Manual Chapter : About On-Demand Cert Auth
Applies To: 15.0.1, 15.0.0
About On-Demand Cert Auth
Typically, when a client makes an HTTPS request, an SSL handshake occurs at the start of the SSL session. If the client SSL profile skips the initial SSL handshake, an On-Demand Cert Auth action can re-negotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. After the user provides a valid certificate, the On-Demand Cert Auth action checks the result of certificate authentication. The agent verifies the value of the session variable session.ssl.cert.valid to determine whether authentication was a success.
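As an added illustration, and not part of this manual page or of F5's own code, the following iRule reads the same session.ssl.cert.valid variable the agent evaluates once the access policy has completed, and writes the outcome to the LTM log so that failed certificate checks can be monitored. The iRule, its log format, and the assumption that a successful check stores the value 1 in that variable are mine; confirm the value your deployment records before building alerts on it.

```tcl
# Added example, not part of the F5 documentation: log the result of
# On-Demand Cert Auth after the access policy has finished, so failed
# certificate checks are visible in the LTM log for monitoring.
when ACCESS_POLICY_COMPLETED {
    # session.ssl.cert.valid is the variable the On-Demand Cert Auth
    # agent evaluates (named in the manual). Treating the value 1 as
    # "valid certificate" is an assumption; verify it for your version.
    set cert_valid [ACCESS::session data get "session.ssl.cert.valid"]
    set policy_result [ACCESS::policy result]
    set client [IP::client_addr]

    if { $cert_valid eq "1" } {
        log local0.info "ODCA ok client=$client result=$policy_result"
    } else {
        # Reached both when Request mode took the fallback branch and when
        # no acceptable certificate was presented; log at notice level so
        # the entries are easy to filter out of the routine traffic.
        log local0.notice "ODCA failed client=$client cert_valid=$cert_valid result=$policy_result"
    }
}
```

Attach the iRule to the virtual server that carries the access policy; the log lines then give a per-session record of certificate-check outcomes alongside the policy result, without changing how the policy itself branches.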
When configuring on-demand certificate authentication in a per-request policy, avoid placing any other agent before the On-Demand Cert Auth agent if the client SSL profile on the virtual server has the Client Certificate field set to ignore. With this configuration, the per-request policy re-executes the subroutine when it reaches the On-Demand Cert Auth agent, which can cause the per-request policy to take an unexpected branch at each agent located before the On-Demand Cert Auth agent.
The On-Demand Cert Auth action provides one configuration option, Auth Mode, with two supported modes:
- Request: With this mode, the system requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, the action takes the fallback route in the access policy. This is the default option.
- Require: With this mode, the system requires that the client provide a valid certificate. If the client does not provide a valid certificate, the connection terminates and the client browser stops responding. For an iPod or an iPhone, the Require setting must be used for On-Demand certificate authentication. To pass a certificate check using Safari, the user is asked to select the certificate multiple times; this is expected behavior.
On-demand certificate authentication does not work when added to a subroutine for a per-request policy that is part of a forward proxy configuration.