APM Certificate authentication - DENY for users who's cert subject does notmatch the regexp grab

Question

Trying to restrict certificate authentication for specific users - &nbsp;
Certificate Subject CN=lab.username - the 'lab.' is the unique piece.&nbsp;
I'm using this to grab the username in a variable assign:
regexp {(?x)(CN)=lab.([^,]+)} [mcget {session.ssl.cert.subject}] match CN USER; return $USER&nbsp;
IF a certificate not from lab comes across (CN=Username) I want to deny.&nbsp;
The sessions are coming in using clientless mode.  &nbsp;
I've tried a branch rule on the variable assign using the regexp as it appears above but it doesn't deny the CN=Username certificates.&nbsp;
Can I do a match on the certificate authentication for the "CN=lab." only and fail the rest?&nbsp;
thanks!&nbsp;

ruggerfly1 · Answer

Update - any feedback on this approach:&nbsp;
After the certificate Inspection I added an Empty box, it is using this expression:
expr { [mcget {session.ssl.cert.subject}] contains "lab" }, which catches the lower case "lab" in the full username, seems to be working.&nbsp;
Has anyone used this approach?&nbsp;

Forum Discussion

APM Certificate authentication - DENY for users who's cert subject does notmatch the regexp grab

1 Reply

Recent Discussions

Failed to convert character dclid=%EDclid!

ASM - Parent policy vs OWASPcompliance

Rewrite uri translation not working

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

APM OCSP Responder Issues

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

APM Clientless certificate authentication

BIG-IQ Client Certificate (PKI) Authentication

Doing mTLS Authentication per URL

Re: Management Certificate