Forum Discussion
Oh, I see what you mean now, sorry. Yes, I can easily differentiate between internal and external users based on their IP address. So my two main access scenarios would be:
1) Domain-joined user on the internal IP range connects to the HTTPS VIP and has a Kerberos token in their session. Their token will be interrogated, a query run, and access granted.
2) Non-domain-joined user on the external network connects and is presented with the forms-based F5 login page. They authenticate via AAA, an AD query verifies they meet our access requirement, and they are granted access to the resource.
But there would be this odd case on occasion, when an internal user didn't have a Kerberos ticket:
3) User connects on the internal network without a Kerberos ticket. The user's browser is issued a 401 response but cannot respond with a ticket, so it produces a Basic login dialogue box.
In scenario 3, is it easy enough to have the APM accept the credentials supplied via Basic authentication from the browser? We could have this situation for a number of reasons, being a university: non-standard browsers, Mac or Linux computers not joined to our AD domain, etc.
Also, if a user does have a Kerberos ticket, but after our AD query we find they don't have the desired authentication, would it be easy enough to pass the user to the forms-based login? I'm assuming it would, because at this stage in the access policy we would have moved from the Kerberos pickup to an AD query, and so we would get to decide the outcome?
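The following is an added example that models the three branches described in the post; it is not the poster's configuration and not F5 APM code. It shows the two things the policy has to get right on the wire: the 401 for internal clients must advertise both `Negotiate` and `Basic` so a browser with no ticket has something to answer with, and the `Authorization` header that comes back has to be told apart (SPNEGO/Kerberos blob, raw NTLM under `Negotiate`, or Basic credentials). The internal ranges, the `/my.policy` forms-login path, the `app-users` group and the small in-memory directory are all assumptions standing in for the real VIP, AD and access requirement. Kerberos ticket validation itself (keytab, AP-REQ check) is outside the example, so the principal it yields is passed in by the caller. One caveat the model encodes: a Windows browser without a ticket usually answers `Negotiate` with NTLM rather than falling back to Basic, and the example sends that case to the forms login instead of re-challenging in a loop.

```python
"""Model of the internal/external access-policy branches (added example, not APM code)."""
import base64
import binascii
import ipaddress

# Assumed internal ranges; use whatever the VIP actually sees as client addresses.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("172.16.0.0/12")]

# DER-encoded OIDs found at the start of a GSS-API initial context token:
# SPNEGO (1.3.6.1.5.5.2) and Kerberos V5 (1.2.840.113554.1.2.2).
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLMSSP_SIG = b"NTLMSSP\x00"       # raw NTLM also arrives under the Negotiate scheme

FORMS_LOGIN = "/my.policy"         # hypothetical path of the forms-based login page
REQUIRED_GROUP = "app-users"       # assumed group the AD query checks for

# Constructed sample directory standing in for AD: user -> (password, groups).
DIRECTORY = {
    "alice": ("Winter2024!", {"staff", "app-users"}),
    "bob": ("hunter2", {"students"}),
}

# Constructed request headers used by the demo below.
SAMPLE_BASIC_ALICE = "Basic " + base64.b64encode(b"alice:Winter2024!").decode()
SAMPLE_BASIC_BOB = "Basic " + base64.b64encode(b"bob:hunter2").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00").decode()


def is_internal(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_RANGES)


def classify_authorization(header):
    """Work out what the browser answered the 401 with.

    Returns (kind, payload): kind is 'none', 'kerberos', 'ntlm', 'basic' or
    'unknown'; payload is (user, password) for Basic, otherwise None.
    """
    if not header:
        return "none", None
    scheme, _, blob = header.strip().partition(" ")
    try:
        token = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return "unknown", None
    scheme = scheme.lower()
    if scheme == "basic":
        user, sep, password = token.decode("utf-8", "replace").partition(":")
        return ("basic", (user, password)) if sep else ("unknown", None)
    if scheme == "negotiate":
        if token.startswith(NTLMSSP_SIG):
            return "ntlm", None
        # GSS-API InitialContextToken: [APPLICATION 0] tag 0x60, length, then the OID.
        if token[:1] == b"\x60" and (SPNEGO_OID in token[:16] or KRB5_OID in token[:16]):
            return "kerberos", None
    return "unknown", None


def ad_query(user):
    """Stand-in for the AD group lookup: does the user meet the access requirement?"""
    entry = DIRECTORY.get(user)
    return entry is not None and REQUIRED_GROUP in entry[1]


def basic_credentials_valid(user, password):
    entry = DIRECTORY.get(user)
    return entry is not None and entry[0] == password


def decide(client_ip, authorization=None, gss_principal=None):
    """Return the policy outcome for one request as a dict."""
    kind, payload = classify_authorization(authorization)

    # Scenario 2: external clients always get the forms-based login page.
    if not is_internal(client_ip):
        return {"branch": 2, "action": "redirect", "location": FORMS_LOGIN}

    if kind in ("none", "unknown"):
        # Scenario 3, first leg: offer both schemes so a client with no ticket
        # can still answer with Basic instead of giving up.
        return {"branch": 3, "action": "challenge", "status": 401,
                "www_authenticate": ["Negotiate", 'Basic realm="APM"']}

    if kind == "ntlm":
        # No ticket and no Basic dialogue either; hand over to the forms login
        # rather than re-challenging forever (assumed policy choice).
        return {"branch": 3, "action": "redirect", "location": FORMS_LOGIN}

    if kind == "kerberos":
        # Scenario 1: ticket present, so the AD query decides; a failing query
        # sends the user to the forms login instead of a flat deny.
        if gss_principal and ad_query(gss_principal):
            return {"branch": 1, "action": "allow", "user": gss_principal}
        return {"branch": 1, "action": "redirect", "location": FORMS_LOGIN}

    # kind == "basic": Scenario 3, second leg, credentials checked then AD query run.
    user, password = payload
    if basic_credentials_valid(user, password) and ad_query(user):
        return {"branch": 3, "action": "allow", "user": user}
    return {"branch": 3, "action": "challenge", "status": 401,
            "www_authenticate": ["Negotiate", 'Basic realm="APM"']}


if __name__ == "__main__":
    for ip, auth, principal in [("10.1.2.3", None, None),
                                ("203.0.113.9", None, None),
                                ("10.1.2.3", SAMPLE_BASIC_ALICE, None),
                                ("10.1.2.3", SAMPLE_SPNEGO, "bob"),
                                ("10.1.2.3", SAMPLE_NTLM, None)]:
        print(ip, auth and auth.split()[0], decide(ip, auth, principal))
```

In a real APM policy the same branching is expressed in the visual policy editor (Kerberos auth, AD query, then a branch to a logon page or a deny), and the `Negotiate` versus `Basic` distinction is made by the HTTP 401 response agent; the code above only makes the decision points explicit so each scenario in the post can be checked against a request.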