Product Documentation

Two Factor Authentication for Citrix ADC Console

Two-factor authentication is a security mechanism in which a Citrix ADC appliance authenticates a system user at two authenticator levels. The appliance grants access to the user only after the password has been validated successfully at both levels of authentication. If a user is authenticated locally, the user profile must be created in the Citrix ADC database. If the user is authenticated externally, the user name and password must match the user identity registered in the external authentication server.

Note: The two-factor authentication feature is available from Citrix ADC 12.1 build 51.16 onwards.

How two-factor authentication works

Consider a user trying to log on to a Citrix ADC appliance. The requested application server sends the user name and password to the first external authentication server (RADIUS, TACACS, LDAP, or AD). Once the user name and password are validated, the user is prompted for the second level of authentication and can now provide the second password. Only if both passwords are correct is the user allowed to access the Citrix ADC appliance. The following diagram illustrates how two-factor authentication works for a Citrix ADC appliance.

[Diagram: two-factor authentication flow for a Citrix ADC appliance]

The following are the different use cases for configuring two-factor authentication for external and system users.

Configuring two-factor authentication for Citrix ADC management access

You can configure the two-factor authentication feature on a Citrix ADC appliance in different ways. The configuration scenarios are given below:

  1. Two-factor authentication (2FA) across Citrix ADC GUI, CLI, API, and SSH.
  2. External authentication enabled and local authentication disabled for system users.
  3. External authentication enabled with policy-based local authentication for system users.
  4. External authentication disabled for system users with local authentication enabled.
  5. External authentication enabled and local authentication enabled for system users.
  6. External authentication enabled for selected LDAP users.

Case 1: Two-factor authentication (2FA) across Citrix ADC GUI, CLI, API, and SSH

Two-factor authentication is enabled and available across all Citrix ADC management access paths: GUI, API, and SSH.

Case 2: Two-factor authentication is supported on external authentication servers such as LDAP, RADIUS, Active Directory, and TACACS

You can configure two-factor authentication on the following external authentication servers for first-level and second-level user authentication.

  • RADIUS
  • LDAP
  • Active Directory
  • TACACS

Case 3: External authentication enabled and local authentication disabled for system users

You begin the authentication process by enabling the external authentication option and disabling local authentication for system users.


Complete the following steps by using the command line interface:

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP server
  3. Add authentication action for RADIUS server
  4. Add authentication policy for RADIUS server
  5. Add authentication login schema
  6. Add and bind authentication policy label to RADIUS policy
  7. Bind system global authentication for LDAP policy
  8. Disable local authentication in system parameter

Add authentication action for LDAP server (first level authentication)

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapBase <string> -ldapBindDn <binddn name> -ldapBindDnPassword <password> -ldapLoginName <loginname> -groupAttrName <grp attribute name> -subAttributeName <string> -ssoNameAttribute <string>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name

Add authentication policy for LDAP server (first level authentication)

At the command prompt, type:

add authentication policy <ldap policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Add authentication action for RADIUS server (second level authentication)

At the command prompt, type:

add authentication radiusaction <rad action name> -serverip <rad server ip> -radkey <key> -radVendorID <ID> -radAttributeType <rad attribute type>

Example:

add authentication radiusaction radact1 -serverip 1.1.1.1 -radkey 123 -radVendorID 1234 -radAttributeType 2

Add authentication policy for RADIUS server (second level authentication)

At the command prompt, type:

add authentication policy <radius policy name> -rule true -action <rad action name>

Example:

add authentication policy radpol11 -rule true -action radact1

Add authentication login schema

You can use the “SingleAuth.xml” login schema for system users to provide the second password for the Citrix ADC appliance. At the command prompt, type:

add authentication loginSchema <login schema name> -authenticationSchema LoginSchema/SingleAuth.xml

Example:

add authentication loginSchema radschema -authenticationSchema LoginSchema/SingleAuth.xml

Add and bind authentication policy label to RADIUS server

At the command prompt, type:

add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>] [-loginSchema <string>]

bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>] [-nextFactor <string>]

Example:

add authentication policylabel label1 -type RBA_REQ -loginSchema radschema

bind authentication policylabel label1 -policyName radpol11 -priority 1

Bind authentication system global for LDAP policy

At the command prompt, type:

bind system global <ldap policy name> -priority <priority> -nextFactor <policy label name>

Example:

bind system global pol1 -priority 1 -nextFactor label1

Disable local authentication in system parameter

At the command prompt, type:

set system parameter -localauth disabled
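The commands in this case form a chain: the global binding names the LDAP policy, its nextFactor names the policy label, and the label must hold the RADIUS policy, which must name an existing RADIUS action. A typo anywhere in that chain, or leaving local authentication enabled, silently weakens the result, so the following added example (not Citrix code; the command list is constructed here to mirror the procedure above and deliberately carries the kind of name mismatches a hand-typed configuration can contain) checks a planned command list for dangling references before it is applied. The same check applies to the later cases, which use the same chain.

```python
import shlex

# Constructed command list (not page output) mirroring the Case 3 procedure. Three
# names are deliberately misspelt so that the checker has something to find.
CASE3_COMMANDS = [
    "add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base "
    "-ldapbindDn name -ldapbindDNpassword password -ldapLoginName name",
    "add authentication policy pol1 -rule true -action ldapact1",
    "add authentication radiusaction radact1 -serverip 1.1.1.1 -radkey 123 "
    "-radVendorID 1234 -radAttributeType 2",
    "add authentication policy radpol11 -rule true -action radact11",  # radact1 was created
    "add authentication loginSchema radschema -authenticationSchema LoginSchema/SingleAuth.xml",
    "add authentication policylabel label1 -type RBA_REQ -loginSchema radschema",
    "bind authentication policylabel label1 -policyName rad_pol11 -priority 1",  # radpol11 was created
    "bind system global pol1 -priority 1 -nextFactor label11",  # label1 was created
    "set system parameter -localauth disabled",
]


def _opts(tokens):
    """Collect '-flag value' pairs from a tokenised command, keys lower-cased."""
    opts = {}
    for i in range(len(tokens) - 1):
        if tokens[i].startswith("-"):
            opts[tokens[i].lstrip("-").lower()] = tokens[i + 1]
    return opts


def lint_2fa_config(commands):
    """Return findings; an empty list means every reference resolves and the
    system global binding really chains to a label that has a policy bound."""
    actions, policies, schemas, labels = set(), set(), set(), set()
    label_policies = {}   # label name -> policies bound to it
    global_next = []      # nextFactor of each system global binding
    local_auth = "enabled"
    findings = []
    for cmd in commands:
        t = shlex.split(cmd)
        o = _opts(t)
        if t[:2] == ["add", "authentication"]:
            kind, name = t[2].lower(), t[3]
            if kind.endswith("action"):
                actions.add(name)
            elif kind == "policy":
                policies.add(name)
                if o.get("action") not in actions:
                    findings.append(f"policy {name}: action {o.get('action')!r} not defined")
            elif kind == "loginschema":
                schemas.add(name)
            elif kind == "policylabel":
                labels.add(name)
                label_policies[name] = []
                if "loginschema" in o and o["loginschema"] not in schemas:
                    findings.append(f"label {name}: login schema {o['loginschema']!r} not defined")
        elif t[:3] == ["bind", "authentication", "policylabel"]:
            label, pol = t[3], o.get("policyname")
            if label not in labels:
                findings.append(f"bind to label {label!r}: label not defined")
            elif pol not in policies:
                findings.append(f"label {label}: policy {pol!r} not defined")
            else:
                label_policies[label].append(pol)
        elif t[:3] == ["bind", "system", "global"]:
            if t[3] not in policies:
                findings.append(f"system global: policy {t[3]!r} not defined")
            nxt = o.get("nextfactor")
            if nxt is not None and nxt not in labels:
                findings.append(f"system global: nextFactor label {nxt!r} not defined")
            global_next.append(nxt)
        elif t[:3] == ["set", "system", "parameter"] and "localauth" in o:
            local_auth = o["localauth"].lower()
    if not any(label_policies.get(n) for n in global_next):
        findings.append("no system global binding chains to a label with a bound policy")
    if local_auth != "disabled":
        findings.append("local authentication still enabled (Case 3 requires it disabled)")
    return findings
```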

Case 4: External authentication enabled for system user with local authentication policy attached

In this scenario, the user is allowed to log on to the appliance using two-factor authentication with local authentication policy evaluation at the second level of user identification.


Complete the following steps by using the command line interface.

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP server
  3. Add local authentication policy
  4. Add authentication policy label
  5. Bind LDAP policy as system global
  6. Disable local authentication in system parameter

Add authentication action for LDAP server (first level authentication)

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapBase <string> -ldapBindDn <binddn name> -ldapBindDnPassword <password> -ldapLoginName <loginname> -groupAttrName <grp attribute name> -subAttributeName <string> -ssoNameAttribute <string>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name

Add authentication policy for LDAP server (first level authentication)

At the command prompt, type:

add authentication policy <ldap policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Add local authentication policy for system users (second level authentication)

At the command prompt, type:

add authentication radiusaction <rad action name> -serverip <rad server ip> -radkey <key> -radVendorID <ID> -radAttributeType <rad attribute type>

Example:

add authentication radiusaction radact1 -serverip 1.1.1.1 -radkey 123 -radVendorID 1234 -radAttributeType 2

Add and bind authentication policy label

At the command prompt, type:

add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>] [-loginSchema <string>]

bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>] [-nextFactor <string>]

Example:

add authentication policylabel label1 -type RBA_REQ -loginSchema radschema

bind authentication policylabel label1 -policyName radpol11 -priority 1

Disable local authentication in system parameter

At the command prompt, type:

set system parameter -localauth disabled

Case 5: External authentication disabled and local authentication enabled for system user

If the user has “externalAuth” disabled, it indicates that the user does not exist on the authentication server. The user is not authenticated with the external authentication server even if a user with the same user name exists on that server. The user is authenticated locally.


To enable system user password and disable external authentication

At the command prompt, type the following:

add system user <name> <password> -externalAuth DISABLED

Example:

add system user user1 password1 -externalAuth DISABLED

Case 6: External authentication enabled and local authentication enabled for system users

In this scenario, the appliance first authenticates system users by using the local password. If this authentication fails, the user is then authenticated by using the external authentication password on the external authentication servers at two levels.


To configure using command line interface, follow the steps given below:

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP server
  3. Add authentication action for RADIUS policy
  4. Add authentication policy for RADIUS policy
  5. Add authentication login schema
  6. Add authentication policy label
  7. Bind authentication policy label for login schema
  8. Bind authentication system global for RADIUS policy
  9. Bind authentication system global for LDAP policy

Add authentication action for LDAP server

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapBase <string> -ldapBindDn <binddn name> -ldapBindDnPassword <password> -ldapLoginName <loginname> -groupAttrName <grp attribute name> -subAttributeName <string> -ssoNameAttribute <string>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name

Add authentication policy for LDAP server

At the command prompt, type:

add authentication policy <policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Add authentication action for RADIUS server

At the command prompt, type:

add authentication radiusaction <rad action name> -serverip <rad server ip> -radkey <key> -radVendorID <ID> -radAttributeType <rad attribute type>

Example:

add authentication radiusaction radact1 -serverip 1.1.1.1 -radkey 123 -radVendorID 1234 -radAttributeType 2

Add advanced authentication policy for RADIUS server

At the command prompt, type:

add authentication policy <policy name> -rule true -action <rad action name>

Example:

add authentication policy radpol11 -rule true -action radact1

Add authentication login schema

You can use the SingleAuth.xml login schema to display the login page and authenticate the system user at the second level of authentication.

At the command prompt, type:

add authentication loginSchema <name> -authenticationSchema <string>

Example:

add authentication loginSchema radschema -authenticationSchema LoginSchema/SingleAuth.xml

Add and bind authentication policy label to RADIUS authentication policy for user login

At the command prompt, type:

add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>] [-loginSchema <string>]

Example:

add authentication policylabel label1 -type RBA_REQ -loginSchema radschema

At the command prompt, type:

bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>] [-nextFactor <string>]

Example:

bind authentication policylabel label1 -policyName radpol11 -priority 1

Bind authentication policy global

At the command prompt, type:

bind system global [<policyName> [-priority <positive_integer>] [-nextFactor <string>] [-gotoPriorityExpression <expression>]]

Example:

bind system global pol1 -priority 1 -nextFactor label1

Case 7: External authentication enabled for selected external users only

In this scenario, selected external users are configured with two-factor authentication according to the search filter configured in the LDAP action, while the other system users are authenticated by using single-factor authentication.

To configure using command line interface, follow the steps given below:

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP server
  3. Add authentication action for RADIUS policy
  4. Add authentication policy for RADIUS policy
  5. Add authentication login schema
  6. Add authentication policy label
  7. Bind authentication policy label for login schema
  8. Bind authentication system global for RADIUS policy

Add authentication action for LDAP server

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapBase <string> -ldapBindDn <binddn name> -ldapBindDnPassword <password> -ldapLoginName <loginname> -groupAttrName <grp attribute name> -subAttributeName <string> -ssoNameAttribute <string>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name

Add authentication policy for LDAP server

At the command prompt, type:

add authentication policy <policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Add authentication action for RADIUS server

At the command prompt, type:

add authentication radiusaction <rad action name> -serverip <rad server ip> -radkey <key> -radVendorID <ID> -radAttributeType <rad attribute type>

Example:

add authentication radiusaction radact1 -serverip 1.1.1.1 -radkey 123 -radVendorID 1234 -radAttributeType 2

Add advanced authentication policy for RADIUS server

At the command prompt, type:

add authentication policy <policy name> -rule true -action <rad action name>

Example:

add authentication policy radpol11 -rule true -action radact1

Add authentication login schema

You can use the SingleAuth.xml login schema to provide the login page for the appliance to authenticate a system user at second level of authentication.

At the command prompt, type:

add authentication loginSchema <name> -authenticationSchema <string>

Example:

add authentication loginSchema radschema -authenticationSchema LoginSchema/SingleAuth.xml

Add and bind authentication policy label to RADIUS authentication policy for user login

At the command prompt, type:

add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>] [-loginSchema <string>]

Example:

add authentication policylabel label1 -type RBA_REQ -loginSchema radschema

At the command prompt, type:

bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>] [-nextFactor <string>]

Example:

bind authentication policylabel label1 -policyName radpol11 -priority 1

Bind authentication policy global

At the command prompt, type:

bind system global [<policyName> [-priority <positive_integer>] [-nextFactor <string>] [-gotoPriorityExpression <expression>]]

Example:

bind system global pol1 -priority 1 -nextFactor label1

To configure group users without two-factor authentication by using a search filter:

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP server
  3. Bind authentication system global for LDAP server

Add authentication action for LDAP server

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapBase <string> -ldapBindDn <binddn name> -ldapBindDnPassword <password> -ldapLoginName <loginname> -groupAttrName <grp attribute name> -subAttributeName <string> -searchFilter <string>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -searchFilter "memberOf=CN=grp4,CN=Users,DC=aaatm-test,DC=com"

Add authentication policy for LDAP server

At the command prompt, type:

add authentication policy <policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Bind authentication system global for LDAP policy

At the command prompt, type:

bind system global <ldap policy name> -priority <priority> -nextFactor <policy label name>

Example:

bind system global pol1 -priority 1 -nextFactor label1

Display a customized prompt message for two-factor authentication

The second-factor password field is configured in the SingleAuth.xml file at /flash/nsconfig/loginschema/LoginSchema.

The following is a snippet of the SingleAuth.xml file, where ‘SecondPassword:’ is the name of the second password field that the user is prompted to fill in.

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
        <Label><Text>singleauth_user_name</Text><Type>nsg-login-label</Type></Label>
        <Input><AssistiveText>singleauth_please_supply_either_domain\username_or_user@fully.qualified.domain</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
      <Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
        <Label><Text>SecondPassword:</Text><Type>nsg-login-label</Type></Label>
        <Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
      <Requirement><Credential><Type>none</Type></Credential>
        <Label><Text>singleauth_first_factor</Text><Type>nsg_confirmation</Type></Label>
        <Input/></Requirement>
      <Requirement><Credential><ID>saveCredentials</ID><Type>savecredentials</Type></Credential>
        <Label><Text>singleauth_remember_my_password</Text><Type>nsg-login-label</Type></Label>
        <Input><CheckBox><InitialValue>false</InitialValue></CheckBox></Input></Requirement>
      <Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential>
        <Label><Type>none</Type></Label>
        <Input><Button>singleauth_log_on</Button></Input></Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
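When the prompt text is customized by editing this file, it is worth verifying, before the schema is deployed, that the second-password requirement still has credential type password, still carries the intended label and is still marked Secret. The following added example (not Citrix code) parses an AuthenticateResponse document with the standard library and performs that check; SAMPLE_SCHEMA is a constructed, trimmed copy of the snippet above.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://citrix.com/authentication/response/1"}

# Constructed, trimmed copy of the SingleAuth.xml snippet above: only the
# user-name, second-password and log-on button requirements are kept.
SAMPLE_SCHEMA = """<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status><Result>more-info</Result><StateContext/>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>singleauth_user_name</Text><Type>nsg-login-label</Type></Label><Input><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>SecondPassword:</Text><Type>nsg-login-label</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>singleauth_log_on</Button></Input></Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>"""


def credential_fields(schema_xml):
    """Map each Requirement that has a Credential ID to (type, label text, secret flag)."""
    data = schema_xml.encode("utf-8") if isinstance(schema_xml, str) else schema_xml
    root = ET.fromstring(data)
    fields = {}
    for req in root.findall(".//a:Requirements/a:Requirement", NS):
        cid = req.findtext("a:Credential/a:ID", namespaces=NS)
        if cid is None:
            continue  # e.g. the confirmation text requirement, which has no credential ID
        ctype = req.findtext("a:Credential/a:Type", namespaces=NS)
        label = req.findtext("a:Label/a:Text", namespaces=NS)
        secret = req.findtext("a:Input/a:Text/a:Secret", namespaces=NS)
        fields[cid] = (ctype, label, secret == "true")
    return fields


def check_second_factor_prompt(schema_xml, expected_label="SecondPassword:"):
    """Return problems with the second-password field; an empty list means it is a
    password-type credential, carries the expected prompt text and is marked Secret."""
    pw = credential_fields(schema_xml).get("passwd")
    if pw is None:
        return ["no 'passwd' credential requirement in schema"]
    ctype, label, secret = pw
    problems = []
    if ctype != "password":
        problems.append(f"passwd credential type is {ctype!r}, expected 'password'")
    if label != expected_label:
        problems.append(f"prompt label is {label!r}, expected {expected_label!r}")
    if not secret:
        problems.append("password input is not marked Secret")
    return problems
```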

Configuring two-factor authentication by using the Citrix ADC GUI

  1. Log on to the Citrix ADC appliance.
  2. Go to System > Authentication > Advanced Policies > Policy.
  3. Click Add to create the first-level authentication policy.
  4. In the Create Authentication Policy page, set the following parameters.
    1. Name. Name of the policy.
    2. Action Type. Select the action type, such as LDAP, Active Directory, RADIUS, or TACACS.
    3. Action. The authentication action (profile) to associate with the policy. You can choose an existing authentication action, or click the plus icon and create a new action of the proper type.
    4. Expression. Provide an advanced policy expression.
  5. Click Create and then Close.
  6. Click Add to create the second-level authentication policy.
  7. In the Create Authentication Policy page, set the following parameters.
    1. Name. Name of the policy.
    2. Action Type. Select the action type, such as LDAP, Active Directory, RADIUS, or TACACS.
    3. Action. The authentication action (profile) to associate with the policy. You can choose an existing authentication action, or click the + icon to create an action of the proper type.
    4. Expression. Provide an advanced policy expression.
  8. Click Create and then Close.
  9. In the Authentication Policies page, click Global Binding.
  10. In the Create Global Authentication Policy Binding page, select the first-level authentication policy and click Add Binding.
  11. In the Policy Binding page, select the authentication policy and set the following policy binding parameter.
    1. Next Factor. Select the second-level authentication policy label.
  12. Click Bind and Close.
  13. Click Done.
  14. Log on to the Citrix ADC appliance for the second-level authentication. The user can now provide the second password. Only if both passwords are correct is the user allowed to access the Citrix ADC appliance.

For more information about configuring the login schema, see the Native OTP Support feature.