Requirements: This lab requires a load balancing vServer with nFactor authentication as set up in the previous labs.
The goal
Users of a certain browser should get single-factor authentication; users of all other browsers require two factors.
We know that’s a stupid setup, but it’s easy to test. A real-world setup would be: single-factor authentication from the corporate LAN and two factors from outside, decided by IP range. The two policy expressions would be CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8) and CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8).NOT.
Changes to the existing LDAP Policy
We need to change the existing LDAP policy so that it only becomes active when the user’s browser is not Firefox.
Navigate to Security → AAA-Application Traffic → Policies → Authentication → Advanced Policies → Policy.
Select the existing LDAP policy and change the policy expression to HTTP.REQ.HEADER("User-Agent").CONTAINS("Firefox").NOT (use Chrome for Google’s Chrome, Trident for Microsoft Internet Explorer, and so on).
The point of this policy: only users of non-Firefox browsers should hit it.
Creating a 2nd LDAP policy
We also need a policy for Firefox users.
Keep the policy selected after updating the policy expression and click Add. This creates a copy of the policy. Give it a different name and remove .NOT from the policy expression. Click OK.
Open the lb vServer and bind this policy as well.
Testing
Try logging on using Firefox (or whichever browser you selected). It should be single-factor authentication. Then choose a different browser; authentication should require two factors.
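As an added illustration (not part of this lab or of any Citrix code), the following Python models how a bank of two complementary policy expressions selects the flow, for the browser-based pair built above and for the IP-based pair the page recommends for real deployments; policy names, priorities and sample requests are constructed. The User-Agent header is set by the client, which is why the browser-based pair is only good for testing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List

# A request as the policy engine sees it: only the two attributes the
# expressions on this page consult (constructed sample data).
@dataclass
class Request:
    user_agent: str
    src_ip: str

# Stand-ins for the two expression primitives used on this page.
def header_contains(header_value: str, needle: str) -> bool:
    return needle in header_value        # CONTAINS: case-sensitive substring test

def in_subnet(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

@dataclass
class Policy:
    name: str                            # hypothetical policy name
    priority: int                        # lower number is evaluated first
    rule: Callable[[Request], bool]
    action: str                          # "single-factor" or "two-factor" flow

def evaluate(bank: List[Policy], req: Request) -> str:
    """First policy (lowest priority number) whose rule is true wins."""
    for pol in sorted(bank, key=lambda p: p.priority):
        if pol.rule(req):
            return pol.action
    return "no-match"                    # nothing caught the request: deny, don't guess

# The lab's pair: CONTAINS("Firefox") for Firefox, its .NOT for everyone else.
BROWSER_BANK = [
    Policy("ldap_firefox", 100, lambda r: header_contains(r.user_agent, "Firefox"), "single-factor"),
    Policy("ldap_others", 110, lambda r: not header_contains(r.user_agent, "Firefox"), "two-factor"),
]

# The real-world pair: IN_SUBNET(10.0.0.0/8) for the corporate LAN, its .NOT for outside.
LAN_BANK = [
    Policy("ldap_lan", 100, lambda r: in_subnet(r.src_ip, "10.0.0.0/8"), "single-factor"),
    Policy("ldap_wan", 110, lambda r: not in_subnet(r.src_ip, "10.0.0.0/8"), "two-factor"),
]

def is_complete_partition(bank: List[Policy], samples: List[Request]) -> bool:
    """Sanity check: every sample request matches exactly one policy in the bank.
    Fails if the two expressions overlap or leave a gap (e.g. .NOT forgotten)."""
    return all(sum(p.rule(r) for p in bank) == 1 for r in samples)
```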