
Smart Card Login to F5 Web Management

Hi,

I have an F5 hooked up to LDAP (Active Directory), authenticating users for various web services behind the F5 and also authenticating users logging into the F5 management GUI. Smart cards are used for accessing all websites and work fine.

My question is: is it possible to log into the F5 management GUI with the smart card instead of having users enter their LDAP username/password combination?

Thanks!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

F5 supports ClientCert - LDAP natively in 12.0; it's available as an option when configuring the system authentication user source.

Also, providing smartcard access for privileged user access to other network devices and systems is possible with APM.

A user's password would never be needed. Any value can be extracted from the X.509 attributes on the smart card certificate and compared in an LDAP query.

0
Comments on this Answer
Comment made 06-Apr-2016 by eric 273
I think you're missing what I'm after: I'm looking to use a smart card to log in to the F5 management console, not any resources behind the F5. I have the F5 hooked up to LDAP for user authentication, but the user still has to provide a username/password to manage the F5 itself.
0
Comment made 06-Apr-2016 by Michael J
Yes, you can use "ClientCert - LDAP" for Management Access, which also means SmartCards. No username or password required. It will validate an arbitrary X509 attribute against your AD/LDAP to validate the user. System => Users => Authentication => Change => User Directory => Select "Remote - ClientCert LDAP". Configure as needed. You can also layer the F5 in front of itself for extra validation of privileged user access with full APM. This is a standard configuration for our Federal customers.
0
Comment made 08-Apr-2016 by eric 273
My apologies! This is exactly what I was looking for. A follow-up question. Right now I have an access policy that does the certificate parsing, resource assigning, iRules, etc. for a webtop/VPN tunnel. Is it possible to pass that information I've already validated from that Access Policy and authenticate into the F5 or other F5s behind the tunnel? The "Remote APM Based" mode looks promising, but because I'm using a standard/full APM for the tunnel, the APM does not get re-evaluated if I hit the resource across the tunnel. Is it possible to maybe use an iRule or some other mechanism to pass the client certificate information along for System Authentication from a standard Access Policy? Hopefully this question makes sense.
0
Comment made 09-Apr-2016 by Michael J
The short answer is no, with a side answer of sort-of. There are ways, but I would recommend working with your account team on that.
0
Comment made 11-Apr-2016 by eric 273
Ha, ok. Thanks for the help.
0
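The check that Michael J's "ClientCert - LDAP" mode performs, validating the card's certificate and then mapping one of its X.509 fields to a directory entry, as an added Go example that is not F5's code and was not posted in this thread. It mints a constructed issuing CA and a client-auth leaf, verifies the chain and the client-auth EKU before reading anything from the certificate, then builds the RFC 4515-escaped LDAP filter the lookup would run. The CA name, subject CN, e-mail address, directory contents and the attribute names `mail` and `cn` are all assumptions, and the in-memory map stands in for the real LDAP search.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// EscapeLDAPFilter escapes per RFC 4515 so a certificate value cannot rewrite the filter.
func EscapeLDAPFilter(s string) string {
	var b strings.Builder
	for _, c := range []byte(s) {
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// CertField picks the certificate value used for the lookup ("cn" or "email"); "" if absent.
func CertField(cert *x509.Certificate, field string) string {
	switch field {
	case "cn":
		return cert.Subject.CommonName
	case "email":
		if len(cert.EmailAddresses) > 0 {
			return cert.EmailAddresses[0]
		}
	}
	return ""
}

// UserFilter is the LDAP search that maps the certificate value to an account object.
func UserFilter(attr, value string) string {
	return fmt.Sprintf("(&(objectClass=user)(%s=%s))", attr, EscapeLDAPFilter(value))
}

// AuthenticateSmartCard keeps the order that matters: verify the chain and client-auth EKU
// first, then read a field and look it up. directory is a constructed stand-in for the LDAP
// search. x509 Verify does no revocation checking; a real deployment also needs CRL/OCSP.
func AuthenticateSmartCard(leaf *x509.Certificate, roots *x509.CertPool, field, attr string, directory map[string]string) (filter, account string, err error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, verr := leaf.Verify(opts); verr != nil {
		return "", "", fmt.Errorf("certificate rejected: %w", verr)
	}
	value := CertField(leaf, field)
	if value == "" {
		return "", "", fmt.Errorf("certificate carries no %q value", field)
	}
	filter = UserFilter(attr, value)
	account, ok := directory[value]
	if !ok {
		return filter, "", fmt.Errorf("no directory entry matches %q", value)
	}
	return filter, account, nil
}

// sign issues tmpl under parent (self-signed when tmpl == parent) and returns it parsed.
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// IssueSmartCardCert mints a constructed issuing CA and a client-auth leaf (CN plus e-mail SAN).
func IssueSmartCardCert(cn, email string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = sign(caTmpl, caTmpl, caKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: cn}, EmailAddresses: []string{email},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leaf = sign(leafTmpl, ca, leafKey, caKey)
	return ca, leaf
}

func main() {
	ca, leaf := IssueSmartCardCert("DOE.JANE.1234567890", "jane.doe@example.mil")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	directory := map[string]string{"jane.doe@example.mil": "jdoe"} // constructed AD stand-in
	fmt.Println(AuthenticateSmartCard(leaf, roots, "email", "mail", directory))
	// Same CN and e-mail, but minted by a CA the device does not trust: rejected before any field is read.
	_, forged := IssueSmartCardCert("DOE.JANE.1234567890", "jane.doe@example.mil")
	_, _, err := AuthenticateSmartCard(forged, roots, "email", "mail", directory)
	fmt.Println("untrusted issuer:", err)
}
```

Two points the example is built around: the CA bundle loaded on the device decides who can log in at all, because the second certificate carries the same CN and e-mail and is still refused, and the field chosen for the LDAP comparison should be one the directory will not hand to a different person later, which is why the escaping and the exact-match filter matter even when the value comes from a trusted certificate.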

Not yet. Got sidetracked on other security stuff. Funny that PKI just came up in a Govt meeting and they said we had until 30NOV to implement it...lol. They have no clue the amount of work that entails. We use WebLogic for some of our web apps and they use BIG-IP and direct server access. So we are updating all of our DOD certs and then we will focus on PKI. Doing the portal access for apps will be a piece of cake; it is the management console that is causing issues. We have procured all new BIG-IP virtual devices and once they get in place we will get back to PKI. We cannot upgrade to version 13.x because our old devices cannot support it. F5 was supposed to be working on CAC and PKI stuff last time I talked to them.

0

Yes, it is possible, but not natively on the F5. We do something similar in our organization using a RADIUS back end that uses the combined password and token as the password.

-1
Comments on this Answer
Comment made 05-Apr-2016 by eric 273
Thanks for the info. If you are using smart cards, at what point does the password get provided/come into play? I've seen things where you can do form submissions to the F5, but obviously don't want to have to provide a password, as it defeats the purpose.
0
Comment made 05-Apr-2016 by Greg Labelle 242
Hmm, thinking a bit more, smart cards would be difficult. Token-based mechanisms are easily supported through RADIUS; there's no mechanism to integrate the smart card that way. The only way I can think to make this work is not a good or recommended method, but you could potentially use an iRule data group to store usernames/passwords and associate them to a smart card identifier. You could then likely use the form method in APM to SSO into the management GUI. Again, NOT a really good option.
-1
Comment made 05-Apr-2016 by eric 273
I assume you would have to have reversible encryption on in the Active Directory environment for this to work. Not an option for us, but it probably COULD work like you said, though not a great option. I'll bug some of the F5 guys and see what's possible and post back if I find anything else. Appreciate it!
0
Comment made 28-Jun-2016 by hejman@uscg 2
I was told by F5 that this is not a supported option (smart card / PKI authentication to the management console). I had been working on this and was able to get the PKI cert to be read from the smart card, but getting 'stuck' back at the local login screen. Not sure if this is even possible without a full APM running (we only have a 'limited mode' license). Let me know if anyone else has heard anything regarding this initiative. We have a DOD task order for PKI looming..... Thanks in advance
0
Comment made 11-Jul-2016 by hejman@uscg 2

OK, I retract the above, as F5 support finally confirmed they do support smart card authentication in 11.6 for the management console. In the 12.0.x release, it will allow the ability to pull data out of users' certs from arbitrary certificate fields. Once we do the upgrade, I will test our PKI-Cert authentication process and update with results. If anyone else in the DOD realm is doing or planning for PKI, please let me know. Thanks

0
Comment made 29-Aug-2016 by hejman@uscg 2

Finally got one of our BIG-IPs up to 12.1.0. Still having issues with our management console using PKI. I can get it to read the cert on a DOD token and prompt for a PIN, but cannot get it to log in to the console. Any ideas? Any other DOD folks working on this initiative?

thanks

0
Comment made 26-Sep-2017 by LoyalSoldier 106

Hi hejman,

Did you ever get the PKI/Smart Card login working both with other devices and also to the management console? If so, can you provide guidance? Looking to test it in our environment.

Thanks

0