Solved

Smart Card Login for F5 Web Admin Console

Posted on 2014-03-20
1
941 Views
Last Modified: 2014-03-24
Okay. I have implemented Smart Card Authentication to websites before. Mostly IIS, but recently, due to a push for tighter controls, I learned how to implement Smart Card Authentication when a user accesses a web server or application behind the F5 Load Balancer.

My new challenge is : How do I implement Smart Card authentication for the Web Administration Console that I use to configure the F5? I have looked at the "advanced" configuration under "SYSTEM; USER; AUTHENTICATION" and done some reading.

It appears that I can configure all kinds of authentication, like Active Directory, RADIUS, TACACS+, but these all require entering a password. Our accounts are Smart Card based and we don't allow NOS stored passwords, only PIN's to verify certificates.

Any F5 experts out there that can tell me how to use Smart Card authentication with a PIN to access the Web interface to configure the F5? Or, alternatively, can anyone tell me this is simply NOT possible?
0
Comment
Question by:dalberson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39944526
there may be a possibility if you see that LDAP can be SSL based requesting for client cert. This would be similar the client SSL profile but best is to raise the support case or even Devcentral (F5 community based forum with even actual F5 architect) to get confirmation before delving into the trial and error.

Also since you are in to security, you can explore the appliance mode but it will really need to be tested as it can be too lockdown  

http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos_management_guide_10_1/tmos_users.html#1009116


11.If you want to enable SSL-based authentication, click the SSL box and if necessary, configure the following settings.
Important: Be sure to specify the full path name of the storage location on the BIG-IP system. For example, if the certificate is stored in the directory /config/ssl/ssl.crt, type the value /config/ssl/ssl.crt.

a) In the SSL CA Certificate box, type the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.

b)In the SSL Client Key box, type the name of the client SSL key.
Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.

c)In the SSL Client Certificate box, type the name of the client SSL certificate.
Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.

12.Click Finished.
0

Featured Post

Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question