Forum Discussion

Carl_20170911
Jan 18, 2020

Restrict access to virtual server by IP address and client certificate authentication

I am currently implementing F5 LTM.

I want to restrict access to a virtual server by IP address and client certificate authentication.

If the client's IP is not in the address list, then the client can use client certificate authentication.

Is it possible?

Thanks.

 

6 Replies

  • Hi,

    You can make use of iRules to identify the client IP address from the configured data group list, and you can prevent those clients from accessing the VS.

  • And add to that iRule a switch of the client SSL profile to one that requires client certificate authentication if the IP is not on the list, and you have what you want. It isn't something you can just configure in the GUI; it will require some iRule code and different profiles.

  • I have tried the following iRule but it does not work.

    when CLIENT_ACCEPTED {
        set redir 0
        # Client IP is not in the EISAllow address data group: force client certificate authentication
        if { ! [class match [IP::client_addr] equals EISAllow] } {
            log local0. "Dropped connection: client IP [IP::client_addr] is blacklisted."
            SSL::enable
            set sslenable 0
            set redir 1
            # Switch to the client SSL profile that requires a client certificate
            SSL::profile Client_Cert_Auth_Policy
            #drop
        }
    }

    • boneyard

      You would enable a profile with SSL client auth by default, not enable it in the iRule.

  • Is it possible to extend this solution to restrict access to specific client certificates?

    • boneyard

      With iRules everything is possible :)

      If your client certificates contain a certain CN you can request that and compare it with a list of allowed ones.

      There should be enough examples around of how to do this.
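A combined iRule covering both questions in this thread (IP allow list with fallback to client certificate authentication, then restriction to specific certificate CNs), written as an added example and not code from any of the posters. It assumes the virtual server has a client SSL profile attached whose Client Certificate setting is "ignore", that Client_Cert_Auth_Policy (the profile name from the thread) is a second client SSL profile with Client Certificate set to "require" and the issuing CA in its trusted CA bundle, that EISAllow (from the thread) is an address-type data group, and that AllowedCNs is a hypothetical string-type data group listing the permitted certificate CNs.

```tcl
# Added example: not from the thread. Data group AllowedCNs is hypothetical.
when CLIENT_ACCEPTED {
    # Clients on the IP allow list keep the default profile (no certificate asked for).
    set need_cert 0
    if { ![class match [IP::client_addr] equals EISAllow] } {
        # Not on the list: switch to the profile that requires a client certificate.
        # SSL::profile must run before the TLS handshake, so it lives in CLIENT_ACCEPTED.
        set need_cert 1
        SSL::profile Client_Cert_Auth_Policy
        log local0. "Client [IP::client_addr] not in EISAllow; requiring client certificate"
    }
}

when CLIENTSSL_CLIENTCERT {
    # Only fires when the active profile requested a certificate from the client.
    # The "require" profile already fails the handshake without a cert; this check
    # also covers the case where the profile is later relaxed to "request".
    if { [SSL::cert count] == 0 } {
        log local0. "Client [IP::client_addr] presented no certificate; rejecting"
        reject
        return
    }
    # Chain validation against the profile's trusted CA bundle must have succeeded (0 = OK).
    if { [SSL::verify_result] != 0 } {
        log local0. "Client [IP::client_addr] certificate failed validation (code [SSL::verify_result]); rejecting"
        reject
        return
    }
    # Pull the CN out of the subject DN, e.g. "CN=client1,OU=Ops,O=Example" -> "client1",
    # and compare it with the allow list of CNs.
    set subject [X509::subject [SSL::cert 0]]
    set cn [findstr $subject "CN=" 3 ","]
    if { ![class match $cn equals AllowedCNs] } {
        log local0. "Client [IP::client_addr] certificate CN '$cn' not in AllowedCNs; rejecting"
        reject
        return
    }
    log local0. "Client [IP::client_addr] authenticated with certificate CN '$cn'"
}
```

Both data groups and the second client SSL profile must exist before the iRule is attached to the virtual server, and the default profile's certificate setting is what decides whether CLIENTSSL_CLIENTCERT fires for allow-listed clients.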