client certificate authentication
4 TopicsTrouble with Smart Card Login to the F5 Web Management UI
I've read https://devcentral.f5.com/questions/smart-card-login-to-f5-web-management and https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html but I'm having trouble getting smart cards to work to login to the web management console of the F5 itself. We are a Active Directory shop (2012), and if we need to tweak our Smart Card certs for this, we can. I can get the management site to verify the client cert, but no authentication happens--you just land at the login page (where you can enter name/password, and it successfully authenticates, but that defeats the purpose). I've uploaded our internal root CA certificate to the Apache Certificates store, and configured httpd as follows (note: the GUI for cert-LDAP piece ALWAYS turns on OCSP checking, regardless of the setting--this is really annoying): sys httpd { auth-pam-idle-timeout 1800 log-level debug ssl-ca-cert-file /Common/InternaCA-cert ssl-ciphersuite DEFAULT:!3DES:!LOW:!MD5:!EXPORT ssl-verify-client require ssl-verify-depth 20 } And then have tried several variations on the following (the subject of our Smart Card certs is the DistinguishedName, and we have the userPrincipalName in the subject alternate name-these accounts don't have email addresses). The accounts/domains are sanitized in the code below: auth cert-ldap system-auth { bind-dn "CN=LDAP Runner,OU=Other,OU=Users-Internal,DC=contoso,DC=com" bind-pw BINDPASSWORD check-roles-group enabled debug enabled login-attribute sAMAccountName login-name userPrincipalName search-base-dn OU=Users-Internal,DC=Contoso,DC=com servers { dc8.contoso.com } ssl-cname-field san-other ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3 sso on } I've tried combinations of the CN and OID for the UPN. Watching the tcpdump traffic, I can see that there's no LDAP traffic at all (unless you enter the user name and password in the forms). The httpd logs aren't showing anything that seems useful, though lots and lots of: Sep 23 18:04:30 F502EU err httpd[21790]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure Which corresponsds to lots and lots of: Sep 23 19:10:19 F502EU err httpd[22289]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure Sep 23 19:10:19 F502EU info httpd(pam_audit)[22289]: User=admin tty=(unknown) host=127.0.0.1 failed to login after 1 attempts (start="Fri Sep 23 19:10:17 2016" end="Fri Sep 23 19:10:19 2016"). What am I missing?375Views1like0Comments