Forum Discussion

cpmortimer_1356
Oct 15, 2013

F5 SSL VPN Certificate Based Authentication on Android

Hi,

 

I am trying to get our Big IP v11.3 appliance working for certificate based client authentication for VPN connections. I am deploying certificates to mobile devices using the AirWatch EMM solution. The connection works fine on iOS. On Android, I can see the client certificate within the Edge Client but when attempting to make a connection it consistently fails.

 

Any suggestions as to what may be the problem and what the solution may be?

 

Thanks in advance for your time in answering.

 

Colin

 

6 Replies

  • Hi Colin,

     

    What do you see in APM logs? You can set log level in System > log > configuration > options.

     

  • Hi Matthieu,

     

    I have changed the log level to "debug". Where would I see the actual logs from attempted client connections?

     

    Also, where should I actually be configuring cert based auth for this type of use? I have added the need for a cert in the Local Traffic > Profiles > SSL. Should I also have the "on demand cert auth" in the visual editor set up?

     

    I am 100% new to F5 so fumbling my way around. I'll be honest, I have not found the documentation too useful for this unfortunately.

     

    Thanks again.

     

    Colin

     

  • To retrieve logs from APM: tail -f /var/log/apm

    From LTM: tail -f /var/log/ltm

    Run the command line first, and launch your client after.

     

    For client cert validation, create a client SSL profile, in LTM, with "Require" client certificate. Import your CA and CRL if needed. In APM, create a policy with "client cert inspection" if you want to retrieve information from the certificate. But it's not mandatory. LTM has already validated the certificate.

     

    For a dynamic CRL inspection, you can use CRLDP or OCSP in APM.

     

    Hope this helps.
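
Added example, not part of the reply above and not F5 tooling: an offline pre-check, using the OpenSSL command line, that a device certificate chains to the CA imported into the client SSL profile and is usable for TLS client authentication, with an optional CRL. The function names, file names and the sample PKI are constructed for the demonstration.

```shell
#!/bin/sh
# check_client_cert CA_BUNDLE CLIENT_CERT [CRL]
# Succeeds only if the cert chains to CA_BUNDLE, is allowed for TLS client
# authentication and, when a CRL is supplied, is not revoked.
check_client_cert() {
    rc=0
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -purpose sslclient -CAfile "$1" \
              -crl_check -CRLfile "$3" "$2" 2>&1) || rc=$?
    else
        out=$(openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1) || rc=$?
    fi
    printf '%s\n' "$out" >&2          # show OpenSSL's verdict and reason
    [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q ': OK$'
}

# new_ca DIR NAME: constructed sample CA (test data, not from the thread).
new_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        '[dn]' 'CN=unused' '[v3]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -subj "/CN=Sample $2 CA" -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" 2>/dev/null
}

# issue_cert DIR CA_NAME CERT_NAME EKU: constructed leaf certificate.
issue_cert() {
    printf 'extendedKeyUsage=%s\n' "$4" > "$1/$3.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2-ca.pem" \
        -CAkey "$1/$2-ca.key" -CAcreateserial -extfile "$1/$3.ext" \
        -out "$1/$3.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" corp && new_ca "$d" other &&
    issue_cert "$d" corp device clientAuth &&
    issue_cert "$d" corp webserver serverAuth || return 1
    check_client_cert "$d/corp-ca.pem"  "$d/device.pem"    && echo "device: accepted"
    check_client_cert "$d/other-ca.pem" "$d/device.pem"    || echo "device vs wrong CA: rejected"
    check_client_cert "$d/corp-ca.pem"  "$d/webserver.pem" || echo "serverAuth-only cert: rejected"
    rm -rf "$d"
}
demo
```
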

     

  • Hi Matthieu,

     

    Thanks again for your response. I haven't forgotten, just having a number of challenges with this. I'm trying to figure out what the CLI user name and password might be as my colleagues who installed the appliance appear to have changed it from the defaults and don't know what they changed it to. Great huh? The defaults I found online suggest root/default, would you agree that is the default credentials for the appliance or something different?

     

    Thanks,

     

    Colin

     

  • I don't seem to have access to run that command. Finally got in to the CLI, running that command returns: unexpected argument tail. I am unsure as to whether this access requires an additional license? This is an evaluation virtual appliance in our lab if that means anything.

     

    Am attempting to work through an upgrade to 11.4.1 as advised by a colleague. Do you know if logs are available through the GUI here as they have suggested so?

     

    Thanks,

     

    Colin