looks like I will have to open a ticket with F5 support.
10-Aug-2018 06:59
Hi,
You can check the log file on the client itself. It will help you to understand the problem.
You can also download F5 CTU (Client Troubleshooting Utility) and run it on the client.
https://support.f5.com/csp/article/K12444
10-Aug-2018 07:15
Hi there,
Log file from the client I checked already, it's in my original post above. Not really helpful the messages in it.
But I can give a try to the CTU, I thought it would produce just the same type of logs as I already have, but I will give it a try and let's see.
thx for the tip.
10-Aug-2018 06:14
Hi,
Machine certificate check require Admin right on the client side. That's why you should deploy "Machine Certificate Checker" within the Edge Client and install EC with admin rights.
Then, in addition to the Trusted CA, you need to add Common Name or Issuer matching text to the Machine Certificate Check in the VPE.
10-Aug-2018 06:48
Hi,
I did not mention it, but all that I have done already. The checker is installed together with the EC and the whole thing has been installed with admin rights.
In APM policy machine certificate check action I do have the 'Match subject CN with FQDN' set to YES and even the 'Match Issuer' set to the correct string.
I mean, I am pretty sure I managed to configure everything based on the available documentation. My question here was more the direction... if it does not work for whatever reason, what is the way to find out why is it not working?
I cannot imagine there is no way to somewhere see the real actual reason of the error, it must be written somewhere.. I just don't know where, couldn't find it yet.
Looks like I will have to open a ticket with F5 support.
10-Aug-2018 06:59
Hi,
You can check the log file on the client itself. It will help you to understand the problem.
You can also download F5 CTU (Client Troubleshooting Utility) and run it on the client.
https://support.f5.com/csp/article/K12444
10-Aug-2018 07:15
Hi there,
Log file from the client I checked already, it's in my original post above. Not really helpful the messages in it.
But I can give a try to the CTU, I thought it would produce just the same type of logs as I already have, but I will give it a try and let's see.
thx for the tip.
29-Jan-2019 05:29
Hi Martin Vlasko,
Any update regarding this issue ? I have the same result using Machine Cert Auth, the evaluation of the APM profile is failed and point directly to 'fallback' I get this line on repport:
<< machinecert_auth_ag.result' set to '-2'>>
Do you have the list of machinecert_auth_ag.result value and there meanings ? Regards,
29-Jan-2019
06:26
- last edited on
19-Dec-2022
15:53
by
JimmyPackets
Hi CentOne,
Yes it works for me now, I had to do a workaround for CRL check.
If you are also using a CRL for "Certificate Revocation List (CRL)" within CA profile (Local Traffic > Profiles > SSL > Certificate Authority), then do following:
Then go to Access Policy > AAA Servers > CRLDP, and create new profile here (choose timeout values that fit your environment):
Then go to your APM's policy and under the action "Machine Cert Checker" configure following:
Right after this action insert "Variable Assign" action to policy and assign two variables:
Right after this action insert "CRLDP Auth Agent" action to policy:
And that's it, works for me.
FYI, about the CRLDP workaround I learned from Kevin's post here: https://devcentral.f5.com/questions/machine-certificate-revocation-checksanswer160001
Let me know if you are also successful with this configuration.
11-May-2022 03:42
Hi ,
I tried same config however getting below error and response in APM session logs.
(null):Common:c8a55694: CRLDP Auth agent: CRL lookup failed for LDAP url 'http://abc.dns.com/CDP/filename.crl' reason 'Bad HTTP response status'
Could you suggest how to resolve this issue, Looks F5 not able to resolve domain to CRL server Ip address
Regards,
Sushil Kolekar
31-Jan-2019 05:50
Hi Martin Vlasko,
Many thanks for your return. Could you please confirm me the extension of the certificates used on the Machine ? on the CA Profile on the APM ?
I have used : Regarding the issuer: CN=pki,DC=demo,DC=lab,DC=net <> pki.demo.lab.net certificate client side with .pxf certificate APM side with .crt
the cert machine auth still failed
31-Jan-2019 06:43
Hi there,
I think the extension does not matter anymore, once you import the certificate in to the cert store.
On F5 I always work with PEM format.
But maybe one more hint, in LTM SSL client side profile for this VS, the whole section "Client Authentication" is NOT enabled, because it is handled by APM.
And perhaps try to make it work first without the CRL check, just to make sure the authentication works.. then you can add the config for CRL checking - in case you need it.
04-Feb-2019 03:02
Hi Martin,
The basic configuration of Machine Cert auth is working now...I have used the PEM format as you have recommended.
The machine certificate should match a SAN value on the APM auth Agent: for example 'machineX.f5trn.local' I have used the following syntax but it doesn't work for me : .DNS Name=.f5trn.local
Any advise ?
Best regards,
04-Feb-2019 04:39
Hi,
It probably depends on what exactly you have in the SAN field of your client certificate.
The F5 help suggests using following regex:
.*DNS Name=([^,]+).*
With the regex you are trying to match and return the SAN value which APM then checks against machine's FQDN. Anything that is found within the round brackets will be returned and compared with FQDN. So in your case I would try something like:
.*DNS Name=(.*\.f5trn\.local).*
or
.*DNS Name=([^,]+\.f5trn\.local).*
It depends on how many values you have in the SAN field, if there are commas, or if it's just a single value.
Perhaps try to dump the certificate into APM log file to see the raw data which should help you figure out the correct regex syntax for your case.
06-Feb-2019 08:15
Hi Martin,
Thank youf for your help. It works!
Regards,
07-Feb-2019 03:19
Happy to hear it works and that I was able to help you 🙂