CTX122955
Access Gateway 8.0 Enterprise Edition,Access Gateway 8.1 Enterprise Edition,Access Gateway 9.0 Enterprise Edition
Article
2016-04-15
2014-10-16

Objective

This article contains information about configuring an Access Gateway Enterprise Edition appliance to perform a client certificate check after logging in to an Access Gateway Virtual Server (VServer).

Background

In an Access Gateway Enterprise Edition appliance, the default method to enable a Client Certificate check is to configure the Secure Socket Layer (SSL) parameters of an Access Gateway VServer to ensure that Client Certificates are Optional or Mandatory. This configuration enforces the web browser of an end user to provide a Client Certificate during the SSL handshake process between the web browser of the end user and the Access Gateway VServer. This step is performed before the login page is displayed.

However, if the deployment requires a Client Certificate check after login, then you can configure a session policy similar to the following sample policy:

CLIENT.CERT.ISSUER CONTAINS <IssuerName>

Instructions

To configure an Access Gateway Enterprise Edition appliance to perform a client certificate check after logging in to an Access Gateway VServer, complete either of the following procedures:

Client Certificate Authentication before VServer Authentication but after Credentials are Submitted from the VServer Login Page

By using an SSL policy, you can configure an Access Gateway Enterprise Edition appliance so that the Client Certificate authentication is done before the Access Gateway VServer authentication, but after credentials are submitted from the VServer login page.

To configure such an SSL policy, complete the following procedure from the command line interface of the appliance:

  1. Run the following command to add an SSL action for client authentication:
    add ssl action ssl_act1 -clientAuth DOCLIENTAUTH

  2. Run the following command to add an SSL policy to evaluate if the request is a login URL:
    add ssl policy ssl_pol1 -rule "REQ.HTTP.METHOD == POST && REQ.HTTP.URL CONTAINS /cgi/login" -reqAction ssl_act1

  3. Run the following command to bind the policy to an SSL VServer:
    bind ssl vserver v2 -policyName ssl_pol1

  4. Run the following command to add a session policy that verifies the client certificate:
    add vpn sessionPolicy sess2 "CLIENT.CERT.ISSUER CONTAINS <AuthorityName>" sessProfile2

  5. Run the following command to bind the session policy to the SSL VServer:
    bind vpn vserver v2 -policy sess2

Client Certificate Authentication after Credentials are Submitted for VServer Authentication but before Access to the VPN Home Page

By using an SSL policy, you can also configure the Access Gateway Enterprise Edition appliance so that the Client Certificate is authenticated after credentials are submitted for Access Gateway VServer authentication, but before the end user is given access to the VPN home page.

To configure such an SSL policy, complete the following procedure from the command line interface of the appliance:

  1. Run the following command to add an SSL action for client authentication:
    add ssl action ssl_act2 -clientAuth DOCLIENTAUTH

  2. Run the following command to add an SSL policy to evaluate the Cookie:
    add ssl policy ssl_pol2 -rule "REQ.HTTP.HEADER Cookie CONTAINS NSC_AAAC && REQ.HTTP.URL CONTAINS f_services" -reqAction ssl_act2
    Note: In the preceding command, f_services.html is the default home page for the session profile.

  3. Run the following command to bind the policy to an SSL VServer:
    bind ssl vserver v2 -policyName ssl_pol2

    In this configuration, when a user connects through the Access Gateway Enterprise Edition SSL VPN client, the appliance sends the NSC_AAAC cookie to the client. When the client sends further HTTP requests that carry the NSC_AAAC cookie header, the SSL policy evaluates the request and forces the Client Certificate check for authentication. The appliance performs this action before the home page assigned by the session profile is displayed.
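To make the two procedures above easier to compare, here is an added example (not from the Citrix article) that models the SSL policy rules and the session policy as plain Python predicates and runs them over a constructed login sequence, showing at which request each rule would demand the client certificate. The request URLs, cookie value and issuer strings are constructed, and CONTAINS is modelled as a plain substring test.

```python
# Added example: simulate the article's SSL policy rules and session policy
# against a constructed request sequence. Not the appliance's own code.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


def ssl_pol1_matches(req: Request) -> bool:
    """REQ.HTTP.METHOD == POST && REQ.HTTP.URL CONTAINS /cgi/login"""
    return req.method == "POST" and "/cgi/login" in req.url


def ssl_pol2_matches(req: Request) -> bool:
    """REQ.HTTP.HEADER Cookie CONTAINS NSC_AAAC && REQ.HTTP.URL CONTAINS f_services"""
    cookie = req.headers.get("Cookie", "")
    return "NSC_AAAC" in cookie and "f_services" in req.url


def session_policy_matches(cert_issuer: str, authority_name: str) -> bool:
    """CLIENT.CERT.ISSUER CONTAINS <AuthorityName>, modelled as a substring test."""
    return authority_name in cert_issuer


# Constructed login flow: landing page, credential POST, then the home page
# request that already carries the session cookie issued after login.
LOGIN_FLOW = [
    Request("GET", "/vpn/index.html"),
    Request("POST", "/cgi/login"),
    Request("GET", "/vpn/f_services.html",
            {"Cookie": "NSC_AAAC=constructedsessionid"}),
]


def certificate_prompts(flow):
    """Per request, name the SSL policy that would trigger the client-cert check."""
    return [
        (req.url,
         "ssl_pol1" if ssl_pol1_matches(req)
         else "ssl_pol2" if ssl_pol2_matches(req)
         else None)
        for req in flow
    ]


if __name__ == "__main__":
    for url, policy in certificate_prompts(LOGIN_FLOW):
        print(f"{url:24} -> {policy or 'no certificate check'}")
```

The first procedure's rule fires on the credential POST, the second's only once the NSC_AAAC cookie is presented on the home page request; because CONTAINS is a substring match, choose an AuthorityName that cannot appear as a fragment of another issuer's name.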

Additional Resources

For the procedures covered in this article, you do not need to enable the -clientAuth (mandatory/optional) parameter at the SSL VServer level. Additionally, the web browser displays the Client Certificate selection dialog box after the user enters the credentials in the Access Gateway Enterprise Edition VServer login page.


Special note

This article originates from Citrix.com; the copyright of the translation belongs to the translator. Please credit the source when reprinting.
