smart card
4 Topics

Trouble with Smart Card Login to the F5 Web Management UI
I've read https://devcentral.f5.com/questions/smart-card-login-to-f5-web-management and https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html but I'm having trouble getting smart cards to work to log in to the web management console of the F5 itself. We are an Active Directory shop (2012), and if we need to tweak our Smart Card certs for this, we can. I can get the management site to verify the client cert, but no authentication happens--you just land at the login page (where you can enter name/password, and it successfully authenticates, but that defeats the purpose). I've uploaded our internal root CA certificate to the Apache Certificates store, and configured httpd as follows (note: the GUI for the cert-LDAP piece ALWAYS turns on OCSP checking, regardless of the setting--this is really annoying):

    sys httpd {
        auth-pam-idle-timeout 1800
        log-level debug
        ssl-ca-cert-file /Common/InternaCA-cert
        ssl-ciphersuite DEFAULT:!3DES:!LOW:!MD5:!EXPORT
        ssl-verify-client require
        ssl-verify-depth 20
    }

And then I have tried several variations on the following (the subject of our Smart Card certs is the DistinguishedName, and we have the userPrincipalName in the subject alternate name--these accounts don't have email addresses). The accounts/domains are sanitized in the code below:

    auth cert-ldap system-auth {
        bind-dn "CN=LDAP Runner,OU=Other,OU=Users-Internal,DC=contoso,DC=com"
        bind-pw BINDPASSWORD
        check-roles-group enabled
        debug enabled
        login-attribute sAMAccountName
        login-name userPrincipalName
        search-base-dn OU=Users-Internal,DC=Contoso,DC=com
        servers { dc8.contoso.com }
        ssl-cname-field san-other
        ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3
        sso on
    }

I've tried combinations of the CN and OID for the UPN. Watching the tcpdump traffic, I can see that there's no LDAP traffic at all (unless you enter the user name and password in the forms).
The httpd logs aren't showing anything that seems useful, though lots and lots of:

    Sep 23 18:04:30 F502EU err httpd[21790]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure

which corresponds to lots and lots of:

    Sep 23 19:10:19 F502EU err httpd[22289]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure
    Sep 23 19:10:19 F502EU info httpd(pam_audit)[22289]: User=admin tty=(unknown) host=127.0.0.1 failed to login after 1 attempts (start="Fri Sep 23 19:10:17 2016" end="Fri Sep 23 19:10:19 2016").

What am I missing?

APM On-Demand Cert Auth agent resets the connection when handshake timeout occurs.
Platform: 13.1
SSL client profile: Client Certificate set to Ignore
APM Policy: On-demand Cert Auth agent rule on first line and set to "Request"

In my scenario, I am using a smartcard with an APM policy and the On-demand Cert Auth Agent. For example, I choose the certificate for authentication but do not have time to enter the PIN code (smartcard) and the handshake timeout occurs (default is 10 sec.). After that, a blank page appears in the browser (I've tested the latest versions of IE and Chrome). The user may think that the service is unavailable. I've found a workaround: extend the handshake timeout in the Client SSL profile. Nevertheless, according to the F5 knowledge base it is not good practice, because of the attack risk. However, when I set the SSL Client Profile to ask for a certificate (Client Certificate Request option), the problem does not recur. I consciously set the handshake timeout to 1 sec. Does this mean that the APM On-demand Cert Auth Agent is not working correctly?

Kerberos SSO fails when user required for smartcard.
Hi all, so basically I'm doing APM access to a portal resource (rewrite) that is done with a mobile certificate translated to KDC (after UPN extraction + AD query). After SSO mapping is done, KDC kicks in and fails. I found out that if I remove the smartcard auth requirement in my domain, KDC gets a valid ticket and SSO is successful. What am I missing?

APM - Collecting smartcard session variable
Hello: I successfully deployed an SSLVPN solution using smartcards to a government customer. All works great except that when the client uses a SmartCard, the username is not captured in the APM session logs. It is only visible when debug mode is turned on, and this creates bloated and unnecessary information. What are my choices for APM to exclusively capture a particular session variable on successful login and perhaps add it to the default session information? Thanks in advance,
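Returning to the first question above: the cert-ldap config keys on a SAN otherName carrying the Microsoft UPN OID, so a sensible first check is whether the smartcard certificate actually contains that entry. The following is an added example, not code from the posts or from F5: a minimal DER encoder/reader for the GeneralNames of a subjectAltName, where the UPN and DNS name values are constructed samples and the OID is the one quoted in the post as ssl-cname-otheroid.

```python
# Constructed example; the OID is the ssl-cname-otheroid value from the post.
UPN_OID_DER = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3, DER body

def _tlv(tag, body):
    """Encode one DER TLV; short form plus one-byte long form covers any SAN here."""
    n = len(body)
    if n > 0xFF:
        raise ValueError("example supports lengths up to 255")
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + body

def build_san(upn=None, dns=None):
    """Constructed SAN GeneralNames: optional otherName(UPN), optional dNSName."""
    names = b""
    if upn is not None:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }, implicitly tagged [0]
        other = _tlv(0x06, UPN_OID_DER) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names += _tlv(0xA0, other)          # GeneralName [0] otherName
    if dns is not None:
        names += _tlv(0x82, dns.encode())   # GeneralName [2] dNSName
    return _tlv(0x30, names)

def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln == 0x81:                           # one-byte long-form length
        ln, pos = buf[pos], pos + 1
    elif ln & 0x80:
        raise ValueError("unsupported DER length form")
    return tag, buf[pos:pos + ln], pos + ln

def extract_upn(san_der):
    """UPN from the Microsoft otherName, or None when the SAN carries none."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE OF GeneralName")
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:                      # dNSName, rfc822Name etc. cannot hold a UPN
            continue
        otag, oid, after = _read_tlv(body, 0)
        if otag != 0x06 or oid != UPN_OID_DER:
            continue                         # an otherName of some other type
        _, explicit, _ = _read_tlv(body, after)   # [0] EXPLICIT wrapper
        vtag, value, _ = _read_tlv(explicit, 0)
        if vtag == 0x0C:                     # UTF8String, as Windows CAs issue it
            return value.decode("utf-8")
    return None
```

A certificate whose SAN yields None here has nothing for ssl-cname-field san-other to match, which is consistent with the observed behaviour of no LDAP lookup ever being attempted.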