How to set up Client Authentication Mode based on User-agent.
When a service is using the Client Authentication mode with ESP and it is set to NTLM. A domain joined device will provide authentication without the need for the user to interact with a form. However mobile devices on Android and IOS are not domain joined. This results in the client receiving a 401 response from the service. The Client is unlikely to send an Authorization header and this prevents them from authenticating with the NTLM service.
To allow mobile and tablet devices access to the service they would need to use an alternative client Authentication Method. If the non domain joined client was presented with a forms based login, a user could manually complete the form. If they're authenticated they can gain access to a service. To achieve this we will match on the HTTP header for User-Agent.
A User-Agent is an application acting on the behalf of a user. For example Chrome, Firefox and Edge browsers are user agents. The User-Agent header contains details about the browser version, system information and platform details.
Here is an example of the User-Agent string from chrome on a Galaxy Nexus device.
Mozilla/5.0 (Linux; Android 4.0.4; Galaxy Nexus Build/IMM76B) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.133 Mobile Safari/535.19
With content switching we can match on specific strings contained in the value of the User-Agent string. When the match is triggered the LoadMaster can forward this client to different Sub Virtual services.
Configuration
Navigate to Rules & Checking > Content Rules > Create New.
Configure the following:
Rule Name: User_Agent
Rule Type: Content Matching
Match Type: Regular Expression
Header Field: User-Agent
Match String: /^.*Mobile.*|.*Tablet.*|.*Phone.*|.*Android.*/
This rule needs to be applied to an existing virtual service with ESP configured. For more information on configuring ESP see here
In this example a Virtual Service has been configured with two sub virtual services. One for Forms based Authentication. The other for NTLM.
Both SubVSs have ESP enabled. The Client Authentication Mode is configure to match the given name of the SubVS. We need to map the correct rule to the required SubVS.
Modify the Virtual service > Advanced Properties > Content Switching > Enable. This will display the Rules option under SubVSs.
Click on None for the Forms based SubVSs and apply the User_Agent rule from the Add Rule drop-down menu. Once applied, select <-Back
Click on None for the NTLM SubVSs and apply the default rule from the Add Rule drop-down menu. Once applied, select <-Back
The default rule is catch all rule. If the User_Agent is not matched all traffic will enter the NTLM SubVS. Clients on mobile or tablet devices will now receive a forms based Authentication prompt. All other clients will be treated as Domain Joined and NTLM will be used.