Forum Discussion
Kevin_Stewart
Oct 10, 2013
Employee
The easiest thing would probably be to create two client SSL profiles: one with client authentication and one without, then create an address-based data group that contains your whitelist IPs/IP subnets. Here's what the iRule might look like:
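    when CLIENT_ACCEPTED {
        # Clients in the address data group get the profile without client authentication
        if { [class match [IP::client_addr] equals my_ip_dg] } {
            SSL::profile noauth_clientssl
        } else {
            # Everyone else must present a client certificate
            SSL::profile auth_clientssl
        }
    }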
where "my_ip_dg" is the name of the arbitrarily-named address-based data group, and "noauth_clientssl" and "auth_clientssl" are the names of the client SSL profiles - no auth and auth respectively.
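Added example, not part of the original post: a Python sketch for reviewing which clients the data group exempts from client authentication before the iRule goes live. It assumes the data group is defined as an internal address data group in bigip.conf-style text; the sample records are constructed, and the function names and the prefix-length thresholds are hypothetical.

```python
import ipaddress
import re

# Constructed sample in bigip.conf style; addresses are documentation ranges.
SAMPLE_CONF = """
ltm data-group internal my_ip_dg {
    records {
        192.0.2.0/24 { }
        198.51.100.10 { }
        2001:db8:10::/48 { }
    }
    type ip
}
"""

# A record line is an address or subnet followed by "{".
RECORD_RE = re.compile(r"^\s*([0-9A-Fa-f:.]+(?:/\d+)?)\s*\{", re.MULTILINE)

def parse_address_dg(conf_text, name):
    """Return the networks listed in the named internal address data group."""
    block = re.search(r"ltm data-group internal %s \{(.*?)^\}" % re.escape(name),
                      conf_text, re.S | re.M)
    if not block:
        raise KeyError(name)
    # A record without a mask is a single host (/32 or /128).
    return [ipaddress.ip_network(r, strict=False)
            for r in RECORD_RE.findall(block.group(1))]

def select_profile(client_ip, whitelist):
    """Mirror the iRule's branch: whitelisted clients get the no-auth profile."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr.version == net.version and addr in net for net in whitelist):
        return "noauth_clientssl"
    return "auth_clientssl"

def broad_entries(whitelist, min_v4=24, min_v6=48):
    """Entries wider than the thresholds; every address inside skips client auth."""
    return [net for net in whitelist
            if net.prefixlen < (min_v4 if net.version == 4 else min_v6)]

if __name__ == "__main__":
    wl = parse_address_dg(SAMPLE_CONF, "my_ip_dg")
    for ip in ("192.0.2.77", "198.51.100.11", "2001:db8:10:5::1"):
        print(ip, "->", select_profile(ip, wl))
    print("entries to review:", [str(n) for n in broad_entries(wl, min_v4=25)])
```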