Forum Discussion

Nuruddin_Ahmed_
Apr 20, 2016

Certificate based authentication based on Client Certificates

Hi,

We have a requirement wherein client laptops would be having a certificate (client authentication certificate) which should be checked when clients try to communicate with the server, and this is working. Now we are going to publish this URL over the internet, and we want the same clients to be authenticated on F5 (we have an APM license as well). Just wanted to know how to proceed and what would be required to get it done on F5. This would be the first time we would be doing this type of configuration.

Thanks in advance

 

5 Replies

  • With APM, you can:

    • define an SSL client profile with the setting Client Authentication / Client Certificate = Ignore, but configure the rest (Trusted/Advertised Certificate Authorities...)

    • in the Access Policy VPE, add an "On-Demand Cert Auth" authentication action

    Alex

     

  • The certificate must be of usage "Client Authentication", such as standard user certificates. If you have such a certificate from Symantec, it's fine. User certificates from your internal PKI -> OK.

    Client Authentication / Client Certificate = Ignore is configured if you want the client auth to be performed at the APM level (with "On-demand certificate check"). That has the advantage of:
    - being able to configure a fallback (another authentication method, for example)
    - displaying the logon_deny page if the user doesn't have the certificate

    Basically, if you check the certificate at the LTM level (Client Authentication / Client Certificate = Require, for example), the user without a certificate will get a TCP reset.

    Alex
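As an added illustration of the two replies above (not configuration from this thread or from F5's documentation), here are the tmsh equivalents of the two profile choices Alex contrasts: peer-cert-mode require, which enforces the certificate inside the TLS handshake, and peer-cert-mode ignore, which leaves verification to the On-Demand Cert Auth action in the access policy. The profile names, the virtual server name and the CA file name are assumptions.

```tmsh
# Assumed names: clientssl_ltm_require, clientssl_apm_ondemand, vs_app_external,
# internal-pki-root.crt (the issuing CA chain, already imported as an LTM certificate object).
# The server certificate/key is inherited from the parent "clientssl" profile here;
# attach the real one to the profile as you normally would.

# Option A: enforce at the LTM level (GUI: Client Certificate = Require).
# A client that presents no certificate fails the TLS handshake, which the user
# sees as a connection reset. There is no fallback and no logon_deny page.
create ltm profile client-ssl clientssl_ltm_require defaults-from clientssl peer-cert-mode require ca-file internal-pki-root.crt client-cert-ca internal-pki-root.crt

# Option B: leave the handshake open and let APM decide (GUI: Client Certificate = Ignore).
# ca-file        = Trusted Certificate Authorities (what the certificate is verified against)
# client-cert-ca = Advertised Certificate Authorities (sent to the browser so it offers the right cert)
# Both are still required: the On-Demand Cert Auth action renegotiates and verifies against ca-file.
create ltm profile client-ssl clientssl_apm_ondemand defaults-from clientssl peer-cert-mode ignore ca-file internal-pki-root.crt client-cert-ca internal-pki-root.crt

# Attach the APM-oriented profile to the published virtual server (the access profile
# built in the VPE is attached to the same virtual server).
modify ltm virtual vs_app_external profiles add { clientssl_apm_ondemand { context clientside } }

# In the VPE, add "On-Demand Cert Auth" after Start. Its Successful branch evaluates the
# session variable the action populates (0 means the certificate verified against ca-file):
#   expr { [mcget {session.ssl.cert.valid}] == 0 }
# Route the fallback branch to another logon method, or to Deny to show the logon_deny page.
```

Check the result with a client that has no certificate installed: option A drops the connection, option B shows the fallback or deny page.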
