This howto shows you how to use client certificates to authenticate against applications hosted behind a BigIP loadbalancer. You may find this howto (or parts of it) on ask.f5.com, as there was no documentation on this topic before; I forwarded it to F5 some time ago. This is the only way to use client certificates without purchasing add-on modules from F5.
Purpose
If you host a website/application which should only be accessible by some users, you may have already thought about client certificates. This makes brute force attacks against login panels impossible.
This increases the overall application security by adding another layer a user must pass.
The mapping between certificates and access rights is based on an LDAP directory.
Overview
The loadbalancer reads the CN from the client certificate and searches the group defined for the virtual server for a matching entry. The loadbalancer verifies the CA and CRLs before the lookup takes place.

LDAP Setup
Example Tree
```text
dc=company,dc=com
├── ...
└── ou=datacenter
    ├── ...
    └── ou=webauth
        ├── ou=users
        └── ou=groups
```
User & Group LDIF
Here are two LDIF examples, one for a user and one for a group:

```ldif
dn: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example User
sn: Example User
objectClass: person
description: It's just an example user
```

```ldif
dn: cn=Example Group,ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example Group
objectClass: posixGroup
description: Group is allowed to connect to BigIP's VHOST secure.company.com
memberUid: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
memberUid: cn=Example User No2,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
gidNumber: 145
```
The “memberUid” value has to match the certificate's CN exactly, because this is the key the BigIP looks for.
BigIP Configuration
Authentication Configuration
As a first step we create a new “Authentication Configuration”. Just open the web frontend and navigate to:
Local Traffic -> Profiles -> Authentication -> Configuration
You have to create a new config for every virtual host you want to secure. This is forced by the LDAP group used, because every config can only use one group. Here's an example configuration:
| Parameter | Value |
|---|---|
| Hosts | 1.2.3.4 |
| Search Type | User |
| User Base DN | ou=users,ou=webauth,ou=datacenter,dc=company,dc=com |
| User Key | cn |
| Admin DN | DN for binding |
| Admin Password | Bind password |
| Group Base DN | ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com |
| Group Key | cn |
| Group Member Key | memberUid |
| Valid Groups | Corresponding LDAP group |
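To check what this configuration will actually decide before rolling it out, here is an added example (not from the original post and not F5 code) that replays the two lookup steps, certificate CN to user DN and user DN to group membership, against the LDIF entries above with the table values filled in. It assumes plain LDIF without line folding or base64 values and an in-memory search in place of a real LDAP bind; the user entry for “Example User No2” is deliberately absent, so being listed in the group alone does not grant access.

```python
# Constructed sample data: the two LDIF entries from this page (description,
# sn and gidNumber lines left out because they play no part in the lookup).
SAMPLE_LDIF = """\
dn: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example User
objectClass: person

dn: cn=Example Group,ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com
cn: Example Group
objectClass: posixGroup
memberUid: cn=Example User,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
memberUid: cn=Example User No2,ou=users,ou=webauth,ou=datacenter,dc=company,dc=com
"""

# Values mirroring the Authentication Configuration table above.
USER_BASE_DN = "ou=users,ou=webauth,ou=datacenter,dc=company,dc=com"
USER_KEY = "cn"
GROUP_BASE_DN = "ou=groups,ou=webauth,ou=datacenter,dc=company,dc=com"
GROUP_KEY = "cn"
GROUP_MEMBER_KEY = "memberUid"
VALID_GROUP = "Example Group"


def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64 '::' values) into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def is_authorized(entries, cert_cn):
    """Find the user by certificate CN below the user base DN, then require that
    user's DN to be listed under the member key of the valid group."""
    # Step 1: user search, the equivalent of (cn=<cert CN>) below USER_BASE_DN.
    user_dn = None
    for dn, attrs in entries.items():
        if dn.lower().endswith("," + USER_BASE_DN.lower()) and cert_cn in attrs.get(USER_KEY, []):
            user_dn = dn
    if user_dn is None:
        return False  # unknown CN: a certificate signed by the right CA is not enough
    # Step 2: group check, the equivalent of (&(cn=<group>)(memberUid=<user DN>)).
    for dn, attrs in entries.items():
        if dn.lower().endswith("," + GROUP_BASE_DN.lower()) and VALID_GROUP in attrs.get(GROUP_KEY, []):
            members = [m.lower() for m in attrs.get(GROUP_MEMBER_KEY, [])]
            return user_dn.lower() in members
    return False  # valid group not found under the group base DN
```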
Authentication Profile
The next step is to create a profile which inherits the newly created config. You need a profile for every configuration. Navigate to
Local Traffic -> Profiles -> Authentication -> Profiles
| Parameter | Value |
|---|---|
| Type | SSL Client Certificate LDAP |
| Parent Profile | ssl_cc_ldap |
| Mode | Enabled |
| Configuration | NAME OF CONF JUST CREATED |
CA Upload
If your CA certificate(s) have not been installed yet, it's time to do so.
Local Traffic -> SSL Certificates -> Import
SSL Profiles
To use SSL at all (even without client certificates) you need an SSL profile. Navigate to
Local Traffic -> Profiles -> SSL -> Client
Create a new profile based on “clientssl” or one of your already defined profiles.
| Parameter | Value |
|---|---|
| Chain | CompanyBundle |
| Trusted Certificate Authorities | CompanyBundle |
| Client Certificate | require |
| Frequency | always |
| Advertised Certificate Authorities | CompanyBundle |
Virtual Host Configuration
You may create a new virtual host or modify an existing host. Navigate to
Local Traffic -> Virtual Servers
Modify the following parameters (if you already used SSL in this vhost):
| Parameter | Value |
|---|---|
| SSL Profile (Client) | Profile created earlier |
| Authentication Profiles | Profile created earlier |
That’s it!
Import your client certificates to your browser and enjoy your secure connection.
If you have any trouble don’t hesitate to contact me: daniel {A_T} linuxaddicted {D_O_T} de

EXCELLENT writeup. thank you.
i have a question….
if client certificate authentication fails, or if the client browser has no certificate to present, would it be possible to configure BigIP to redirect the client to another port (without losing context of what the user was trying to access) which does not do client authentication?
Rohan
Hi Rohan,
As far as I know (never had to do this) the only chance is to extend the iRule which handles the certificate auth. Please let me know if you find a solution.
Daniel