On-Demand Cert Auth Fallback

Hi All!

I have an APM policy with smartcard authentication. If no smartcard/certificate is detected, I want to configure a fallback action that redirects to an explanation URL on some web site.

I have tried to create a redirect iRule and set it as an iRule event after the On-Demand Cert Auth object (and of course linked it as a resource on the virtual server), but it did not work (no redirect when no smartcard is inserted). I have also tried to create a webtop link and set it as a resource after On-Demand Cert Auth, but that did not work either.

What is the right way to do it?

Thanks,

Aviv Hassidim


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

To force an actual HTTP redirect to another URL, the easiest option might be to create a redirect ending in the visual policy:

  1. In the visual policy, click the Edit Endings button.

  2. Click the Add Ending button.

  3. In the new ending properties, select Redirect and specify a URL. Save.

  4. After the fallback branch of your on-demand cert auth agent, select the Redirect ending.

Comments on this Answer
Comment made 26-Oct-2015 by Aviv 429
Hi Kevin! Thanks for your answer. I tried the redirect ending as you wrote and it did not work for me. Just to clarify, I want that if someone forgot to insert their smartcard, APM will redirect their browser to some web page. What am I doing wrong? How can I debug it? Thanks, Aviv Hassidim

In your On-Demand Cert Auth agent, do you have it set to Request or Require? Fallback will only work if you have it set to Request.


Thanks again Kevin!

Is it secure to change the On-Demand Cert Auth to Request? What is the difference between Request and Require?


It's the difference between a fail open connection and fail closed connection. The Require option provides a fail closed connection. If for any reason the client cannot satisfy the certificate request, or the client's certificate cannot be validated or trusted, the connection is closed. The Request option, however, allows the connection to proceed. This option also allows you to apply additional logic after the SSL handshake, as in to perform an HTTP redirect on validation/trust failure.

The "is it secure" question is relative to what you're doing in the fallback branch. The SSL handshake will complete regardless, so you must do something in that fallback branch that prohibits further access.

Comments on this Answer
Comment made 26-Oct-2015 by Aviv 429
OK, thanks. I have changed it to Request and in the fallback ending I have changed it to Redirect. I'm trying to get into the web site without a smartcard and I get a blank page ("Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to ..." etc.). The LTM logs are:

    ssl_shim_vfycerterr:4401: application verification failure (46)
    warning tmm2[11602]: 01260009:4: Connection error: ssl_select_suite:6571: TLS_FALLBACK_SCSV with a lower protocol (86)
    warning tmm2[11602]: 01260009:4: Connection error: ssl_select_suite:6571: TLS_FALLBACK_SCSV with a lower protocol (86)
    warning tmm2[11602]: 01260009:4: Connection error: ssl_hs_rxhello:7103: unsupported version (40)

What is wrong? Aviv

The error implies an issue with the SSL handshake, and not specifically the client cert.

Do you also have the client SSL profile configured to request or require the client certificate?

What does your client SSL profile's Cipher option look like?

What type of client are you using?

Do you see a prompt for client certificate?

Comments on this Answer
Comment made 27-Oct-2015 by Aviv 429
Hi Kevin! I have changed the SSL profile to Request as you said and it is working. You are an angel. Thanks for all, Aviv Hassidim
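The log lines in Aviv's comment above are the kind of thing you want to triage before touching either certificate setting. The following is an added example written for this rewrite, not code from the thread or from F5: it parses BIG-IP /var/log/ltm "Connection error" lines and separates client-certificate verification failures from TLS version/cipher negotiation failures, which is the distinction Kevin's reply draws. Two things in it are assumptions of mine rather than F5 documentation: the category table keyed on the emitting tmm function name, and reading the trailing "(NN)" as a TLS AlertDescription code (RFC 5246 / RFC 7507).

```python
"""
Added triage helper for BIG-IP tmm SSL "Connection error" log lines.
Not from the DevCentral thread or from F5; the category table and the
alert-code reading are assumptions (see the lead-in).
"""
import re
from collections import Counter
from dataclasses import dataclass

# TLS AlertDescription values; assumed to be what the trailing "(NN)" carries.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    86: "inappropriate_fallback",  # client sent TLS_FALLBACK_SCSV while retrying at a lower version
}

# Heuristic of mine: emitting tmm function -> (category, what to inspect first)
CATEGORY = {
    "ssl_shim_vfycerterr": ("client-cert verification",
                            "trusted CA bundle and the On-Demand Cert Auth agent settings"),
    "ssl_hs_rxhello":      ("tls negotiation",
                            "TLS versions allowed by the client SSL profile vs. the browser"),
    "ssl_select_suite":    ("tls negotiation",
                            "client SSL profile Ciphers string and version downgrade retries"),
}

# Matches the tail of a tmm line: "<function>:<source line>: <message> (<code>)"
LINE_RE = re.compile(r"(?P<func>ssl_\w+):(?P<src>\d+): (?P<msg>.+?) \((?P<code>\d+)\)\s*$")


@dataclass
class SslError:
    func: str
    message: str
    code: int
    alert: str
    category: str
    look_at: str


def parse_ltm_ssl_error(line):
    """Return an SslError for a tmm SSL 'Connection error' line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m["code"])
    category, look_at = CATEGORY.get(m["func"], ("unclassified", "tmm function not in the table"))
    return SslError(m["func"], m["msg"], code, TLS_ALERTS.get(code, "unknown"), category, look_at)


def triage(lines):
    """Parse every line; return (errors, count per category, number of downgrade retries)."""
    errors = [e for e in map(parse_ltm_ssl_error, lines) if e is not None]
    counts = Counter(e.category for e in errors)
    retries = sum(1 for e in errors if e.alert == "inappropriate_fallback")
    return errors, counts, retries


# Constructed from the four lines in Aviv's comment (the log prefix on the first
# line is restored to match the other three).
SAMPLE_LTM_LINES = [
    "warning tmm2[11602]: 01260009:4: Connection error: ssl_shim_vfycerterr:4401: application verification failure (46)",
    "warning tmm2[11602]: 01260009:4: Connection error: ssl_select_suite:6571: TLS_FALLBACK_SCSV with a lower protocol (86)",
    "warning tmm2[11602]: 01260009:4: Connection error: ssl_select_suite:6571: TLS_FALLBACK_SCSV with a lower protocol (86)",
    "warning tmm2[11602]: 01260009:4: Connection error: ssl_hs_rxhello:7103: unsupported version (40)",
]

if __name__ == "__main__":
    errs, counts, retries = triage(SAMPLE_LTM_LINES)
    for e in errs:
        print(f"{e.func:<22} alert={e.alert:<22} [{e.category}] look at: {e.look_at}")
    print(dict(counts), f"downgrade retries (TLS_FALLBACK_SCSV): {retries}")
```

Run against the pasted lines, only one of the four errors is certificate-related (certificate_unknown); the other three are the browser and the BIG-IP failing to agree on a TLS version, and the two inappropriate_fallback lines are the browser's downgrade retries (TLS_FALLBACK_SCSV, RFC 7507) after its first attempt failed. That is why the questions in Kevin's reply are about the client SSL profile's cipher settings and the client type rather than about the certificate.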

No problem. So technically speaking, you don't need to set anything in the client SSL profile if you're using an APM On-Demand Cert Auth agent. The client SSL profile Certificate Authentication option should be set to Ignore.

Comments on this Answer
Comment made 28-Oct-2015 by Aviv 429
So just to be clear, the On-Demand Cert Auth should be configured to Request and the client SSL profile Certificate should be set to Ignore? What is the difference between Request and Ignore practically? Thanks, Aviv

So just to be clear, the On-Demand Cert Auth should be configured to Request and the client SSL profile Certificate should be set to Ignore?

Correct.

What is the difference between Request and Ignore practically?

Ignore doesn't ask for a client cert and Request asks for one but fails open if the certificate is missing or invalid.

The point is that you shouldn't have TWO places where you're asking for a client certificate. The Client SSL profile will perform mutual authentication in the initial SSL handshake, while the APM On-Demand Cert Auth agent will perform an SSL renegotiation to "step-up" to mutual authentication. Some browsers can handle both, but it's never advisable to set it in both places.

Comments on this Answer
Comment made 12-Aug-2016 by Joe Lupo 54

Kevin,

You mentioned being able to insert an HTTP request by adjusting both the Client SSL & Access Policy On-Demand Cert Auth to "request". So I am fairly new to F5 (so bear with me), and we are also using smart card login, so when this On-Demand Cert Auth fails, would there be a way to redirect users to a web page of our choosing?


JoeLupo73, first things first, I was saying that you should NOT set Request or Require in both the client SSL profile and the APM On-Demand Cert Auth agent. Only do it in one. If you select Request or Require in the client SSL profile, mutual authentication happens in the first SSL handshake with the client. The certificate data will still be accessible to the access session. If you set the client SSL profile to Ignore, and then set the APM On-Demand Cert Auth agent to Request or Require, mutual authentication will happen in a renegotiated SSL handshake after the initial handshake. This renegotiated handshake also has the benefit of being completely encrypted with the session keys from the first handshake, so an eavesdropper cannot see who is logging into your application.

In both cases though, the Require option is a hard fail. If certificate validation fails, or the user simply doesn't present a certificate, the session is closed. The Request option is a soft fail. If certificate validation fails, or the user simply doesn't present a certificate, the session is maintained and you can then make additional decisions, like passing HTML content to the user.

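Kevin's two points in this thread (ask for the certificate in one place only, and treat Request as fail-open so the fallback branch must itself block access) are both things you can verify from outside the box. The script below is an added example written for this rewrite, not code from the thread or from F5. Check 1 tells you whether the first TLS handshake already carries a CertificateRequest: `openssl s_client` prints "Acceptable client certificate CA names" when the server requests a certificate in the initial handshake (client SSL profile set to Request or Require) and "No client certificate CA names sent" when it does not (profile set to Ignore, so any certificate prompt must come from APM's later renegotiation). Check 2 walks the redirect chain a certificate-less client gets and reports whether it ends at the explanation page, at application content (fail-open), or in a dropped connection (fail-closed). The host and the explanation URL are placeholders passed on the command line; the hop lists used for judging are whatever the target returns.

```python
"""
Added black-box checks for an APM On-Demand Cert Auth fallback.
Not from the DevCentral thread or from F5; host names and URLs are placeholders.
"""
import http.client
import ssl
import subprocess
import sys
import urllib.parse
from http.cookies import CookieError, SimpleCookie

CERT_REQUESTED = "Acceptable client certificate CA names"
CERT_NOT_REQUESTED = "No client certificate CA names sent"


def initial_handshake_requests_cert(s_client_output):
    """True if the initial handshake carried a CertificateRequest, False if not,
    None if neither marker is present (handshake failed or output truncated)."""
    if CERT_REQUESTED in s_client_output:
        return True
    if CERT_NOT_REQUESTED in s_client_output:
        return False
    return None


def probe_initial_handshake(host, port=443):
    """Run openssl s_client with no client certificate and classify its output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20, check=False)
    return initial_handshake_requests_cert(proc.stdout.decode(errors="replace"))


def fallback_verdict(hops, explanation_url):
    """hops: list of (requested_url, status, location) seen by a cert-less client.
    'denied'      some hop redirected to the explanation URL (fallback works)
    'fail-open'   a 200 came back from the application: the fallback branch is
                  not blocking access, which is the risk of Request mode
    'fail-closed' the connection was torn down (status 0) before any page
    """
    for url, status, location in hops:
        if status == 0:
            return "fail-closed"
        if 300 <= status < 400 and location and location.startswith(explanation_url):
            return "denied"
        if status == 200 and not url.startswith(explanation_url):
            return "fail-open"
    return "inconclusive"


def follow_without_cert(start_url, max_hops=10):
    """GET start_url with a context that deliberately loads no client certificate,
    follow same-host redirects carrying cookies, and return the recorded hops."""
    ctx = ssl.create_default_context()  # verifies the server cert, presents none
    start_host = urllib.parse.urlsplit(start_url).hostname
    cookies, hops, url = SimpleCookie(), [], start_url
    for _ in range(max_hops):
        u = urllib.parse.urlsplit(url)
        if u.hostname != start_host:
            break  # off-host redirect (e.g. the explanation site) is recorded, not fetched
        target = (u.path or "/") + (f"?{u.query}" if u.query else "")
        headers = {"Host": u.hostname}
        if cookies:
            headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in cookies.items())
        try:
            conn = http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx, timeout=20)
            conn.request("GET", target, headers=headers)
            resp = conn.getresponse()
            resp.read()
        except (ssl.SSLError, OSError):
            hops.append((url, 0, None))  # BIG-IP closed the connection: hard fail
            break
        for sc in resp.headers.get_all("Set-Cookie") or []:
            try:
                cookies.load(sc)
            except CookieError:
                pass
        location = resp.getheader("Location")
        hops.append((url, resp.status, location))
        conn.close()
        if not (300 <= resp.status < 400 and location):
            break
        url = urllib.parse.urljoin(url, location)
    return hops


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} https://app.example.test/ https://help.example.test/smartcard")
        return 2
    start_url, explanation_url = argv[1], argv[2]
    print("initial handshake requests client cert:",
          probe_initial_handshake(urllib.parse.urlsplit(start_url).hostname))
    hops = follow_without_cert(start_url)
    for url, status, location in hops:
        print(f"  {status:>3}  {url}  ->  {location or ''}")
    verdict = fallback_verdict(hops, explanation_url)
    print("fallback verdict:", verdict)
    return 0 if verdict == "denied" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the configuration Kevin recommends you expect check 1 to report False (the profile is Ignore, so the first handshake asks for nothing) and check 2 to report "denied". A True from check 1 together with a certificate prompt from APM means the certificate is being requested in both places. A "fail-open" verdict is exactly the risk he describes for Request mode: the handshake completed, and nothing in the fallback branch stopped the session. The default SSL context verifies the server certificate, so in a lab with an untrusted server certificate load your CA with `ctx.load_verify_locations` first, or a verification error will be reported as "fail-closed".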