Citrix ADC

Configuring nFactor authentication

You can configure multiple authentication factors using the nFactor configuration. The nFactor configuration is supported only in Citrix ADC Advanced and Premium editions.

Methods to configure nFactor

You can configure nFactor authentication by one of the following methods:

  • nFactor Visualizer: nFactor visualizer enables you to easily link factors or policy labels together in a single pane and also change the linking of the factors in the same pane. You can create an nFactor flow using the visualizer and bind that flow to an authentication, authorization, and auditing virtual server. For details about nFactor Visualizer and an example nFactor configuration using the visualizer, see nFactor Visualizer for simplified configuration.

  • Citrix ADC GUI: For details, see section Configuration elements involved in nFactor configuration.

  • Citrix ADC CLI: For a sample snippet on nFactor configuration using the Citrix ADC CLI, see Sample snippet on nFactor configuration by using the Citrix ADC CLI.

Important: This topic contains details about configuring nFactor by using the Citrix ADC GUI.

Configuration elements involved in nFactor configuration

The following elements are involved in configuring nFactor. For detailed steps, refer to the appropriate sections in this topic.

  • AAA virtual server
    • Create an AAA virtual server
    • Bind portal theme to AAA virtual server
    • Enable client certificate authentication
  • Login schema
    • Configure a login schema profile
    • Create and bind a login schema policy
  • Advanced authentication policies
    • Create advanced authentication policies
    • Bind first factor advanced authentication policy to Citrix ADC AAA virtual server
    • Use extracted LDAP groups to select the next authentication factor
  • Authentication policy label
    • Create authentication policy label
    • Bind authentication policy label
  • nFactor for Citrix Gateway
    • Create authentication profile to link a Citrix ADC AAA virtual server with Citrix Gateway virtual server
    • Configure SSL parameters and CA certificate for Citrix Gateway
    • Configure Citrix Gateway traffic policy for nFactor single sign-on to StoreFront

How nFactor works

When a user connects to the authentication, authorization, and auditing or Citrix Gateway virtual server, the sequence of events is as follows:

  1. If forms-based authentication is used, the login schema bound to the authentication, authorization, and auditing virtual server is displayed.

  2. Advanced authentication policies bound to the authentication, authorization, and auditing virtual server are evaluated.
    • If the advanced authentication policy succeeds, and if the next factor (authentication policy label) is configured, the next factor is evaluated. If Next Factor is not configured, then authentication is complete and successful.
    • If the advanced authentication policy fails, and if Goto Expression is set to Next, then the next bound advanced authentication policy is evaluated. If none of the advanced authentication policies succeed, then authentication fails.
  3. If the next factor authentication policy label has a Login Schema bound to it, it is displayed to the user.
  4. The advanced authentication policies bound to the next factor authentication policy label are evaluated.
    • If the advanced authentication policy succeeds, and if the next factor (authentication policy label) is configured, the next factor is evaluated. If Next Factor is not configured, then authentication is complete and successful.
    • If the advanced authentication policy fails, and if Goto Expression is Next, then the next bound advanced authentication policy is evaluated. If none of the advanced authentication policies succeed, then authentication fails.
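The following Python script is an added example, not Citrix code or configuration: it simulates the evaluation rules listed above, using the LDAP-then-RADIUS chain from the CLI sample at the end of this topic (vserver auth56, policy label label1, login schema login-2passwd.xml). The credential checks inside it are constructed stand-ins for the real LDAP and RADIUS actions.

```python
"""Simulator for the nFactor evaluation order described above (added example, not
Citrix code). The chain mirrors the two-factor CLI sample at the end of this topic:
ldap bound to the vserver with -nextFactor label1, radius bound to label1 with
gotoPriorityExpression end. The credential checks are constructed stand-ins for the
real LDAP and RADIUS actions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class PolicyBinding:
    name: str                          # advanced authentication policy name
    action: Callable[[dict], bool]     # authentication action: True on success
    goto: str = "END"                  # Goto Expression, consulted only on failure
    next_factor: Optional[str] = None  # policy label evaluated on success


@dataclass
class PolicyLabel:
    name: str
    login_schema: str                  # "noschema" = pass-through, nothing displayed
    bindings: List[PolicyBinding] = field(default_factory=list)


def evaluate_factor(bindings: List[PolicyBinding], labels: Dict[str, PolicyLabel],
                    creds: dict, trail: List[str], forms: List[str]) -> bool:
    """Evaluate one factor's bindings in priority order; return the final result.

    Rules from "How nFactor works":
      success + next factor configured -> evaluate that policy label
      success + no next factor         -> authentication complete and successful
      failure + Goto Expression NEXT   -> evaluate the next bound policy
      failure + END, or no policy left -> authentication fails
    """
    for binding in bindings:
        ok = binding.action(creds)
        trail.append(f"{binding.name}: {'success' if ok else 'failure'}")
        if ok:
            if binding.next_factor is None:
                return True
            label = labels[binding.next_factor]
            if label.login_schema != "noschema":
                forms.append(label.login_schema)  # the label's login schema is shown
            trail.append(f"-> next factor {label.name}")
            return evaluate_factor(label.bindings, labels, creds, trail, forms)
        if binding.goto.upper() != "NEXT":
            return False
    return False


def build_sample_chain() -> Tuple[List[PolicyBinding], Dict[str, PolicyLabel]]:
    """LDAP first factor, RADIUS second factor, one login form with two passwords."""
    # Constructed stand-ins for the ldapAct1 and radius actions of the CLI sample.
    def ldap_ok(c: dict) -> bool:
        return c.get("user") == "alice" and c.get("passwd1") == "ldap-secret"

    def radius_ok(c: dict) -> bool:
        return c.get("passwd2") == "123456"

    label1 = PolicyLabel("label1", "noschema",
                         [PolicyBinding("radius", radius_ok, goto="END")])
    vserver = [PolicyBinding("ldap", ldap_ok, goto="NEXT", next_factor="label1")]
    return vserver, {"label1": label1}


def authenticate(creds: dict) -> Tuple[bool, List[str], List[str]]:
    """Run the sample chain; returns (result, evaluation trail, forms displayed)."""
    vserver, labels = build_sample_chain()
    forms = ["login-2passwd.xml"]  # login schema policy bound to the vserver
    trail: List[str] = []
    ok = evaluate_factor(vserver, labels, creds, trail, forms)
    return ok, trail, forms


if __name__ == "__main__":
    for creds in ({"user": "alice", "passwd1": "ldap-secret", "passwd2": "123456"},
                  {"user": "alice", "passwd1": "wrong", "passwd2": "123456"},
                  {"user": "alice", "passwd1": "ldap-secret", "passwd2": "000000"}):
        ok, trail, forms = authenticate(creds)
        print("SUCCESS" if ok else "FAILED", trail, forms)
```

Because label1 uses noschema, only the first login form is shown; a label with a real login schema would add a second form to the returned list.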

Authentication, authorization, and auditing virtual server

To use nFactor with Citrix Gateway, you first configure it on an authentication, authorization, and auditing virtual server. Then you later link the authentication, authorization, and auditing virtual server to the Citrix Gateway virtual server.

Create authentication, authorization, and auditing Virtual Server

  1. If the authentication, authorization, and auditing feature is not already enabled, navigate to Security > AAA – Application Traffic, and right-click to enable the feature.

    Enable feature

  2. Navigate to Configuration > Security > AAA - Application Traffic > Virtual Servers.

    Virtual server

  3. Click Add to create an authentication virtual server.

    Add virtual server

  4. Enter the following information and click OK.

    • Name: Name for the authentication, authorization, and auditing virtual server.
    • IP address Type: Change the IP address Type to Non Addressable if this virtual server is used only for Citrix Gateway.

    Configure virtual server

  5. Under Certificate, select No Server Certificate.

    Server certificate

  6. Click the text Click to select to choose the server certificate.

    Select server certificate

  7. Click the radio button next to a certificate for the authentication, authorization, and auditing Virtual Server, and click Select. The chosen certificate doesn’t matter because this server is not directly accessible.

    Select server certificate2

  8. Click Bind.

    Bind certificate

  9. Click Continue to close the Certificate section.

    Complete certificate details

  10. Click Continue.

    Complete certificate details2

Bind the portal theme to the authentication, authorization, and auditing virtual server

  1. Navigate to Citrix Gateway > Portal Themes, and add a theme. You create the theme under Citrix Gateway, and then later bind it to the authentication, authorization, and auditing virtual server.

    Portal theme

  2. Create a theme based on the RfWebUI template theme.

    Create portal theme

  3. After adjusting the theme as desired, at the top of the portal theme editing page, click Click to Bind and View Configured Theme.

    Bind portal theme

  4. Change the selection to Authentication. From the Authentication Virtual Server Name drop-down menu, select the authentication, authorization, and auditing virtual server, and click Bind and Preview and close the preview window.

    Preview binding

Enable the client certificate authentication

If one of your authentication factors is the client certificate, then you must perform some SSL configuration on the authentication, authorization, and auditing virtual server:

  1. Navigate to Traffic Management > SSL > Certificates > CA Certificates, and install the root certificate for the issuer of the client certificates. Root certificates do not have a key file.

    CA certificate1

    CA certificate2

  2. Navigate to Traffic Management > SSL > Change advanced SSL settings.

    SSL settings

    Scroll down to check whether Default Profile is ENABLED. If yes, then you must use an SSL Profile to enable Client Certificate Authentication. Otherwise, you can enable Client Certificate Authentication directly on the authentication, authorization, and auditing virtual server in the SSL Parameters section.

  3. If default SSL Profiles are not enabled:

    1. Navigate to Security > AAA - Application Traffic > Virtual Servers, and edit an existing authentication, authorization, and auditing virtual server.

    SSL profile

    2. On the left, in the SSL Parameters section, click the pencil icon.

    Edit SSL profile

    3. Check the box next to Client Authentication.

    4. Make sure Optional is selected in the Client Certificate drop-down menu, and click OK.

    Optional client certificate

  4. If Default SSL Profiles are enabled, then create an SSL Profile with Client Authentication enabled:

    1. On the left menu, expand System, and click Profiles.

    2. On the top right, switch to the SSL Profile tab.

    3. Right-click the ns_default_ssl_profile_frontend profile, and click Add. This copies settings from the default profile.

    4. Give the Profile a name. The purpose of this profile is to enable Client Certificates.

    5. Scroll down and find the Client Authentication check box. Check the box.

    6. Change the Client Certificate drop-down menu to OPTIONAL.

    7. Copying the default SSL Profile does not copy the SSL Ciphers; you must configure them again on the new profile.

    8. Click Done when done creating the SSL Profile.

    9. Navigate to Security > AAA – Application Traffic > Virtual Servers, and edit an authentication, authorization, and auditing virtual server.

    10. Scroll down to the SSL Profile section and click the pencil.

    11. Change the SSL Profile drop-down menu to the profile that has Client Certificates enabled. Click OK.

    12. Continue with step 5 below to bind the CA certificate.

  5. On the left, in the Certificates section, click where it says No CA Certificate.

    No CA certificate

  6. Click the text, Click to select.

    Select CA certificate

  7. Click the radio button next to the root certificate for the issuer of the client certificates, and click Select.

    Root certificate

  8. Click Bind.

    Bind a certificate

Login schema XML file

Login Schema is an XML file providing the structure of forms-based authentication logon pages.

nFactor implies multiple authentication factors that are chained together. Each Factor can have different Login Schema pages/files. In some authentication scenarios, users can be presented with multiple logon screens.

Configure a login schema profile

To configure a Login Schema Profile:

  1. Create or Edit a Login Schema .XML file based on your nFactor design.
  2. Navigate to Security > AAA - Application Traffic > Login Schema.

    Login schema

  3. On the right, switch to the Profiles tab, and click Add.

    Profiles tab

  4. In the Authentication Schema field, click the pencil icon.

    Edit schema

  5. Click the LoginSchema folder to see the files in it.

    Login schema list

  6. Select one of the files. You can see a preview on the right. The labels can be changed by clicking the Edit button on the top right.

    Edit schema

  7. When you Save the changes, a new file is created under /nsconfig/LoginSchema.

    Save schema

  8. On the top right, click Select.

    Select a schema

  9. Give the Login Schema a name, and click More.

    Name schema

  10. Use the user name and the password entered in the login schema for single sign-on (SSO) to a back-end service, for example StoreFront.

    You can use the credentials entered in the login schema as your Single Sign-On credentials by using any of the following methods.

    • Click More at the bottom of the Create Authentication Login Schema page and select Enable Single Sign On Credentials.

    • Click More at the bottom of the Create Authentication Login Schema page and enter unique values for the user credential index and password credential index. These values can be between 1 and 16. Later you reference these index values in a traffic policy/profile by using the expression AAA.USER.ATTRIBUTE(#).

    Create authentication login schema

  11. Click OK to create the login schema profile.

    Note: If you edit the login schema file (.xml) later, for changes to be reflected you must edit the login schema profile and select the login schema (.xml) file again.

Create and bind a login schema policy

To bind a login schema profile to an authentication, authorization, and auditing virtual server, you must first create a login schema policy. Login schema policies are not required when binding the login schema profile to an authentication policy label, as detailed later.

To create and bind a login schema policy:

  1. Navigate to Security > AAA - Application Traffic > Login Schema.

    Create login schema

  2. On the Policies tab, click Add.

    Policies tab

  3. Use the Profile drop-down menu to select the Login Schema Profile you already created.

  4. Enter an advanced policy expression in the Rule box, and click Create.

    Rule

  5. On the left, navigate to Security > AAA - Application Traffic > Virtual Servers, and edit an existing authentication, authorization, and auditing virtual server.

    Virtual server

  6. In the Advanced Settings column, click Login Schemas.

    Login schema advanced settings

  7. In the Login Schemas section, click the text No Login Schema.

    No login schema

  8. Click the text, Click to select.

    Select No login schema

  9. Click the radio button next to the login schema policy, and click Select. Only login schema policies appear in this list. Login schema profiles (without a policy) do not appear.

    Bind login schema

  10. Click Bind.

Advanced authentication policies

Authentication policies are a combination of policy expression, and policy action. If the expression is true, then evaluate the authentication action.

Create advanced authentication policies

You need authentication actions/servers (for example LDAP, RADIUS, CERT, SAML, and so forth). When creating an advanced authentication policy, there’s a plus (Add) icon that lets you create authentication actions/servers.

Or you can create authentication actions (servers) before creating the advanced authentication policy. The authentication servers are located under Authentication > Dashboard. On the right, click Add and select a Server Type. The instructions for creating these Authentication Servers are not detailed here. See the Authentication – NetScaler 12 / Citrix ADC 12.1 procedures.

To create an Advanced Authentication Policy:

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy

    Advanced policy 1

  2. In the details pane do one of the following:
    • To create a policy, click Add.
    • To modify an existing policy, select the policy, and then click Edit.
  3. In the Create Authentication Policy or Configure Authentication Policy dialog box, type or select values for the parameters.

    Create an advanced policy

    • Name - The policy name. Cannot be changed for a previously configured policy.
    • Action Type - The policy type: Cert, Negotiate, LDAP, RADIUS, SAML, SAMLIDP, TACACS, or WEBAUTH.
    • Action - The authentication action (profile) to associate with the policy. You can choose an existing authentication action, or click the plus and create an action of the proper type.
    • Log Action - The audit action to associate with the policy. You can choose an existing audit action, or click the plus and create an action. If you don’t have any actions configured, or to create an action, click Add and complete the steps.
    • Expression - The rule that selects connections to which you want to apply the action that you specified. The rule can be simple (“true” selects all traffic) or complex. You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression window, and then by typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.
    • Comment - You can type a comment that describes the type of traffic that this authentication policy applies to. Optional.
  4. Click Create and then click Close. If you created a policy, that policy appears in the Authentication Policies and Servers page.

Create additional advanced authentication policies as required based on your nFactor design.

Bind first factor advanced authentication policy to authentication, authorization, and auditing

You can directly bind advanced authentication policies for the first factor to the authentication, authorization, and auditing virtual server. For the next factors, you must bind the advanced authentication policies to the authentication policy labels.

  1. Navigate to Security > AAA - Application Traffic > Virtual Servers. Edit an existing virtual server.

    Edit virtual server

  2. On the left, in the Advanced Authentication Policies section, click No Authentication Policy.

    No authentication policy

  3. In Select Policy, click the text, Click to select.

    Select no authentication

  4. Click the radio button next to the Advanced Authentication Policy, and click Select.

    Select option

  5. In the Binding Details section, the Goto Expression determines what happens next if this advanced authentication policy fails.
    • If Goto Expression is set to NEXT, then the next advanced authentication policy bound to this authentication, authorization, and auditing virtual server is evaluated.
    • If Goto Expression is set to END, or if there are no more advanced authentication policies bound to this authentication, authorization, and auditing virtual server, then authentication is completed and marked as failed.

    Bind policy

  6. In Select Next Factor, you can point to an authentication policy label. The next factor is evaluated only if the advanced authentication policy succeeds. Finally, click Bind.

    Bind policy 2

Use extracted LDAP groups to select the next authentication Factor

You can use extracted LDAP groups to select the next authentication factor without actually authenticating with LDAP.

  1. When creating or editing an LDAP server or LDAP action, clear the Authentication check box.
  2. In Other Settings, select appropriate values in Group Attribute and Sub Attribute Name.

Authentication policy label

When you bind an advanced authentication policy to the authentication, authorization, and auditing virtual server and have selected a next factor, the next factor is evaluated only if the advanced authentication policy succeeds. The next factor that is evaluated is an authentication policy label.

The authentication policy label specifies a collection of authentication policies for a particular factor. Each policy label corresponds to a single factor. It also specifies the login form that must be presented to the user. The authentication policy label must be bound as the next factor of an authentication policy or of another authentication policy label.

Note: Not every factor needs a login schema. A login schema profile is required only if you are binding a login schema to an authentication policy label.

Create an authentication policy label

A policy label specifies the authentication policies for a particular factor. Each policy label corresponds to a single factor. The policy label specifies the login form that must be presented to the user. The policy label must be bound as the next factor of an authentication policy or of another authentication policy label. Typically, a policy label includes authentication policies for a specific authentication mechanism. However, you can also have a policy label that has authentication policies for different authentication mechanisms.

  1. Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Policy Label.

    Policy label1

  2. Click the Add button.

    Add Policy label1

  3. Complete the following fields to create an authentication policy label:

    a) Enter the Name for the new authentication policy label.

    b) Select the Login Schema associated with the authentication policy label. If you do not want to display anything to the user, you can select a login schema profile that is set to no schema (LSCHEMA_INT).

    c) Click Continue.

    Continue

  4. In the Policy Binding section, click where it says Click to select.

  5. Select the authentication policy that evaluates this factor.

    Bind policy label

  6. Complete the following fields:

    a) Enter the Priority of the policy binding.

    b) In Goto Expression, select NEXT if you want to bind more advanced authentication policies to this factor; otherwise select END.

    Expression

  7. In Select Next Factor, if you want to add another factor, click to select and bind the next authentication policy label (next factor). If you do not select the next factor, and if this advanced authentication policy succeeds, then authentication is successful and complete.
  8. Click Bind.

  9. You can click Add Binding to add more advanced authentication policies to this policy label (factor). Click Done upon completion.

    Add binding

Bind authentication policy label

After you create the policy label, you bind it to an existing advanced authentication policy binding to chain the factors together.

You can select the next factor when editing an existing authentication, authorization, and auditing virtual server that has an advanced authentication policy bound or when editing a different policy label to include the next factor.

To edit an existing authentication, authorization, and auditing virtual server that has an advanced authentication policy already bound to it

  1. Navigate to Security > AAA – Application Traffic > Virtual Servers. Select the virtual server and click Edit.

    Edit virtual server

  2. On the left, in the Advanced Authentication Policies section, click an existing authentication policy binding.

    Edit virtual server 2

  3. In Select Action, click Edit Binding.

    Select action

  4. In Select Next Factor, click to select an existing authentication policy label (next factor).

    Select next factor

  5. Click Bind. You can see the next factor on the extreme right.

    Bind next factor

To add a policy label next factor to a different policy label

  1. Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel. Select a different policy label and click Edit.

    Add policy label

  2. In Select Action, click Edit Binding.

    Edit action

  3. In Binding Details > Select Next Factor, click to select the next factor.
  4. Choose the policy label for the next factor and click the Select button.

    Edit binding

  5. Click Bind. You can see the next factor on the right.

    Bind

nFactor for Citrix Gateway

To enable nFactor on the Citrix Gateway, an authentication profile must be linked to an authentication, authorization, and auditing virtual server.

  1. Navigate to Citrix Gateway > Virtual Servers and select an existing gateway virtual server to edit.

    Edit gateway server

  2. In Advanced Settings, click Authentication Profile.

  3. Click Add under Authentication Profile.

    Add authentication profile

  4. Enter the name for the authentication profile and click where it says Click to select.

    Name authentication profile

  5. In Authentication Virtual Server, select an existing server that has login schema, advanced authentication policy, and authentication policy labels configured. You can also create an authentication virtual server. The authentication, authorization, and auditing virtual server does not need an IP address. Click Select.

    Select virtual server

  6. Click Create.

    Create profile

  7. Click OK to close the Authentication Profile section.

    Close profile creation

Note: If you have configured one of the factors as client certificates, then you must configure the SSL parameters and CA certificate.

After you have completed linking the authentication profile to an authentication, authorization, and auditing virtual server, and when you browse to your Citrix Gateway, you can view the nFactor authentication screens.

Configure SSL parameters and CA certificate

If one of the authentication factors is a certificate, then you must perform some SSL configuration on the Citrix Gateway virtual server.

  1. Navigate to Traffic Management > SSL > Certificates > CA Certificates, and install the root certificate for the issuer of the client certificates. Certificate Authority certificates do not need key files.

    If default SSL Profiles are enabled, then you have already created an SSL Profile that has Client Authentication enabled.

  2. Navigate to Citrix Gateway > Virtual Servers, and edit an existing Citrix Gateway virtual server that is enabled for nFactor.

    • If default SSL Profiles are enabled, click the edit icon, and in the SSL Profile list select the SSL Profile that has Client Authentication enabled and set to OPTIONAL.
    • If default SSL Profiles are not enabled, click the edit icon, check the Client Authentication check box, and ensure that Client Certificate is set to Optional.
  3. Click OK.

  4. In the Certificates section, click No CA Certificate.

  5. In Select CA Certificate, click to select and select the root certificate for the issuer of the client certificates.

  6. Click Bind.

Note: You might have to also bind any Intermediate CA Certificates that issued the client certificates.

Configure Citrix Gateway traffic policy for nFactor single sign-on to StoreFront

For single sign-on to StoreFront, nFactor defaults to using the last entered password. If the LDAP password is not the last entered password, then you must create a traffic policy/profile to override the default nFactor behavior.

  1. Navigate to Citrix Gateway > Policies > Traffic.

    Traffic policy

  2. In the Traffic Profiles tab, click Add.

    Add traffic policy

  3. Enter a name for the traffic profile. Select the HTTP protocol. In Single Sign-on, select ON.

    Add traffic policy2

  4. In the SSO Expression, enter an AAA.USER.ATTRIBUTE(#) expression that matches the indexes specified in the login schema and click Create.

    Note: The AAA.USER expression replaces the deprecated HTTP.REQ.USER expressions.

    Add traffic policy3

  5. Click Traffic Policies tab, and click Add.

    Enter a name for the policy. Select the traffic profile created in the previous step. In Expression, enter an advanced expression, for example true. Click Create.

    Add traffic policy4

  6. Navigate to Citrix Gateway > Citrix Gateway Virtual Server.

    • Select an existing virtual server and click Edit.
    • In the Policies section, click the + sign.
    • In Choose Policy, select Traffic.
    • In Choose Type, select Request.
    • Select the traffic policy that you have created and then click Bind.

    Add traffic policy5

Sample snippet on nFactor configuration by using the Citrix ADC CLI

To understand the step-wise configurations for nFactor authentication, let us consider a two-factor authentication deployment where the first factor is LDAP authentication and the second factor is RADIUS authentication.

This sample deployment requires the user to log in to both factors using a single login form. Therefore, we define a single login form that accepts two passwords. The first password is used for LDAP authentication and the other for RADIUS authentication. Here are the configurations that are performed:

  1. Configure the load balancing virtual server for authentication.

    add lb vserver lbvs89 HTTP 1.136.19.55 80 -AuthenticationHost auth56.aaatm.com -Authentication ON

  2. Configure the authentication virtual server.

    add authentication vserver auth56 SSL 10.106.30.223 443 -AuthenticationDomain aaatm.com

  3. Configure the login schema for the login form and bind it to a login schema policy.

    add authentication loginSchema login1 -authenticationSchema login-2passwd.xml -userCredentialIndex 1 -passwordCredentialIndex 2

    Note:

    Use the user name and one of the passwords entered in the login schema for single sign-on (SSO) to a back-end service, for example StoreFront. You can reference these index values in the traffic action by using the expression AAA.USER.ATTRIBUTE(#). The values can be between 1 and 16.

    Alternatively, you can use the credentials entered in the login schema as your Single Sign-On credentials by using the following command.

    add authentication loginSchema login1 -authenticationSchema login-2passwd.xml -SSOCredentials YES
    
    add authentication loginSchemaPolicy login1 -rule true -action login1
    
  4. Configure a login schema for the pass-through and bind it to a policy label.

    add authentication loginSchema login2 -authenticationSchema noschema
    
    add authentication policylabel label1 -loginSchema login2
    
  5. Configure the LDAP and RADIUS policies.

    add authentication ldapAction ldapAct1 -serverIP 10.17.103.28 -ldapBase "dc=aaatm, dc=com" -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 81qw1b99ui971mn1289op1abc12542389b1f6c111n0d98e1d78ae90c8545901 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN
    
    add authentication Policy ldap -rule true -action ldapAct1
    
    add authentication radiusAction radius -serverIP 10.101.14.3 -radKey n231d9a8cao8671or4a9ace940d8623babca0f092gfv4n5598ngc40b18876hj32 -encrypted -encryptmethod ENCMTHD_3 -radNASip ENABLED -radNASid NS28.50 -radAttributeType 11 -ipAttributeType 8
    
    add authentication Policy radius -rule true -action radius
    
  6. Bind the login schema policy to the authentication virtual server.

    bind authentication vserver auth56 -policy login1 -priority 1 -gotoPriorityExpression END
    
  7. Bind the LDAP policy (first factor) to the authentication virtual server.

    bind authentication vserver auth56 -policy ldap -priority 1 -nextFactor label1 -gotoPriorityExpression next
    
  8. Bind the RADIUS policy (second factor) to the authentication policy label.

    bind authentication policylabel label1 -policyName radius -priority 2 -gotoPriorityExpression end