Ashar_174098
Oct 29, 2014

How to configure smart card authentication on F5 IDP?

Could anyone please let me know how to configure smart card authentication on F5 IDP? I have a CallManager with SSO enabled with F5. When I log in to a Windows machine using a smart card, I need my CUCM to redirect to the F5 IDP and ask for the smart card PIN. What configuration is required on the F5 IDP for this, so that when I use a smart card my CUCM redirects to the IDP and asks for the smart card PIN? Please help.

Regards, Asha


6 Replies

  • R_Eastman_13667
    Historic F5 Account

    Configure an SSL client profile for the IDP virtual server. Under client authentication, select request or require for Client Certificate. You also need an SSL server certificate for the URL of your IDP. You specify this under the SSL client profile under Certificate Key Chain. Apply the SSL client profile to the virtual server. You might also need to configure an OCSP profile and apply it to the virtual server, and create a certificate bundle for the trusted certificate authorities. You should also have a decision box in your APM access policy that checks the cert status and grants/denies access based on this.

  • Hi Eastman,

    Thanks for your reply. I have created an OCSP profile. But while creating this profile I have to select some certificate for the following fields: Trusted Certificate Authorities and Advertised Certificate Authorities. I am really not sure what certificates I should select here. So I have selected the CA root certificate, which I have uploaded to the certificate list, for Advertised Certificate Authorities, and the default certificate for Trusted Certificate Authorities. Could you please confirm if I am doing something wrong? If you can explain what exactly these fields need, it will be very helpful.

    Thank you so much for your help.

    Regards, Asma


  • R_Eastman_13667
    Historic F5 Account

    Trusted Certificate Authorities is a certificate or a bundle of certificates that denotes only the CAs that you will accept client certificates from. Any other certificates that are presented to the F5 are rejected, like self-signed certs. Advertised certificate authorities are a list of CAs that are sent to the client so the client can respond with a certificate issued by one of the advertised CAs.

    • Ashar_174098
      Hi Eastman, thanks a lot for helping me with this issue. I understood what these fields are referring to. But I would just need to find out how I can get the certs you mentioned. I can see a CA-BUNDLE in the certificate list. This I can select for trusted certificate authority, and the CA Root certificate I can select for the advertised certificate authorities. Please correct me if I am wrong. Regards, Asma
    • Ashar_174098
      With your inputs I understood what exactly those fields are about. Could you please shed some light on the above?
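
An added example, not part of the thread and not F5 configuration: an offline check, using the openssl command line, of whether a CA bundle accepts a client certificate issued by one of its CAs and rejects a self-signed one, plus a listing of the CA subjects the bundle contains. The throwaway CA, the certificates, the subject names and the file names are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: every subject name and file name here is made up.

# Build a throwaway root CA, a client cert it issues, and a self-signed cert.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Smartcard Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.user" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/user.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=self.signed" \
        -keyout "$dir/self.key" -out "$dir/self.pem" 2>/dev/null
}

# Succeeds only if the certificate ($2) chains to a CA in the bundle ($1).
chains_to_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject of every CA certificate in a PEM bundle.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep '^subject'
}

demo() {
    tmp=$(mktemp -d)
    make_demo_pki "$tmp"
    echo "CAs in bundle:"
    bundle_subjects "$tmp/ca.pem"
    for c in user self; do
        if chains_to_bundle "$tmp/ca.pem" "$tmp/$c.pem"; then
            echo "$c.pem: accepted by bundle"
        else
            echo "$c.pem: rejected by bundle"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Run against real files, `chains_to_bundle` takes the exported bundle as its first argument and a smart card certificate as its second.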