VPN Access with Smartcard for Windows 10 and F5 12.1

Question

Hi,&nbsp;
we are trying to configure VPN access with apm and smartcards and have some problems.
With F5 12.0 and Windows 8.1 we already had configured the vpn via big-ip edge client with smart card and pre logon feature. Setting up a vpn worked fine from windows logon via dial up connection and from windows (in windows with edge client and dial up connection).&nbsp;
With F5 12.1 and windows 10 we get an error during logon like here https://devcentral.f5.com/questions/using-apm-with-windows-pre-logon-feature&nbsp;
It asks for the client certificate, proceeds to the client checks and after 'Authenticated' a popup comes with Error 702: Device response received when none expected.&nbsp;
With big-ip edge client it works but not with dial-up connection. Neither from windows logon (with pre logon sequence) nor from windows.&nbsp;
So two questions:&nbsp;

Does anyone have a working vpn login with smard card in windows 10 with the pre logon sequence feature?&nbsp;

What I have read, big-ip edge client isn't supported on windows 10. Instead you should use the f5 access app from windows store. But the app doesn't seem to support smartcards. Is there any possiblity to use smartcards from the app with vpn?`

Thank you very much&nbsp;
Best regards&nbsp;
Mark&nbsp;

lucas_thompson_ · Answer

The thing you're using is called "windows logon integration", or at least that's what F5 calls it. That 702 error can happen if the SSL handshake doesn't work for some reason. Make sure you haven't messed with the ciphers in the clientssl profile.&nbsp;
If that doesn't fix it, probably time to open a support ticket.&nbsp;

wompi_203183 · Answer

Hi,&nbsp;
thank you very much for your answer. I haven't changed any cipher suites in the client ssl profiles.&nbsp;
Accidentially I have found a workaround.
After your answer I have seen that the ltm showed the following message: &nbsp;
Connection error: ssl_shim_vfycerterr:4530: application verification failure (46) during vpn login. &nbsp;
With this message in google I stumbled across "On-Demand Cert Auth". Before we had only set require in client ssl profile.
If we use "On-Demand Cert Auth" with require in APM and set the client ssl profile to ignore the VPN with smartcard auth works again with the dial up connection and windows logon integration.&nbsp;
Thank you very much.&nbsp;
Best regards&nbsp;
Mark &nbsp;

lucas_thompson_ · Answer

Oh, that's very interesting. Glad you've got it working. What documentation have you been using to set it up? I'd like to double check that it has the correct information in this area.&nbsp;

Forum Discussion

VPN Access with Smartcard for Windows 10 and F5 12.1

3 Replies

Recent Discussions

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Related Content

F5 BIG-IP Access Policy Manager (APM) Machine Tunnels for Windows

F5 Access for Windows 10/Windows 10 Mobile Now Available

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

US FEDERAL: Enabling Kerberos for Smartcard Authentication to Apache.

Windows File Share via F5 VIP