Forum Discussion

Aviv
Jan 13, 2016

On-Demand certificate authentication

I have an APM policy that uses On-Demand certificate authentication (smartcard).

Win8 and Win10 always authenticate without problem with IE11 or Chrome. Some Windows 7 SP1 clients can authenticate, and some do not even get a certificate prompt. The same Win7 computers with the same smartcard can authenticate to other sites that request a smartcard.

this is the log from the apm event log: Access_Profile=/Access/Com_Auth_Apps_Portal;Partition=Access;Session_ID=b64a0179;Client_IP=100.219.226.2;State=Tel Aviv;Country=IL;Continent=AS;Virtual_IP=172.126.50.12;Listener=/Access/Portal_Com_VS;Reputation=Unknown;" Access_Profile=/Access/Com_Auth_Apps_Portal;Partition=Access;Session_Id=b64a0179;Policy_Rule_Caption=fallback;Current_Node=On-Demand Cert Auth;Next_Node=Deny;" Access/Com_Auth_Apps_Portal;Partition=Access;Session_Id=b64a0179;Access_Policy_Result=Logon_Deny;" Client_Hostname=;Client_Type=IE;Client_Version=11;Client_Platform=Win7;Client_CPU=WOW64;Client_UI_Mode=Full;Client_JS_Support=1;Client_Activex_Support=1;Client_Plugin_Support=0;"

I thought of Windows updates and tried to compare updates from a computer that works vs. one that does not; there were a lot of updates that do not exist on the working Win7 computer. I tried to remove some without luck. Maybe someone knows if there is a known issue about this problem? Maybe it is a cipher issue in the SSL client profile?

Any help will be appreciated.

Thanks,

Aviv Hassidim

3 Replies

  • Hi

    I think the only way to troubleshoot this is a tcpdump. Look if the SSL handshake gets to the point where the BIG-IP asks for client cert auth. If it does and you do not see the client presenting a certificate, verify whether there is any issue with the certificate propagation to the user cert store.

    Alex

  • The problem was that my cert had a different Advertised Certificate Authority than the other user cert, and when I changed the Advertised Certificate Authorities certificate in the SSL client profile to match the other user cert, it worked. Now I want coexistence of Advertised Certificate Authorities, I mean to have 2 Advertised Certificate Authorities for the same SSL client profile to support both smartcards. How can I do it?

    Thanks, Aviv Hassidim

  • You can bundle them (append/paste the 2 certificates) when creating a certificate in the SSL certificate GUI menu.
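The thread's resolution is that a client only offers a smartcard certificate whose issuer is in the CA list the SSL client profile advertises, so a profile that advertises one CA silently loses the users issued by the other until both CAs are bundled. As an added example, not code from the thread or from F5, this Go program builds two constructed test CAs, issues a client certificate from the second, and shows the chain check failing against a bundle that advertises only the first CA and passing once both are bundled; the CA names and helper functions are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert returns a certificate for cn signed by parent, or a self-signed CA when parent is nil (constructed test data, not real PKI).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // leaf: a smartcard-style client-authentication certificate
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil { // no issuer given: make this a self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return cert, key
}

// chainsToAdvertisedCA reports whether client chains to a CA in the advertised bundle (what the client-side filter and the server check both require).
func chainsToAdvertisedCA(client *x509.Certificate, bundle ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range bundle {
		pool.AddCert(ca)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	caA, _ := makeCert("Smartcard CA A", true, nil, nil)
	caB, keyB := makeCert("Smartcard CA B", true, nil, nil)
	userB, _ := makeCert("user-b", false, caB, keyB)
	fmt.Println(chainsToAdvertisedCA(userB, caA), chainsToAdvertisedCA(userB, caA, caB)) // false true
}
```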