Forum Discussion
- PrakinCirrus
Hi,
You can make use of iRules to identify the client IP address from the configured data group list, and you can prevent those clients from accessing the VS.
And add to that iRule a switch of the client SSL profile to one that requires client certificate authentication if the IP is not on the list, and you have what you want. It isn't something you can just configure in the GUI; it will require some iRule code and different profiles.
- Carl_20170911Nimbostratus
I have tried the following iRule but it does not work.
when CLIENT_ACCEPTED {
    # Clients whose source address is not in the EISAllow address data group
    # are switched to a client SSL profile that requires a certificate.
    if { ! [class match [IP::client_addr] equals EISAllow] } {
        log local0. "Client IP [IP::client_addr] is not in EISAllow; requiring client certificate."
        # SSL::enable only turns SSL processing back on after SSL::disable;
        # it does not configure client certificate authentication.
        SSL::enable
        # The profile switch must happen before the handshake starts.
        SSL::profile Client_Cert_Auth_Policy
        # drop   ;# uncomment to block these clients outright instead of switching profiles
    }
}
You would enable a profile with SSL client auth by default, not enable it in the iRule.
- nolipinedaAltostratus
Is it possible to extend this solution to restrict access to specific client certificates?
With iRules everything is possible :)
If your client certificates contain a certain CN, you can request that and compare it with a list of allowed ones.
There should be enough examples around of how to do this.
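The two ideas in this thread (switching the client SSL profile based on an IP data group, and then checking the presented certificate's CN against an allowed list) combined into one iRule. This is an added example, not code posted by anyone in the thread: it assumes the address data group EISAllow and the client SSL profile Client_Cert_Auth_Policy named above, plus a string data group called EISAllowedCertCN (an assumed name) holding the permitted CN values, and that Client_Cert_Auth_Policy is configured to request a client certificate so that CLIENTSSL_CLIENTCERT fires.

```tcl
# Added example (not from the thread). Assumed objects: address data group
# "EISAllow", client SSL profile "Client_Cert_Auth_Policy" (both named in the
# thread) and string data group "EISAllowedCertCN" (assumed name) with the CNs
# that may connect from outside the allow-listed networks.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals EISAllow] } {
        # Trusted source network: keep the virtual server's default client SSL profile.
        set cert_required 0
    } else {
        set cert_required 1
        log local0. "Client [IP::client_addr] not in EISAllow; requiring client certificate"
        # Switch profiles before the TLS handshake begins.
        SSL::profile Client_Cert_Auth_Policy
    }
}

when CLIENTSSL_CLIENTCERT {
    # Only evaluate certificates for connections we forced onto the cert-auth profile.
    if { ![info exists cert_required] || !$cert_required } { return }
    # Reject when no certificate was presented or it did not verify against the profile's CA.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0. "Rejecting [IP::client_addr]: missing or unverified client certificate"
        reject
        return
    }
    # Subject DN is assumed to look like "CN=alice,OU=ops,O=example"; extract the CN attribute.
    set subject [X509::subject [SSL::cert 0]]
    if { ![regexp {(?:^|,)\s*CN=([^,]+)} $subject -> cn] } {
        log local0. "Rejecting [IP::client_addr]: no CN in subject ($subject)"
        reject
        return
    }
    # Exact match against the allowed CN list; anything else is refused.
    if { ![class match $cn equals EISAllowedCertCN] } {
        log local0. "Rejecting [IP::client_addr]: CN '$cn' not in EISAllowedCertCN"
        reject
        return
    }
    log local0. "Accepted client certificate CN '$cn' from [IP::client_addr]"
}
```

Each rejection is logged with the reason, so a failed allow-list check is distinguishable from a certificate that simply did not verify.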