Machine Cert Check with OCSP failure check / Fall back to CRL
Hi, running APM Edge 11.4.1, I'm trying to implement a solid SSO APM policy for a BitLocker-secured Windows 8 build which will be robust enough to work even if OCSP is offline.
The background to this is that I want to create an SSO for Windows 8 users coming in on (1) specific IP network ranges using our corporate SOE, (2) check that their machine has a valid machine cert (OCSP check with fallback to CRL), followed by (3) a Kerberos check to ascertain that the user's Windows account is valid, and then, if all is good, (4) assign them VPN access.
If all this works as planned we should have a simple (for the end user, anyway) secure solution which allows our on-campus users a secure VPN tunnel via Wi-Fi without the need to manually authenticate until they move onto an unknown Wi-Fi AP. (The reason being that we treat our Wi-Fi network as an untrusted network, hence the need to VPN.)
Now I've got our CRL consolidation working via this script https://devcentral.f5.com/questions/automaticlly-update-crl with some tweaks.
I'm having difficulty finding how to invoke a machine cert check with an iRule which allows CRL failover. The APM OOTB Machine Cert Checker policy doesn't quite cut it in regards to the fallback requirement.
I have found this link https://devcentral.f5.com/questions/ocsp-with-crl-fallback but this seems to only apply to client SSL certs. Is there another event I can call that would do the same checks for a machine cert?
I am also having limited success getting Kerberos to work consistently; however, I think this is due to some helpful DC issues and IE11 "features".
Any suggestions / help would be appreciated.
Thanks