SSL profile USB-token to authenticate the clients

MVP

Jan 25, 2016

Hi Tamer,

You may take a look to the links below. The links are showing you the needed syntax to overwrite the configured SSL-Profile settings to require Auth/Client-Certs on a request basis, and to re-negotiates the SSL connection on the fly...

https://devcentral.f5.com/articles/selective-client-cert-authentication

https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx

A sample iRule would look like that...

when CLIENTSSL_HANDSHAKE { 
    if { [SSL::cert count] == 0 } { 
        log -noname local0.debug "Client cert is not OK; rejecting TCP connection." 
        reject
    } else {
        log -noname local0.debug "Client cert is OK; releasing HTTP request." 
        HTTP::release 
    }
}
when HTTP_REQUEST {
    if { [string tolower [[HTTP::uri]] starts_with "/admin" } then {
        log -noname local0.debug "Certificate required for: [HTTP::uri]" 
        if { [SSL::cert count] == 0} { 
            log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..." 
            HTTP::collect 
            SSL::authenticate always 
            SSL::authenticate depth 9 
            SSL::cert mode require 
            SSL::renegotiate 
        }
    }
}

Note: Once the functionality is verified, you may remove/comment the

[log]

commands.

Cheers, Kai

Forum Discussion

SSL profile USB-token to authenticate the clients

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

Doing mTLS Authentication per URL

Application Programming Interface (API) Authentication types simplified

iControl REST Authentication Token Management

SSL Profiles

Understanding the Authenticate Name Option on Server SSL profile on BIG-IP