No doubt some people noticed the change in order of the authentication fields for the Receiver found here:

There is a simple solution to restore the old behaviour if you are using AGEE. Simply create a couple of authentication policies in the same way you did when using a policy to direct traffic to the PNAgent site if the host header matches. Page 21 of this deployment guide has the details on how to configure AGEE session policies for iPhones and iPads:


I’ve used these in my lab with success:

add authentication radiusPolicy blogg-rsa-pri-pol “REQ.HTTP.HEADER User-Agent CONTAINS iPad” auth-profile-rsa
add authentication ldapPolicy blogg-ad-pri-pol ns_true auth-profile-ad
add authentication radiusPolicy blogg-rsa-sec-pol ns_true auth-profile-rsa
add authentication ldapPolicy blogg-ad-sec-pol “REQ.HTTP.HEADER User-Agent CONTAINS iPad” auth-profile-ad
bind vpn vserver blogg -policy blogg-rsa-pri-pol -priority 100
bind vpn vserver blogg -policy blogg-ad-pri-pol -priority 110
bind vpn vserver blogg -policy blogg-ad-sec-pol -priority 100 -secondary
bind vpn vserver blogg -policy blogg-rad-sec-pol -priority 110 -secondary

The key part here is the priority when binding. Make user the user-agent conditional policies are first for iPads and iPhones.