How to bypass EPA check on mobile device using nFactor Authentication

Article ID: CTX319788

Description

This article describes how to bypass the EPA check on mobile devices using nFactor authentication. Mobile devices will not run the EPA scan if you configure pre-authentication for the EPA scan. A mobile device will always hit the policy, and it will fail.


Instructions

Requests from mobile devices contain "Android", "iPhone", or "iPad" in the User-Agent header, so the User-Agent can be used in the authentication policy as shown below.
  1. Priority 100: LDAP Policy (for mobile device, expression using "Android/iPhone/iPad" in user-agent), critical configuration:
  • add authentication Policy LDAP_Policy_For_Mobile -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Android\")||HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"iPhone\")||HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"iPad\")" -action LDAP_Server
  2. Priority 110: Flow: No Auth Policy ---> EPA Check Policy (Policy Label) ---> LDAP Policy (Label), critical configuration:
  • add authentication Policy No_Auth -rule true -action NO_AUTHN
  • add authentication Policy EPA_Check_MAC -rule true -action EPA
  • add authentication policylabel EPA_Policy_Label -loginSchema LSCHEMA_INT
  • add authentication policylabel LDAP_For_PC -loginSchema Single_Auth_Profile
  • bind authentication policylabel LDAP_For_PC -policyName LDAP_Policy_For_PC -priority 100 -gotoPriorityExpression NEXT
  • bind authentication policylabel EPA_Policy_Label -policyName EPA_Check_MAC -priority 100 -gotoPriorityExpression NEXT -nextFactor LDAP_For_PC
  3. Bind the authentication policies and the login schema policy to the AAA vserver. The LDAP policy for mobile devices should have the higher priority.
  • bind authentication vserver AAA-Vserver -policy Single_Auth_Policy -priority 100 -gotoPriorityExpression END
  • bind authentication vserver AAA-Vserver -policy LDAP_Policy_For_Mobile -priority 100 -gotoPriorityExpression NEXT
  • bind authentication vserver AAA-Vserver -policy No_Auth -priority 110 -nextFactor EPA_Policy_Label -gotoPriorityExpression NEXT
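
The flow above, modelled in Python as an added example (not Citrix code and not part of the original article), to check which factors a given User-Agent walks through before the policies are bound. It assumes case-sensitive matching, that the first policy whose rule is true is the one applied, and that every action succeeds; the action behind LDAP_Policy_For_PC is not shown in the article and appears as a placeholder, and the Single_Auth_Policy login schema binding is left out.

```python
# Simplified model of the nFactor bindings in this article (added example).
MOBILE_TOKENS = ("Android", "iPhone", "iPad")  # tokens from the -rule expression


def is_mobile(user_agent):
    """Mirror of the LDAP_Policy_For_Mobile rule (case-sensitive, assumed)."""
    return any(token in user_agent for token in MOBILE_TOKENS)


def always(_user_agent):  # mirror of '-rule true'
    return True


# factor -> [(priority, policy, rule, action, nextFactor)]
FACTORS = {
    "AAA-Vserver": [
        (100, "LDAP_Policy_For_Mobile", is_mobile, "LDAP_Server", None),
        (110, "No_Auth", always, "NO_AUTHN", "EPA_Policy_Label"),
    ],
    "EPA_Policy_Label": [(100, "EPA_Check_MAC", always, "EPA", "LDAP_For_PC")],
    # Action of LDAP_Policy_For_PC is not shown in the article: placeholder.
    "LDAP_For_PC": [(100, "LDAP_Policy_For_PC", always, "<PC LDAP action>", None)],
}


def auth_path(user_agent, start="AAA-Vserver"):
    """Return the ordered (policy, action) pairs a request walks through."""
    path, factor = [], start
    while factor is not None:
        bindings = sorted(FACTORS[factor], key=lambda b: b[0])
        for _prio, policy, rule, action, next_factor in bindings:
            if rule(user_agent):
                path.append((policy, action))
                factor = next_factor
                break
        else:
            factor = None  # no rule matched: the flow ends here
    return path


def runs_epa(user_agent):
    """True if the EPA action is on the path for this User-Agent."""
    return any(action == "EPA" for _policy, action in auth_path(user_agent))


if __name__ == "__main__":
    # Constructed sample User-Agent strings, not captured traffic.
    for ua in ("Mozilla/5.0 (Linux; Android 13)", "Mozilla/5.0 (Windows NT 10.0)",
               "mozilla/5.0 (iphone; cpu iphone os 16_0)"):
        print(runs_epa(ua), auth_path(ua), ua)
```

The mobile branch is selected only from the client-supplied User-Agent string, so runs_epa() shows which clients the EPA factor never evaluates; a token in different letter case lands on the EPA branch under the case-sensitivity assumption.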