Forum Discussion

Tamer_Ezzat_235
Jan 25, 2016

SSL profile USB-token to authenticate the clients

Hi all,


How do I configure an SSL client profile to authenticate clients with a USB token on the /admin directory only?


https://www.example.com/admin


I mean I need to authenticate the clients using a USB token only when they are accessing the /admin directory, not the whole site.


Thanks.


2 Replies

  • Hi Tamer,

    You may take a look at the links below. They show the syntax needed to override the configured SSL profile settings so that Auth/Client-Certs are required on a per-request basis, and to renegotiate the SSL connection on the fly...

    https://devcentral.f5.com/articles/selective-client-cert-authentication

    https://devcentral.f5.com/wiki/iRules.SSL__authenticate.ashx

    A sample iRule would look like this...

    when CLIENTSSL_HANDSHAKE {
        # This event also fires after the initial handshake, where no client cert
        # exists yet; only enforce once an /admin request has started a renegotiation,
        # otherwise every plain visitor would be rejected on connect.
        if { [info exists cert_required] } {
            if { [SSL::cert count] == 0 } {
                log -noname local0.debug "Client cert is not OK; rejecting TCP connection."
                reject
            } else {
                log -noname local0.debug "Client cert is OK; releasing HTTP request."
                HTTP::release
            }
        }
    }
    when HTTP_REQUEST {
        # Case-insensitive match so /ADMIN cannot bypass the check
        if { [string tolower [HTTP::uri]] starts_with "/admin" } then {
            log -noname local0.debug "Certificate required for: [HTTP::uri]"
            if { [SSL::cert count] == 0 } {
                log -noname local0.debug "No cert found. Holding HTTP request until a client cert is presented..."
                # Remember that this connection must present a cert, hold the request,
                # switch the profile to require a client cert and renegotiate
                set cert_required 1
                HTTP::collect
                SSL::authenticate always
                SSL::authenticate depth 9
                SSL::cert mode require
                SSL::renegotiate
            }
        }
    }
    

    Note: Once the functionality is verified, you may remove/comment the [log] commands.

    Cheers, Kai
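The event flow in the iRule above is easy to get subtly wrong, because CLIENTSSL_HANDSHAKE fires for the initial handshake as well as for the renegotiation that the /admin request triggers. The following Python model is an added example, not BIG-IP or DevCentral code: it replays the per-connection sequence (initial handshake, HTTP requests, the renegotiation the rule forces) and shows what each variant of the handshake handler does. The `guarded` flag stands for a per-connection variable set in HTTP_REQUEST before renegotiating; the event names, the request sequences and the action labels are all constructed for the model.

```python
# Constructed model of a selective client-cert iRule flow; not BIG-IP code.
from dataclasses import dataclass, field


@dataclass
class Connection:
    """Per-connection state: what [SSL::cert count] would return, plus a flag."""
    cert_count: int = 0            # 0 until the client presents a certificate
    cert_required: bool = False    # set once an /admin request forced a renegotiation
    actions: list = field(default_factory=list)


def on_clientssl_handshake(conn, guarded=True):
    """CLIENTSSL_HANDSHAKE: fires after the initial handshake and after each renegotiation."""
    if guarded and not conn.cert_required:
        # Initial handshake of a client that never asked for /admin: nothing to enforce.
        conn.actions.append("pass")
        return
    if conn.cert_count == 0:
        conn.actions.append("reject")        # reject: the TCP connection is dropped
    else:
        conn.actions.append("release")       # HTTP::release: the held request continues


def on_http_request(conn, uri):
    """HTTP_REQUEST: demand a client certificate only below /admin (case-insensitive)."""
    if uri.lower().startswith("/admin") and conn.cert_count == 0:
        conn.cert_required = True
        conn.actions.append("collect+renegotiate")   # HTTP::collect ... SSL::renegotiate
        return True                                  # caller must now run the renegotiation
    conn.actions.append("forward")                   # either not /admin, or cert already seen
    return False


def simulate(requests, client_has_cert=False, guarded=True):
    """Run one TCP connection: initial handshake, then the given request URIs in order."""
    conn = Connection()
    on_clientssl_handshake(conn, guarded)
    for uri in requests:
        if conn.actions[-1] == "reject":
            break                                    # the connection is gone
        if on_http_request(conn, uri):
            # The client answers the renegotiation, presenting a cert only if it has one.
            conn.cert_count = 1 if client_has_cert else 0
            on_clientssl_handshake(conn, guarded)
    return conn.actions


if __name__ == "__main__":
    # Unguarded handler: a visitor of "/" is rejected at the very first handshake.
    print("unguarded, GET /          :", simulate(["/"], guarded=False))
    # Guarded handler: "/" passes, "/admin" without a cert is held and then rejected.
    print("guarded, GET /            :", simulate(["/"]))
    print("guarded, GET /admin, no cert:", simulate(["/admin"]))
    # With a cert, the second /admin request needs no further renegotiation.
    print("guarded, GET /admin x2, cert:",
          simulate(["/admin", "/admin/users"], client_has_cert=True))
```

The first line of output is the failure mode the guard prevents: without it, the handler that is meant to judge the renegotiation result runs on the initial handshake, sees no certificate and drops the connection for every visitor, not just those on /admin. The last case shows that once a certificate has been presented, later /admin requests on the same connection are forwarded directly because `[SSL::cert count]` is no longer zero.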