I have an F5 hooked up to LDAP (Active Directory), authenticating users for various web services behind the F5 and also authenticating users logging into the F5 management GUI. Smart cards are used for accessing all websites and work fine.
My question is: is it possible to log into the F5 Management GUI with the smart card instead of having users enter their LDAP username/password combination?
F5 supports ClientCert-LDAP natively in 12.0; it's available as an option when configuring the system authentication user source.
Also, providing smartcard access for privileged user access to other network devices and systems is possible with APM.
A user's password would never be needed. Any value can be extracted from the X509 attributes on the smart card certificate and compared in an LDAP query.
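To illustrate the "extract a certificate attribute, compare it in an LDAP query" step described above, here is an added example (not F5 code and not from this thread): it pulls one attribute out of a certificate subject DN and builds the directory lookup filter with RFC 4515 escaping, so characters such as `*` or `(` in a certificate field cannot change the meaning of the query. The subject DNs, the attribute names and the choice of `userPrincipalName` as the matching directory attribute are all constructed assumptions.

```python
# Added example: map an X.509 subject attribute from a smart-card certificate
# to a safely escaped LDAP search filter, the lookup a ClientCert-LDAP user
# source performs instead of asking for a password.
# Assumptions (constructed): the DN strings below and the directory attribute
# name passed as ldap_attr; use whatever attribute your directory populates.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN string into (type, value) pairs, honouring
    backslash escapes so an escaped comma inside a value does not split it."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL taken from a certificate
    field are matched literally instead of being parsed as filter syntax."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(c, c) for c in value)

def cert_attr_to_filter(subject_dn: str, cert_attr: str, ldap_attr: str) -> str:
    """Build the filter that finds the user whose ldap_attr equals the first
    cert_attr value in the certificate subject."""
    values = [v for t, v in parse_dn(subject_dn) if t == cert_attr.upper()]
    if not values:
        raise ValueError(f"certificate subject has no {cert_attr} attribute")
    return f"(&(objectClass=user)({ldap_attr}={ldap_filter_escape(values[0])}))"

# Constructed sample subject in the CN=LAST.FIRST.ID style used on CAC cards.
SAMPLE_SUBJECT = "CN=DOE.JOHN.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US"
# Constructed subject whose CN carries filter metacharacters and whose O
# contains an escaped comma; both must survive the round trip unchanged.
METACHAR_SUBJECT = "CN=O'BRIEN (CONTRACTOR)*,OU=PKI,O=Example\\, Inc,C=US"

if __name__ == "__main__":
    print(cert_attr_to_filter(SAMPLE_SUBJECT, "CN", "userPrincipalName"))
    print(cert_attr_to_filter(METACHAR_SUBJECT, "CN", "userPrincipalName"))
```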
Not yet. Got sidetracked on other security stuff. Funny that PKI just came up in a Govt meeting and they said we had until 30NOV to implement it...lol. They have no clue the amount of work that entails.
We use Weblogic for some of our Web apps and they use bigip and direct server access. So we are updating all of our DOD certs and then we will focus on PKI. Doing the portal access for apps will be a piece of cake, it is the management console that is causing issues.
We have procured all new bigip virtual devices and once they get in place we will get back to PKI.
We cannot upgrade to version 13.x because our old devices cannot support it. F5 was supposed to be working on CAC and PKI stuff last time I talked to them.
Yes, it is possible, but not natively on the F5. We do something similar in our organization using a RADIUS back end that uses the combined password and token as the password.
OK, I retract the above, as F5 support finally confirmed they do support smart card authentication in 11.6 for the management console. In the 12.0.x release, it will allow the ability to pull data out of users' certs from arbitrary certificate fields. Once we do the upgrade, I will test our PKI-Cert authentication process and update with results. If anyone else in the DOD realm is doing or planning for PKI, please let me know.
Finally got one of our BigIPs up to 12.1.0. Still having issues with our management console using PKI. I can get it to read the cert on a DOD token and prompt for the PIN, but cannot get it to log in to the console. Any ideas? Any other DOD folks working on this initiative?
Did you ever get the PKI/Smart Card login working both with other devices and also to the management console? If so, can you provide guidance? Looking to test it in our environment.