cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict access to virtual server by IP address and client certificate authentication

Carl_20170911
Nimbostratus
Nimbostratus

I am currently implementing F5 LTM.

I want to restrict access to virtual server by IP address and  client certificate authentication.

 

If the client's IP is not in the address list, then the client can use client certificate authentication.

 

Is it possible?

 

Thanks.

 

6 REPLIES 6

Prakin
Nimbostratus
Nimbostratus

Hi,

You can make use of iRules to identify the client IP address from the data group list configured and you can prevent accessing the VS by clients.

boneyard
MVP
MVP

and add to that irule to switch the client ssl profile to one that requires client certificate authentication if the IP is not on the list and you got what you want. it isn't something you can just configure in the GUI, it will require some iRule code and different profiles.

Carl_20170911
Nimbostratus
Nimbostratus

I have tried the following irule but not work.

 

when CLIENT_ACCEPTED {

set redir 0

if { ! [class match [IP::client_addr] eq EISAllow] } {

log local0. "Dropped connection: client IP [IP::client_addr] is blacklisted."

SSL::enable

set sslenable 0

set redir 1 

SSL::profile Client_Cert_Auth_Policy

#drop

}

you would enable a profile with SSL client auth by default. not enable it in the iRule.

nolipineda
Altostratus
Altostratus

Is it possible to extend this solution to restrict access to specific client certificates?

with iRules everything is possible 🙂

 

if your client certificates contain a certain CN your can request that and compare it with a list of allowed ones.

 

there should be enough examples around how to do this.