Forum Discussion

Rosieodonell_16
Mar 25, 2015

iRule needed for setting variables using/checking client certificates

I have users that connect to an appliance and use two-factor to authenticate. Here is a breakdown:

SSL connection to login page -> User is prompted for AD credentials and the AD credentials are verified -> Users are then prompted for OTP verification, it passes -> access to webtop

I would want to implement client certificates where users that don't present/give a client cert sign in like normal with OTP. If you have a cert I would like to have a variable set that I can filter on in the access policy to prevent users being prompted for OTP.

I found a page below but it's not exactly what I need. I need to check the CA and then set a variable that I can call/lookup later in the access policy.

https://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx

Basically I am trying to add an iRule that checks for a client cert (one form of two-factor) or the users have to use OTP/authenticator etc...
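An added example of the iRule the question asks for (it is not from the original post, the replies, or F5's own documentation): the certificate is checked during the TLS handshake, the result is carried in per-connection Tcl variables, and once the APM session exists it is published as session variables that the access policy can branch on. Everything named here is an assumption of the example: the client SSL profile on the virtual server is set to "request" a client certificate with the corporate CA bundle as its trusted CAs, the issuing CA's DN contains "Corp Issuing CA" (a placeholder), and the variables `session.custom.cert_ok` and `session.custom.cert_cn` were chosen for this example.

```tcl
# Added example (not from the original post or from F5): set APM session
# variables from the client certificate presented during the TLS handshake.
# Assumptions (not in the original thread): the client SSL profile is set to
# "request" a client certificate with the corporate CA bundle as trusted CAs,
# the issuing CA's subject contains "Corp Issuing CA" (placeholder), and the
# access policy branches on session.custom.cert_ok / session.custom.cert_cn
# (names chosen for this example).

when CLIENT_ACCEPTED {
    # Initialise per-connection state so ACCESS_SESSION_STARTED can always
    # read it, even when the client never sends a certificate.
    set cert_ok 0
    set cert_cn ""
}

when CLIENTSSL_CLIENTCERT {
    # Fires during the handshake. SSL::cert count is 0 when the browser
    # declined the request, so guard before touching SSL::cert 0.
    if { [SSL::cert count] > 0 } {
        # SSL::verify_result is the OpenSSL verify code: 0 means the chain
        # validated against the profile's trusted CA bundle.
        if { [SSL::verify_result] == 0 } {
            set issuer [X509::issuer [SSL::cert 0]]
            # Pin the issuing CA instead of accepting anything in the bundle;
            # the DN pattern is a placeholder for this example.
            if { [string match "*Corp Issuing CA*" $issuer] } {
                set cert_ok 1
                # Subject CN, so the policy can compare it with the AD logon
                # name: one valid cert must not skip OTP for any account.
                set cert_cn [findstr [X509::subject [SSL::cert 0]] "CN=" 3 ","]
            } else {
                log local0. "Client cert from unexpected issuer: $issuer"
            }
        } else {
            log local0. "Client cert failed verification: [SSL::verify_result]"
        }
    }
}

when ACCESS_SESSION_STARTED {
    # The APM session exists now; publish the handshake result as session
    # variables that a branch rule in the policy can read with mcget.
    ACCESS::session data set session.custom.cert_ok $cert_ok
    ACCESS::session data set session.custom.cert_cn $cert_cn
}
```

In the visual policy editor, the branch after the AD auth step can then use an expression such as `expr { [mcget {session.custom.cert_ok}] == 1 && [string equal -nocase [mcget {session.custom.cert_cn}] [mcget {session.logon.last.username}]] }` to skip the OTP step; comparing the CN with the logon name is the part that keeps a stolen or mis-issued certificate from bypassing OTP for a different user. Two things to check in a lab before relying on this: `cert_ok` lives on the TCP connection, so `ACCESS_SESSION_STARTED` only sees it when the session is created on the same connection as the handshake (the normal keep-alive case), and with TLS session resumption `CLIENTSSL_CLIENTCERT` may not fire again, so confirm what `ACCESS::session data get session.custom.cert_ok` holds on a resumed connection. Note that the browser prompt itself is not something the iRule controls; a client that has a certificate matching the requested CAs will be prompted whenever the profile is set to request one.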

 

2 Replies

  • Update: I went into the access policy and added a client cert check and set the virtual server to request a client cert and check for a trusted CA. So when it passes it goes to just an Active Directory login and when it fails it does the whole two-factor mechanism. But the feedback I got was that the client cert pop-up may confuse the users. Is there a way to have another webpage that they can go to to get the client cert checked first? For example: user goes to www.page.company.com -> gets client cert prompt -> if it passes, gets redirected to the normal page with a variable set, or it fails and gets passed with no variable set. The second page would be SSL as well and would be able to sort the access policy based on that variable?
  • So I went with the machine cert checking that is built into the policy. So I have the users log in to the logon page and have them check off that they want a cert check. If they don't check it off, they log in normally. This worked and met my needs.