Forum Discussion

eric_156978
Mar 30, 2015

On-Demand Cert Auth Error Capturing

Hi,

 

I have an F5 terminating SSL and an access policy that uses "On-Demand Cert Auth" to get a client certificate, validate it, and authenticate it against an Active Directory server.

 

This works great, however, I'd like to be able to capture any errors that may be occurring, such as the client didn't select a cert, the client doesn't have any certs, the client sent a bad cert, etc.

 

Coming from an IIS world, these would normally be handled by presenting the user with an error page and error number such as 403.7. Is this possible with an access policy? Ideally I'd like to use an iRule and ship the errors out to my high speed logging pool.

 

Thanks!

 

5 Replies

  • kunjan

    You can have a 'logging' agent in the fallback path to log session.ssl.cert.valid and modify the 'Edit Endings' in the VPE to present a customized error page.

    Or you can use an iRule for a more custom response using ACCESS::respond:

    when ACCESS_POLICY_COMPLETED {
        # Runs once the access policy has reached an ending (allow or deny).
        set policy_result [ACCESS::policy result]
        switch $policy_result {
            "allow" {
                # Do nothing: let the request through.
            }
            "deny" {
                # Send our own response instead of the default deny page;
                # the trailing name/value pair adds a "Connection: Close" header.
                ACCESS::respond 401 content "Error: Failure in Authentication" Connection Close
            }
        }
    }
    

    https://devcentral.f5.com/wiki/iRules.ACCESS__respond.ashx

    • eric_156978

      Hi kunjan, thanks for the info. I didn't realize "ACCESS::respond" existed; I think that's what I'll end up using. I tried putting your iRule in place, but I can't seem to get it to respond properly or confirm that it is being processed.

      Steps:
      1. Open a new browser session incognito so no cookies/SSL persistence exists.
      2. Get prompted for a certificate; purposefully hit cancel to not select a client certificate.
      3. IE: Page cannot be displayed. Chrome: ERR_CONNECTION_RESET

      I've tried a few different methods to capture the failure, but every time I try a respond iRule, it seems like the SSL connection bombs out and the page won't present content. The first step in my access policy is an "on demand cert auth" and if it fails, it goes to "deny". Would there be something that needs to be adjusted with the access policy to allow those errors to be captured/handled?
  • Hi Eric,

     

    Do you by chance have your On-Demand Auth agent set to "require" instead of "request"? If set to "require" you will get a reset and the SSL handshake will not complete. If set to "request" then if a valid certificate is not present (either no certificate or a wrong certificate) then you will follow the fallback branch and continue with the VPE.

     

    Seth
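
An added example, not posted by anyone in this thread, that ties kunjan's ACCESS_POLICY_COMPLETED approach to the original question (ship the failure to a high speed logging pool and show an IIS-style error page) under Seth's caveat that the On-Demand Cert Auth agent must be in "request" mode, so that a missing or rejected certificate takes the fallback branch to a Deny ending instead of resetting the TLS handshake. The pool name /Common/hsl_pool is hypothetical; session.ssl.cert.valid is the variable kunjan mentions, and session.ssl.cert.errstring is assumed to carry the verification error text set by the agent.

```tcl
# Added example (not from the original thread). Assumes:
#   - On-Demand Cert Auth is set to "request", not "require", so a missing
#     or bad client certificate reaches a Deny ending instead of a TLS reset;
#   - a high speed logging pool named /Common/hsl_pool exists (hypothetical);
#   - session.ssl.cert.valid is "1" for a verified certificate (variable named
#     in the thread) and session.ssl.cert.errstring holds the verify error
#     text when it is not (assumed variable name).

when CLIENT_ACCEPTED {
    # One HSL handle per TCP connection; reused in later events.
    set hsl [HSL::open -proto UDP -pool /Common/hsl_pool]
}

when ACCESS_POLICY_COMPLETED {
    switch [ACCESS::policy result] {
        "allow" {
            # Certificate accepted and AD lookup succeeded; pass the request through.
        }
        "deny" {
            set sid    [ACCESS::session sid]
            set valid  [ACCESS::session data get "session.ssl.cert.valid"]
            set errstr [ACCESS::session data get "session.ssl.cert.errstring"]

            # Map the agent's outcome to an IIS-style substatus the help desk
            # already recognises: 403.7 = client certificate required,
            # 403.16 = client certificate untrusted or invalid.
            if { $valid eq "1" } {
                set reason "403 certificate verified but a later policy step denied access"
            } elseif { $errstr eq "" } {
                set reason "403.7 no client certificate presented"
            } else {
                set reason "403.16 client certificate rejected: $errstr"
            }

            # Ship a syslog-style line to the HSL pool (facility local0, info).
            # Only the reason is logged, never the certificate itself.
            HSL::send $hsl "<134>apm-cert-auth sid=$sid client=[IP::client_addr] result=deny reason=\"$reason\""

            # Return a real error page instead of the browser's connection-reset message.
            ACCESS::respond 403 content "<html><body><h1>Access denied</h1><p>$reason</p></body></html>" "Content-Type" "text/html" Connection Close
        }
    }
}
```

If the agent is left in "require" mode this iRule never runs for the "client hit cancel" case, because the handshake is torn down before any access policy ending is reached; the only record of that failure is then the SSL handshake error in the LTM logs, which is why the mode change is the first thing to check.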