We can resolve this by creating an nFactor flow.
nFactor flow:
Step-1: In the first factor, add a noschema policy that contains no login schema.
Step-2: Add a policy called "evaluate" that checks whether the device is a Windows or Mac desktop. If the device is a Windows or Mac desktop, it goes to the next factor; if the device belongs to the Android or iOS category, it is forbidden by this policy.
The expression:
HTTP.REQ.HEADER("User-Agent").CONTAINS("Win") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Android").NOT || HTTP.REQ.HEADER("User-Agent").CONTAINS("Mac") && HTTP.REQ.HEADER("User-Agent").CONTAINS("iOS").NOT
Step-3: Add a second policy (the "Eliminate" policy referred to in Step-10) that checks whether the device falls under the Android or iOS category. If it does, the device passes to the next factor.
The expression:
HTTP.REQ.HEADER("User-Agent").CONTAINS("Android") || HTTP.REQ.HEADER("User-Agent").CONTAINS("iOS")

Step-4: If the "evaluate" policy is true, the next factor it hits is Desktop.
Click the green plus sign next to the "evaluate" policy, create a new factor, and name it Desktop.
Note: This policy evaluates whether the device is a Windows or Mac desktop. If the device belongs to this category, it hits Desktop as the next factor, which evaluates the EPA scan.
Step-5: For the login schema, choose the noschema policy you created earlier.
Step-6: Bind the EPA policy as the policy for this factor.

I have bound the EPA policy that scans and verifies the Microsoft Edge version.
Step-7: If the EPA scan is successful for Windows or Mac desktop users, they go to the next factor, i.e., LDAP authentication.
Step-8: Create a new factor named "LDAP", then add a login schema policy that has a singleauth login schema, as we have only a single authentication policy (LDAP).
Step-9: In the policy section, bind the LDAP policy.
Make sure you choose "END" as the goto expression.
Step-10: Now go back to the "Eliminate" policy section, which evaluates for Android/iOS devices. If the device belongs to the Android or iOS category, it just hits a simple LDAP policy.
Click the green plus sign next to the "Eliminate" policy and create a new factor named "Android-iOS".
Step-11: Add the singleauth policy, or leave it as it is without adding any login schema.
Bind the same LDAP policy.
Make sure you choose the "END" option for the goto expression.
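To check how the two User-Agent rules from Step-2 and Step-3 route clients before binding them, the following added example (not Citrix's or the author's code) models the rules in Python and runs them over constructed User-Agent strings. It assumes CONTAINS is a case-sensitive substring match, that && binds tighter than ||, and that "evaluate" is checked before "Eliminate"; the function names and sample strings are hypothetical.

```python
# Added example: local model of the first-factor rules from Step-2 and Step-3.
# Assumptions: CONTAINS is a case-sensitive substring match, && binds tighter
# than ||, and "evaluate" is bound at a higher priority than "Eliminate".

def evaluate(ua: str) -> bool:
    """Step-2 rule: Windows or Mac desktop."""
    return ("Win" in ua and "Android" not in ua) or ("Mac" in ua and "iOS" not in ua)

def eliminate(ua: str) -> bool:
    """Step-3 rule: Android or iOS."""
    return "Android" in ua or "iOS" in ua

def next_factor(ua: str):
    """Return the name of the factor (as used in the article) this client reaches."""
    if evaluate(ua):
        return "Desktop"        # EPA scan, then LDAP
    if eliminate(ua):
        return "Android-iOS"    # LDAP only
    return None                 # neither first-factor policy matches

# Constructed sample User-Agent strings (not captured from real traffic).
SAMPLES = {
    "windows-edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0",
    "macos-safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                    "(KHTML, like Gecko) Version/17.0 Safari/605.1.15",
    "android-chrome": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36",
    "iphone-safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                     "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
                     "Mobile/15E148 Safari/604.1",
    "iphone-chrome": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
                     "AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/120.0.6099.119 "
                     "Mobile/15E148 Safari/604.1",
    "linux-chrome": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
}

def route_all() -> dict:
    """Map every sample name to the factor it would reach."""
    return {name: next_factor(ua) for name, ua in SAMPLES.items()}

if __name__ == "__main__":
    for name, factor in route_all().items():
        print(f"{name:15} -> {factor}")
```

With these constructed samples, the iPhone Safari string reaches the Desktop (EPA) factor because it contains "Mac" but not the literal "iOS", and the Linux string matches neither rule, so compare the results against the User-Agent values your own clients actually send.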
Problem Cause
The EPA scan was being prompted on Android, iOS and mobile devices. EPA scan doesn't work for mobile devices.
Configuration of the AAA vserver during the issue:
We tried to create a simple AAA vserver where the first factor evaluates the EPA scan and the second factor is LDAP.
Step-1: AAA vserver name "epa-pre"

Step-2: The EPA check is the first factor, and in the next factor I have added a simple LDAP policy.
Step-3: Added a simple EPA scan to check the Edge version.
Step-4: The LDAP policy is an advanced policy.
Step-5: While trying to access the gateway, we were first prompted for the EPA check, which passed, and then we got the LDAP authentication page.

Step-6: When we tried to access the gateway via a mobile device, we were prompted with the EPA scan, which fails because the EPA plugin/scan is not supported on mobile devices/iPad.