Authenticate corporate iPhone with APM
Hello,
I am studying the possibility of authenticating users with iPhones who access the internet through an internal proxy.
Users are connected with their iPhones by a Wi-Fi connection on the enterprise network. They are authenticated on the enterprise network through an ACS with 802.1X and the certificate present on the iPhone. Next, once they are connected on the enterprise network, they use an internal proxy for web surfing access to the internet. A BIG-IP LTM F5 is used to load balance the traffic sent to the proxies.
The problem is that the proxies used for web surfing perform authentication by Kerberos. Today the proxies are unable to authenticate iPhone users.
The aim is to identify users so that the proxy gives internet access to the users according to the group membership policy, as for any internal user. As users are already authenticated on the network, no more actions on this side are needed.
I am thinking of using the APM module added to the internal F5, which is used at the moment only with the LTM module (as I see, the ACA component is end of life), with a policy associated to the Virtual Server of the proxy in order to perform the following actions:
- Inspect the certificate in order to extract the user identity from the Subject Alternative Name
- A Kerberos delegation given to the F5 on AD will permit the F5 to obtain a Kerberos token for the user identity
With that, the F5 will be able to present the Kerberos token to the proxy on behalf of the user identity, and next the proxy will be able to perform an access policy according to group membership.
Does someone know if it is possible to use the APM module in this context? Is it a possible architecture? If not, is there another possible architecture with F5?
Do you have more information/explanation about the use of Kerberos delegation with F5? With which account will the Kerberos token be sent to the proxy? User identity or F5 identity? Do you have more details about the flow exchange between F5 and Active Directory?
Thanks
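The identity-extraction step from the question (reading the user from the certificate's Subject Alternative Name), as an added example that is neither F5/APM code nor the poster's own: a small DER walk over a SAN extension value that returns only the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), because the rfc822Name or dNSName entries in the same extension are not the account name a Kerberos delegation needs. The SAN bytes and the account names are constructed inline; chain validation of the client certificate is assumed to have happened before this value is trusted.

```python
from __future__ import annotations
from typing import Iterator, Optional

# DER encoding of OID 1.3.6.1.4.1.311.20.2.3 (Microsoft User Principal Name otherName)
UPN_OID = bytes.fromhex("2b060104018237140203")

def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_children(value: bytes) -> Iterator[tuple[int, bytes]]:
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def san_names(san_der: bytes) -> list[tuple[str, str]]:
    """List the GeneralNames of a SAN extension value as (kind, text) pairs."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN value must be a SEQUENCE OF GeneralName")
    names: list[tuple[str, str]] = []
    for tag, inner in iter_children(seq):
        if tag == 0xA0:                    # otherName ::= { type-id OID, value [0] EXPLICIT ANY }
            oid_tag, oid, pos = read_tlv(inner, 0)
            _, explicit, _ = read_tlv(inner, pos)
            val_tag, val, _ = read_tlv(explicit, 0)
            if oid_tag == 0x06 and oid == UPN_OID and val_tag == 0x0C:   # UTF8String UPN
                names.append(("upn", val.decode("utf-8")))
            else:
                names.append(("otherName", oid.hex()))
        elif tag == 0x81:
            names.append(("rfc822Name", inner.decode("ascii")))
        elif tag == 0x82:
            names.append(("dNSName", inner.decode("ascii")))
    return names

def upn_from_san(san_der: bytes) -> Optional[str]:
    """Return the single UPN otherName, or None; e-mail and DNS names are never used as a fallback."""
    upns = [v for k, v in san_names(san_der) if k == "upn"]
    return upns[0] if len(upns) == 1 else None

def tlv(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV builder (bodies under 128 bytes), used only to construct the sample."""
    return bytes([tag, len(body)]) + body

# Constructed sample SAN: a UPN otherName plus an rfc822Name carrying a different address.
SAMPLE_SAN = tlv(0x30, tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"alice@corp.example")))
                     + tlv(0x81, b"alice.smith@mail.example"))

if __name__ == "__main__":
    print(san_names(SAMPLE_SAN))          # both names, with their kinds
    print(upn_from_san(SAMPLE_SAN))       # alice@corp.example
```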