Forum Discussion

Brent_J
Mar 10, 2014

Machine Cert Check with OCSP failure check / Fall back to CRL

Hi, running APM Edge 11.4.1, I'm trying to implement a solid SSO APM policy for a BitLocker-secured Windows 8 build which will be robust enough to work even if an OCSP responder is offline.


The background to this is that I want to create an SSO for Windows 8 users coming in on (1) specific IP network ranges using our corporate SOE, (2) check that their machine has a valid machine cert (OCSP check with fallback to CRL), followed by (3) a Kerberos check to ascertain that the user's Windows account is valid, and then, if all good, (4) assign them VPN access.


If all this works as planned, we should have a simple (for the end user, anyway) secure solution which gives our on-campus users a secure VPN tunnel via Wi-Fi without the need to manually authenticate until they go onto an unknown Wi-Fi AP. (The reason being that we treat our Wi-Fi network as an untrusted network, hence the need for a VPN.)


I've now got our CRL consolidation working via this script https://devcentral.f5.com/questions/automaticlly-update-crl, with some tweaks.


I'm having difficulty finding out how to invoke a machine cert check with an iRule which allows CRL failover. The APM OOTB Machine Cert Checker policy doesn't quite cut it with regard to the fallback requirement.


I have found this link https://devcentral.f5.com/questions/ocsp-with-crl-fallback, but this seems to only apply to client SSL certs. Is there another event I can call that would do the same checks for a machine cert?


I am also having limited success getting Kerberos to work consistently; however, I think this is due to some helpful DC issues and IE11 "features".


Any suggestions / help would be appreciated.


Thanks
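The revocation policy the post asks for (OCSP first, CRL only as a fallback, and a safe answer when neither source is usable) is easy to get subtly wrong, so here it is written out as plain Python. This is an added example, not code from the thread, from F5, or an iRule; the thread itself says no iRule event exists for machine certs. The OCSP responder and CRL are replaced by constructed in-memory stand-ins so it runs offline; the serials 1001-1004, the dates and the `max_crl_age` window are all made up for the demonstration. The two points it makes explicit are that a definite "revoked" from OCSP never falls back to the CRL, and that an expired or too-old CRL counts as no evidence at all, so the check fails closed rather than allowing the session.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder answered but does not vouch for this serial


class OcspUnavailable(Exception):
    """Responder unreachable, timed out, or its reply could not be validated."""


@dataclass(frozen=True)
class Crl:
    revoked_serials: FrozenSet[int]
    this_update: datetime
    next_update: datetime


def check_revocation(
    serial: int,
    ocsp: Callable[[int], OcspStatus],
    fetch_crl: Callable[[], Optional[Crl]],
    now: datetime,
    max_crl_age: timedelta = timedelta(days=7),   # assumed policy value
) -> Tuple[bool, str]:
    """Return (allowed, reason). OCSP is consulted first; the CRL is used only
    when OCSP gives no answer; having no fresh source at all fails closed."""
    try:
        status = ocsp(serial)
    except OcspUnavailable:
        status = None                 # transport failure: fall through to the CRL
    if status is OcspStatus.GOOD:
        return True, "ocsp:good"
    if status is OcspStatus.REVOKED:
        return False, "ocsp:revoked"  # a definite revocation never falls back
    # status is None (unreachable) or UNKNOWN (no record at the responder).
    # Policy choice here: let a fresh CRL decide instead of denying outright.
    crl = fetch_crl()
    if crl is None:
        return False, "no-source"     # neither OCSP nor CRL usable: fail closed
    if now >= crl.next_update or now - crl.this_update > max_crl_age:
        return False, "crl:stale"     # an expired or too-old CRL is not evidence
    if serial in crl.revoked_serials:
        return False, "crl:revoked"
    return True, "crl:good"


# --- constructed, in-memory stand-ins for the two network sources ----------

def fake_ocsp(online: bool, records: Dict[int, OcspStatus]) -> Callable[[int], OcspStatus]:
    """Simulate a responder; offline raises the same error a real timeout would."""
    def responder(serial: int) -> OcspStatus:
        if not online:
            raise OcspUnavailable("constructed: responder timed out")
        return records.get(serial, OcspStatus.UNKNOWN)
    return responder


def fake_crl(crl: Optional[Crl]) -> Callable[[], Optional[Crl]]:
    """Simulate fetching the consolidated CRL; None means it could not be fetched."""
    return lambda: crl


def run_scenarios() -> Dict[str, str]:
    """Run the policy over constructed serials and return the reason per scenario."""
    now = datetime(2014, 3, 10, tzinfo=timezone.utc)
    fresh = Crl(frozenset({1002, 1004}), now - timedelta(days=1), now + timedelta(days=6))
    stale = Crl(frozenset({1002, 1004}), now - timedelta(days=30), now - timedelta(days=23))
    records = {1001: OcspStatus.GOOD, 1002: OcspStatus.REVOKED}
    cases = {
        "ocsp up, good cert":      (1001, fake_ocsp(True, records),  fake_crl(fresh)),
        "ocsp up, revoked cert":   (1002, fake_ocsp(True, records),  fake_crl(fresh)),
        "ocsp unknown, crl clean": (1003, fake_ocsp(True, records),  fake_crl(fresh)),
        "ocsp down, crl clean":    (1001, fake_ocsp(False, records), fake_crl(fresh)),
        "ocsp down, crl revoked":  (1004, fake_ocsp(False, records), fake_crl(fresh)),
        "ocsp down, crl stale":    (1001, fake_ocsp(False, records), fake_crl(stale)),
        "ocsp down, no crl":       (1001, fake_ocsp(False, records), fake_crl(None)),
    }
    return {name: check_revocation(s, o, c, now)[1] for name, (s, o, c) in cases.items()}


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name:25s} -> {reason}")
```

Whatever enforces this on the box (an iRule for client certs, or the MachineCert object with a local CRL), the same ordering applies: a reachable responder is authoritative, the CRL only answers when OCSP cannot, and the CRL's `nextUpdate` must be honoured so that a consolidation script that stops running does not silently turn into "always allow".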


7 Replies

  • I believe that, except for how Windows uses them, there is no difference between client and machine certificates. Have you tried to make this work with the iRules that work for "client" certificates?
  • Thanks for the reply, boneyard. I haven't been able to find a way to specify via an iRule that the machine cert should be requested. The only option appears to be to request the client cert. The machine cert seems to require you to define the location of the cert, i.e. in the MY / LocalMachine certificate store, etc.


    Will raise a case with support and report findings here if they come back with anything.


    Thanks again.


    • amolari
      Hi Brent. Got any update from support? Raised an RFE? Thanks, Alex
  • Have asked for an RFE to be raised. They have been a bit tardy on the response so far. Just answering their questions from PD regarding why this would be a good idea, so hopefully I'll get an RFE reference soon. Also, there doesn't seem to be any way of requesting a machine cert at this time via an iRule. Only user certs are currently supported, which is frustrating.


    Regards, Brent


  • You can use a static/local CRL. Just configure the CA profile (the same as for client certificate SSL profiles) and set it in the MachineCert VPE object.