Forum Discussion

Duncan_124777
Apr 14, 2013

Authenticate corporate Iphone with APM

Hello,

I am studying the possibility of authenticating users with iPhones who access the internet through an internal proxy.

Users are connected with their iPhones by a Wi-Fi connection to the enterprise network. They are authenticated on the enterprise network through an ACS with 802.1X and the certificate present on the iPhone. Next, once they are connected to the enterprise network, they use an internal proxy for web-surfing access to the internet. A BIG-IP LTM F5 is used to load-balance the traffic sent to the proxies.

The problem is that the proxies used for web surfing perform authentication by Kerberos. The proxies are today unable to authenticate iPhone users.

The aim is to identify users so that the proxy gives internet access to the users according to the group membership policy, as for any internal user. As users are already authenticated on the network, no more actions on this side are needed.

I am thinking of using the APM module added to the internal F5, which is used only at the moment with the LTM module (as I see, the ACA component is end of life), with a policy associated with the Virtual Server of the proxy in order to perform the following actions:

- Inspect the certificate in order to extract the user identity from the Subject Alternative Name

- A Kerberos delegation given to the F5 on AD will permit the F5 to obtain a Kerberos token for the user identity

With that, the F5 will be able to present the Kerberos token to the proxy on behalf of the user identity, and next the proxy will be able to perform access policy according to the group membership policy.

Does someone know if it is possible to use the APM module in this context? Is it a possible architecture? If not, is there another possible architecture with F5?

Do you have more information/explanation about Kerberos delegation use with F5? With which account will the Kerberos token be sent to the proxy: the user identity or the F5 identity? Do you have more details about the flow exchange between F5 and Active Directory?

Thanks

3 Replies

  • This should be possible - the only uncertainty I have is with respect to the proxy use case - but you can definitely have a Virtual Server on the LTM+APM that will authenticate mobile users based on the certificate and perform Kerberos SSO to the proxy. Is the proxy transparent or explicit? I am venturing a guess that you are not running an HTTP profile on the LTM virtual that load-balances the proxies, but if you want to perform authentication, you have to have an HTTP profile assigned to it, which means that you now need to do forward SSL proxy on the BIG-IP as well. Thankfully, this functionality is part of version 11.3.

  • Hello,

    Thanks for this first answer :-).

    The proxy is explicit.

    If I understand well, I have to implement an SSL client profile on the VS of the proxy so that the F5 will be able to inspect the client certificate and obtain the identity of the user: first the F5 (VS) presents its certificate and next the client (iPhone) presents its certificate to the F5.

    But I don't understand about using a forward SSL proxy on the BIG-IP. Why use this functionality? The F5 link explains basically how it works and how to configure it, but I don't really understand its utility in this context. Can you explain a little more please?

    I have another question: if the client sends a first request which is an HTTPS request, how will it work? Will BIG-IP be able to authenticate the user and send the Kerberos token to the proxy?

    Thanks for your help
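As an added example (not from the thread, nor F5 code), here is the first step of the architecture proposed in the opening post: pulling the user identity out of the client certificate's Subject Alternative Name. On Windows-enrolled devices the UPN travels as an otherName with OID 1.3.6.1.4.1.311.20.2.3, not as an e-mail or DNS SAN, and that UPN is the identity a Kerberos delegation request would be made for. The SAN extension bytes are constructed inside the script (assumed user jdoe@corp.example); standard library only.

```python
# Windows UPN otherName type-id 1.3.6.1.4.1.311.20.2.3 (szOID_NT_PRINCIPAL_NAME), DER contents.
UPN_OID = bytes.fromhex("2b060104018237140203")

def _tlv(tag, body):
    """DER-encode one tag/length/value (short and long-form lengths)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _iter_tlv(data):
    """Yield (tag, value) for each DER element inside a constructed value."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                      # long form: low 7 bits = number of length bytes
            nb = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + nb], "big"), i + nb
        yield tag, data[i:i + ln]
        i += ln

def upn_from_san(san_der):
    """Return the UPN carried in a DER SubjectAltName value, or None if absent."""
    _, names = next(_iter_tlv(san_der))                     # outer GeneralNames SEQUENCE
    for tag, body in _iter_tlv(names):
        if tag != 0xA0:                                     # only [0] otherName can hold a UPN
            continue
        (_, oid), (_, wrapped) = _iter_tlv(body)            # type-id OID, [0] EXPLICIT value
        if oid == UPN_OID:
            return next(_iter_tlv(wrapped))[1].decode("utf-8")   # inner UTF8String
    return None

def kerberos_principal(upn):
    """Principal a delegated ticket would be requested for: user@REALM (realm upper-case)."""
    user, _, domain = upn.partition("@")
    return f"{user}@{domain.upper()}"

# Constructed sample SAN: an rfc822Name plus a Windows-style UPN otherName.
SAMPLE_SAN = _tlv(0x30, _tlv(0x81, b"jdoe@corp.example") + _tlv(0xA0,
    _tlv(0x06, UPN_OID) + _tlv(0xA0, _tlv(0x0C, b"jdoe@corp.example"))))

if __name__ == "__main__":
    upn = upn_from_san(SAMPLE_SAN)
    print(upn, "->", kerberos_principal(upn))
```

A certificate whose SAN carries only an e-mail or DNS name yields None, which is the case to check first when an access policy cannot find a username to delegate for.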