client cert
3 TopicsAPM: irule needed to extract Username from Client Cert to use it for AD group query
Hi community, i've recently took over the task to implement Big-IPs in projects and I'm quite comfortable with LTM Tasks, but now I have to solve an APM Problem. Currently the customers mobile devices e.g. tablets are logging in via Edge-Client and after a Client Cert Check, they have to reenter their AD credentials for an AD Auth Check, which also are used for the AD Query to assign ressources based on AD groups. Basicly they want to have the the AD Credential popup removed (yeah, also think it is not very sensibel). My idea to get the group mapping done was to use an iRule to extract the username from the Client Cert and put this into the AD Query. However, since my skill in APM is very limited I don't know of any built-in method, which could handle this and hope someone can direct me in the right direction or providing an iRule which might get the job done. Thanks in advance and hope being able to give solutions back anytime soon. :) DavidSolved740Views0likes2CommentsAPM Session Variable Not Being Cached
F5 Big-IP LTM 11.4.1 HF7, APM The objective was to create an access policy that inspects client certificates for a specific certificate and grant access to resources based on that inspection. I created an access policy that consisted of: * ClientOS rule - to ensure only iOS, Windows and MacOS devices are granted access * Client Inspection rule - to ensure the device is presenting an approved certificate * Logging rule - to log the client certificate Common Name value presented * Message Box rule - to show the end user the client certificate Common Name value presented Because the default Client Inspection rule only checks whether the client certificate is 'valid' I updated the expression syntax to read: expr { [mcget {session.ssl.cert.cn}] =="clientcertcommonname"} There is no issue with the ClientOS rule however the Client Inspection rule fails. Additionally the Logging and Message Box rules do not show the client certificate Common Name value. The Logging rule expression syntax is: Your session client cert Common Name is %{session.ssl.cert.cn}. The Message Box rule expression syntax is: Your session client cert Common Name is %{session.ssl.cert.cn}. I believe the issue is that the session variable session.ssl.cert.cn is not capturing the client certificate Common Name value but I don't know why. Any suggestions/recommendations will be appreciated. Thanks.535Views0likes7Comments