soymanue
Oct 28, 2014

Windows Phone 8.1 Edge Client Certificate Authentication

I want to configure Edge Client for Windows Phone 8.1 to authenticate using a Client Certificate. I've asked Microsoft and this is their answer: "3rd party VPN clients are able to support certificate based authentication. It is NOT selected using the UI on the VPN client setup. That is reserved only for our Inbox protocols (IKEv2 / L2TP, etc.). Cert auth for 3rd party VPN clients is provisioned using configuration on the 3rd party VPN gateway where the handshake between their app and their VPN server identifies what type of auth should be used, and then the appropriate UI workflow will get triggered when device is trying to connect."

I've found documents that show how to do it with Juniper and CheckPoint, but nothing regarding F5. Is it possible? How should the Access Profile be configured? Is the certificate authentication defined in the Virtual Server or in the Access Policy?

5 Replies

  • Lucas_Thompson_
    Historic F5 Account

    The Inbox VPN client does not work with Machine Certificates (F5 ID 450285, 473090, MSFT ID 608460). The Inbox VPN client or Edge Client CAN work with certificates, but it requires some special provisioning by an MDM for Windows Phone 8.1 to place the correct certificate into the store and to provision the VPN client.

    See this doc for more information:

    https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/related/config-note-f5-inbox-vpn-client-windows8.html

  • Corey_12957
    Historic F5 Account

    You can configure Edge Client on Windows Phone to use certificate auth with an MDM solution. Here is some example XML:

    Item> ./Vendor/MSFT/VPN/F5vpn/ThirdParty/AppId F5Networks.vpn.client_btcnfmkykcjs2

    For the F5 VPN client to identify the certificate, it needs to identify the issuer:

      ./Vendor/MSFT/VPN/F5vpn/ThirdParty/CustomConfiguration
      Certificate_Authority
    
  • Could anyone show the full XML for pushing a certificate from MDM to a Windows Phone device?

     

  • I'm afraid that Edge Client for Windows Phone 8.1 doesn't support Certificate Authentication yet.

     

    I was told by support engineers that the next version will support that functionality, but they didn't give any release date.