Restrict access to virtual server by IP address and client certificate authentication

Carl_20170911
Nimbostratus

I am currently implementing F5 LTM.

I want to restrict access to virtual server by IP address and  client certificate authentication.

 

If the client's IP is not in the address list, then the client can use client certificate authentication.

 

Is it possible?

 

Thanks.

 


Prakin
Altostratus

Hi,

You can make use of iRules to check the client IP address against the configured data group list and prevent those clients from accessing the VS.

boneyard
MVP

And add to that iRule a switch of the client SSL profile to one that requires client certificate authentication if the IP is not on the list, and you've got what you want. It isn't something you can just configure in the GUI; it will require some iRule code and different profiles.

Carl_20170911
Nimbostratus

I have tried the following iRule but it does not work.

 

when CLIENT_ACCEPTED {
    set redir 0
    # Clients not listed in the EISAllow address data group must authenticate with a certificate
    if { ! [class match [IP::client_addr] equals EISAllow] } {
        log local0. "Dropped connection: client IP [IP::client_addr] is blacklisted."
        SSL::enable
        set sslenable 0
        set redir 1
        SSL::profile Client_Cert_Auth_Policy
        #drop
    }
}

You would enable a profile with SSL client auth by default, not enable it in the iRule.

nolipineda
Altostratus

Is it possible to extend this solution to restrict access to specific client certificates?

with iRules everything is possible 🙂

 

If your client certificates contain a certain CN, you can request that and compare it with a list of allowed ones.

 

there should be enough examples around how to do this.
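Putting the two suggestions above together (switch the client SSL profile based on an address data group, then compare the certificate CN against an allowed list), here is an added example iRule; it is not code from this thread or from F5, and the data group and profile names are assumptions. It keeps the certificate-requiring profile as the default on the virtual server, so a listed IP relaxes the check rather than an unlisted IP having to tighten it.

```tcl
# Added example (not code from the original thread). Assumptions:
#  - address-type data group "EISAllow" holds the trusted client IPs
#  - string-type data group "AllowedCertCNs" lists the permitted certificate CNs
#  - client SSL profile "/Common/clientssl_certauth" (client authentication set to
#    "require", issuing CA in its trusted CA bundle) is the one attached to the VS
#  - client SSL profile "/Common/clientssl_noauth" does not request a certificate
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals EISAllow] } {
        # Known address: switch to the profile that does not ask for a certificate
        SSL::profile /Common/clientssl_noauth
        log local0. "Client [IP::client_addr] is on the allow list, no certificate required"
    } else {
        # Unknown address: keep the default profile, which requires a client certificate
        log local0. "Client [IP::client_addr] not on the allow list, client certificate required"
    }
}

when CLIENTSSL_CLIENTCERT {
    # Only fires for the cert-requiring profile, once the client has sent its certificate
    if { [SSL::cert count] == 0 } {
        log local0. "Client [IP::client_addr] presented no certificate, rejecting"
        reject
        return
    }
    # The profile verifies the chain against its trusted CAs; check that result explicitly
    if { [SSL::verify_result] != 0 } {
        log local0. "Certificate from [IP::client_addr] failed verification, code [SSL::verify_result]"
        reject
        return
    }
    set subject [X509::subject [SSL::cert 0]]
    # Pull the CN out of the subject DN, e.g. "CN=partner-gw,OU=Ops,O=Example"
    if { ! [regexp {CN=([^,]+)} $subject -> cn] } {
        log local0. "Certificate from [IP::client_addr] has no CN in subject: $subject"
        reject
        return
    }
    if { ! [class match $cn equals AllowedCertCNs] } {
        log local0. "Certificate CN '$cn' from [IP::client_addr] is not in AllowedCertCNs, rejecting"
        reject
        return
    }
    log local0. "Accepted client certificate CN '$cn' from [IP::client_addr]"
}
```

The profile's trusted CA bundle is what actually authenticates the certificate; the CN list only narrows which certificates issued by that CA are accepted, so it must not be used on its own.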