Jump to content


Photo

Client SSL Authentication and Access Control via Active Directory Group

Started by Scott Chamings , 10 April 2017 - 12:15 AM
1 reply to this topic

Scott Chamings Members

Scott Chamings
  • 6 posts

Posted 10 April 2017 - 12:15 AM

Hi,

 

Struggling with what I thought would be a simple task.

 

I need to reverse proxy an internal site but using Client SSL as the authentication (Client Cert is generated from in house Enterprise PKI / Active Directory).

 

Then based on the username on the cert, grant access only if the user is a member of a particular active directory group.

 

There is no authentication / authorisations on the internal site, but this access control is just to stop external requests from hitting this internal site unless it is from an authorised user.

 

Thanks

 

Scott

 

 



Carl Stalhood CTP Member

Carl Stalhood
  • 11,940 posts

Posted 10 April 2017 - 11:44 AM

Here's one option.

 

Create a AAA vServer and link it to your LB vServer.

 

Enable Client Cert authentication on your AAA vServer.

Create a Cert policy that extracts username and bind it to AAA vServer. Enable two-factor in policy/server.

Create a LDAP policy that extracts AD groups and bind it to AAA vServer.

Create Session Policy with Default Authorization = ALLOW and bind to AAA vServer.

 

On LB vServer, create a Responder that checks for HTTP.REQ.USER.IS_MEMBER_OF.NOT. Action is Redirect to error page.