Note: Certificate authentication must be configured correctly before enabling WUI CAC support.

After session management has been enabled, CAC authentication can also be enabled for LoadMaster WUI access. To enable this, follow the steps below:

  1. In the main menu of the LoadMaster WUI, go to Certificates & Security > Remote Access.

  2. Select the relevant Admin Login Method.

The following login methods are available:

  • Password Only Access (default): This option provides access using the username and password only – there is no access using client certificates.

  • Password or Client certificate: The user can log in using either the username/password or using a valid client certificate. If a valid client certificate is in place, the username and password is not required.The client is asked for a certificate. If a client certificate is supplied, the LoadMaster will check for a match. The LoadMaster checks if the certificate is a match with one of the local certificates, or checks if the Subject Alternative Name (SAN) or Common Name (CN) of the certificate is a match. The SAN is used in preference to the CN when performing a match. If there is a match, the user is allowed access to the LoadMaster. This works both using the API and user interface.An invalid certificate will not allow access.If no client certificate is supplied, the LoadMaster will expect that a username and password is supplied (for the API) or will ask the user to enter a password using the standard WUI login page.

    Note: You can allow local users to log in even if the client certificate has been deleted from the LoadMaster by enabling the Allow Client Certificate Login Without Locally Installed User Certificate option (under Certificates & Security > Remote Access > Administrator Access). By default, this option is disabled. Legacy local certificate login is not secure. Only enable this option if necessary. When enabling this option, a confirmation warning appears. Click OK to confirm.

  • Client certificate required: Access is only allowed with the use of a client certificate. It is not possible to log in using the username and password. SSH access is not affected by this (only the bal user can log in using SSH).

  • Client certificate required (Verify via OCSP): This is the same as the Client certificate required option, but the client certificate is verified using an OCSP service. The OCSP Server Settings must be configured in order for this to work. For further information on the OCSP Server Settings, refer to the Configure the OCSP Options section.

Note: In LoadMaster firmware version 7.2.53 and above, the OCSP server settings do not need to be configured in the LoadMaster if the certificate has an Authority Information Access (AIA) extension that the LoadMaster will attempt to connect to it.

Some points to note regarding the client certificate methods are below:

  • The bal user does not have a client certificate. Therefore, it is not possible to log into the LoadMaster as bal using the Client certificate required methods. However, a non-bal user can be created and granted All Permissions. This will allow the same functionality as the bal user.
  • There is no log out option for users that are logged in to the WUI using client certificates, as it is not possible to log out (if the user did log out the next access would automatically log them back in again). The session is terminated when the page is closed, or when the browser is restarted.