ADC

Multi-Factor (nFactor) authentication

Important

  • Citrix ADC Advanced Edition or Citrix ADC Premium Edition is required for nFactor authentication feature to work.

  • Supported from NetScaler 11.0 Build 62.x onwards.

  • Starting from NetScaler 12.0 Build 51.x, Citrix ADC appliance used as a SAML Service Provider (SP) with Multi-Factor (nFactor) authentication now prepopulates the user-name field on the login page. The appliance sends a NameID attribute as part of a SAML authorization request, retrieves the NameID attribute value from the Citrix ADC SAML Identity Provider (IdP), and prepopulates the user-name field.

Multifactor authentication enhances the security of an application by requiring users to provide multiple proofs of identify to gain access. The Citrix ADC appliance provides an extensible and flexible approach to configuring multifactor authentication. This approach is called nFactor authentication.

How nFactor authentication works

Each authentication factor performs the following tasks:

  • Collects credentials from the user. Citrix ADC supported authentication mechanisms include LDAP, RADIUS, SAML assertion, Client Certificate, OAuth OpenID Connect, Kerberos, and so on.

  • Evaluates the supplied credentials to decide whether the authentication succeeded, failed or the actions like Group extraction, Attribute extraction is to be performed.

  • Based on the evaluation results, access is either granted, denied, or a next factor is selected.

  • Repeat these steps, until there are no more next factors to evaluate.

With nFactor authentication you can:

  • Configure any number of authentication factors.
  • Base the selection of the next factor on the result of executing the previous factor.
  • Customize the login interface. For example, you can customize the label names, error messages, and help text.
  • Extract user group information without doing authentication.
  • Configure pass-through for an authentication factor. This means that no explicit login interaction is required for that factor.
  • Configure the order in which different types of authentication are applied. Any of the authentication mechanisms that are supported on the Citrix ADC appliance can be configured as any factor of the nFactor authentication setup. These factors are executed in the order in which they are configured.
  • Configure the Citrix ADC appliance to proceed to an authentication factor that must be executed when authentication fails. To do so, you configure another authentication policy with the same condition, but with the next highest priority and with the action set to “NO_AUTH”. You must configure the next factor, which must specify the alternative authentication mechanism to apply.

Encryption of Citrix Gateway login information for nFactor authentication

Starting from Citrix ADC release 12.1 build 56.22, Citrix Gateway with nFactor authentication can encrypt the login request fields submitted by a client (browser or SSO apps) during authentication process. The encrypted login request fields provide an extra layer of security to protect the user’s sensitive data from being disclosed.

Compatible browsers

The following table lists the browsers along with version details that support login encryption.

Browsers Version
Chrome 78 and above
Firefox 69 and above
Edge 42 and above
Safari 11.0 and above
Opera 66

Compatible clients

The following section lists the clients along with version details that support encryption of Citrix Gateway login information.

  • Citrix Workspace app in Mac supports encryption only when OS version is 10.14.x and above.
  • Citrix SSO app in Mac supports encryption only when OS version is 10.14.x and above.
  • Windows SSO app does not have restrictions on the compatibility.

To enable the login encryption by using the CLI

At the command prompt, type:

set aaa parameter \[-loginEncryption \(ENABLED | DISABLED)]

Note

The loginEncryption parameter is DISABLED by default. You must ENABLE it.

To enable the login encryption by using the GUI

  1. Navigate to Security > AAA – Application Traffic, click Change authentication AAA settings under Authentication Settings section.
  2. On the Configure AAA Parameter page, scroll down to the Login Encryption option, and enable it.

Important note about login encryption:

When you try logging on to NetScaler Gateway, you see an error message (see screenshot) in the following scenarios:

  • Login encryption is enabled.
  • Unsupported browser is used.

You can ignore the suggestion to disable login encryption. But, ensure that you use a supported browser for a successful logon.

login-encryption

Multi-Factor (nFactor) authentication