Configure nFactor for Citrix Gateway with WebAuth in first factor and LDAP with password change in second factor

The following high-level steps are involved in configuring nFactor for Citrix Gateway with WebAuth in first factor and LDAP with password change in the second factor.

1. Configure an authentication virtual server with a zero (non-addressable) IP address. Binding a certificate to this virtual server is not mandatory.

2. Configure an authentication profile with the authentication virtual server name.

3. Configure a VPN virtual server.

4. Set the authentication profile on this VPN virtual server.

5. Configure a WebAuth action and policy.

6. Configure LDAP action and policy.

7. Configure a login schema action for LDAP factor.

8. Configure a policy label for LDAP factor using the login schema action for LDAP factor.

9. Bind LDAP policy to the LDAP policy label.

10. Bind WebAuth policy to the authentication virtual server with LDAP policy label as the next factor.

How it works

  • User enters the Citrix Gateway FQDN in browser and is redirected to the /logon/logonpoint/tmindex.html page.

  • This page displays the login schema that is bound to an authentication virtual server. If there is no login schema bound to an authentication virtual server (like in our configuration), then a default schema is displayed.

  • User enters the credentials for first factor, which in this case is WebAuth.

  • Citrix Gateway evaluates the WebAuth action and contacts the WebAuth server. It sends the HTTP request defined in the fullReqExpr parameter to the WebAuth server. If the WebAuth server's response satisfies the expression in the successRule parameter of the WebAuth action, the policy passes.

  • Citrix Gateway then moves to the second factor. It checks the configuration of the policy label LDAP_factor that is bound as the next factor. Because a loginSchema is set on this policy label, Citrix Gateway sends that XML schema to the client.

  • The client receives the schema and renders it, and the user enters the LDAP credentials for the second factor of authentication.

  • Citrix Gateway contacts the LDAP server and validates the credentials. If they are correct, the authentication phase completes and the user is logged in to the configured VPN mode.

The following figure displays an nFactor authentication sequence in which the first factor is WebAuth and second factor is LDAP.

Nfactor-auth-sequence

Configuration by using the CLI

1. Configure an authentication virtual server.

add authentication vserver auth1 ssl

In the GUI, navigate to Security > AAA - Application traffic > Virtual Server and click Add.

Add auth virtual server

2. Configure an authentication profile.

add authnProfile auth_profile -authnVsname auth1

In the GUI, navigate to Security > AAA - Application traffic > Authentication profile and click Add.

Create auth profile

3. Configure a VPN virtual server.

add vpn vserver vpn1 ssl 10.1.1.1 443

add ssl certkey ckp -cert test.cer -key test.key

bind ssl vserver vpn1 -certKey ckp

Navigate to Citrix Gateway > Virtual Server and click Add.

Add vpn virtual server

Once the VPN virtual server is created, bind the certificate to it.

Set the authentication profile on the VPN virtual server:

set vpn vserver vpn1 -authnProfile auth_profile

set auth profile

4. Configure a WebAuth action and Policy.

Navigate to Appexpert > Expression > Advanced Expression.

Configure webauth policy

add policy expression post_data "\"myusername=\" + http.REQ.BODY(3000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"login=\").BEFORE_STR(\"&\") + \"&mypassword=\" + http.REQ.BODY(3000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"passwd=\")"

Create expression

add policy expression length_post_data "(\"myusername=\" + http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"login=\").BEFORE_STR(\"&\") + \"&mypassword=\" + http.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR(\"passwd=\")).length"

Nfactor configuration by using the CLI:

add authentication webAuthAction webAuth_action -serverIP 10.102.39.132 -serverPort 443 -fullReqExpr q{"POST /customAuth.aspx HTTP/" + http.req.version.major + "." + http.req.version.minor + "\r\nAccept: */*\r\nHost: 10.102.39.132\r\nUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\nContent-Type: application/x-www-form-urlencoded\r\n" + "Content-Length: " + length_post_data + "\r\nConnection: Keep-Alive\r\n\r\n" + post_data} -scheme https -successRule "http.RES.STATUS.EQ(200)"

add authentication policy webAuth_policy -rule TRUE -action webAuth_action

The WebAuth action configured above uses two policy expressions. One (post_data) builds the POST body; the other (length_post_data) calculates the length of that body, which is used to populate the Content-Length header of the POST request.

The expression that builds the POST body parses the login request and extracts the user name and password that the user entered. It then assembles the POST body in the format the WebAuth server expects, using the user name and password extracted from the login request.

Finally, the WebAuth action creates the following request, which is sent to the WebAuth server.

POST /customAuth.aspx HTTP/1.1
Accept: */*
Host: 10.102.39.132
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Connection: Keep-Alive

myusername=test_user&mypassword=test_passwd
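The following Python script is an added illustration, not part of the Citrix documentation or product, of what the post_data and length_post_data expressions and the fullReqExpr of webAuth_action do to a login request. It reimplements the AFTER_STR/BEFORE_STR semantics used above, builds the same POST request, and plays the WebAuth server side with a stub that answers 200 or 401 so that the successRule (http.RES.STATUS.EQ(200)) can be evaluated end to end. The login body, the credential table and the stub server are constructed for the example; the path /customAuth.aspx, host 10.102.39.132 and header set come from the action on this page.

```python
import re

# Constructed sample: the form body that the gateway login page posts (login=...&passwd=...)
SAMPLE_LOGIN_BODY = "login=test_user&passwd=test_passwd"

# Constructed credential table standing in for the WebAuth server's own user store
WEBAUTH_USERS = {"test_user": "test_passwd"}


def after_str(text, marker):
    """AFTER_STR under SET_TEXT_MODE(IGNORECASE): text after the first match, '' if absent."""
    m = re.search(re.escape(marker), text, re.IGNORECASE)
    return text[m.end():] if m else ""


def before_str(text, marker):
    """BEFORE_STR: text before the first match; the whole text if the marker is absent."""
    m = re.search(re.escape(marker), text, re.IGNORECASE)
    return text[:m.start()] if m else text


def post_data(login_body, window=3000):
    """Mirror of the post_data expression: rebuild the form body the WebAuth server expects.

    http.REQ.BODY(3000) inspects only the first 3000 bytes of the login request.
    AFTER_STR("passwd=") takes everything up to the end of that window, so the
    password must be the last field of the login form for the body to be clean.
    """
    body = login_body[:window]
    user = before_str(after_str(body, "login="), "&")
    passwd = after_str(body, "passwd=")
    return "myusername=" + user + "&mypassword=" + passwd


def length_post_data(login_body, window=3000):
    """Mirror of length_post_data (.length on the same string).

    The page's expression reads BODY(1000) here while post_data reads BODY(3000);
    this example uses one window for both so Content-Length always matches the body.
    """
    return len(post_data(login_body, window))


def build_webauth_request(login_body, host="10.102.39.132", major=1, minor=1):
    """Assemble the request exactly as fullReqExpr does, header by header."""
    return (
        "POST /customAuth.aspx HTTP/%d.%d\r\n" % (major, minor)
        + "Accept: */*\r\n"
        + "Host: " + host + "\r\n"
        + "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
        + "Content-Type: application/x-www-form-urlencoded\r\n"
        + "Content-Length: " + str(length_post_data(login_body)) + "\r\n"
        + "Connection: Keep-Alive\r\n\r\n"
        + post_data(login_body)
    )


def webauth_server_stub(request):
    """Constructed stand-in for the WebAuth server: parse the forwarded form, answer a status code."""
    head, _, body = request.partition("\r\n\r\n")
    headers = dict(line.split(": ", 1) for line in head.split("\r\n")[1:])
    if int(headers["Content-Length"]) != len(body):
        return 400  # a wrong Content-Length is the first thing a real server would reject
    fields = dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)
    user = fields.get("myusername", "")
    if user and WEBAUTH_USERS.get(user) == fields.get("mypassword"):
        return 200
    return 401


def success_rule(status):
    """The action's successRule: http.RES.STATUS.EQ(200)."""
    return status == 200


def first_factor_passes(login_body):
    """Full first factor: gateway builds the request, WebAuth server answers, successRule decides."""
    return success_rule(webauth_server_stub(build_webauth_request(login_body)))


if __name__ == "__main__":
    print(build_webauth_request(SAMPLE_LOGIN_BODY))
    print("first factor passes:", first_factor_passes(SAMPLE_LOGIN_BODY))
```

Running the script prints the same request shown above (Content-Length 43 for the sample body) and reports whether the stubbed WebAuth server accepted it; feeding it a body with a wrong password shows the successRule failing on the 401.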

5. Configure LDAP Action and Policy for password change.

add authentication ldapAction ldap_action -serverIP 10.102.39.133 -serverPort 636 -secType SSL -ldapBase "dc=domain,dc=com" -ldapBindDn administrator -ldapBindDnPassword password -ldapLoginName samAccountName -passwdChange ENABLED
add authentication policy ldap_policy -rule TRUE -action ldap_action

The LDAP action is configured with -passwdChange ENABLED, which enables a user-initiated password change after VPN login.

6. Configure a LoginSchema action for LDAP factor.

add authentication loginSchema LDAP_schema -authenticationSchema /nsconfig/loginschema/LoginSchema/SingleAuth.xml

Because the LDAP factor requires a user name and a password from the end user, the login form displayed to the end user must show a user name field and a password field.

Citrix ADC ships with a few default LoginSchema XML files at /nsconfig/loginschema/LoginSchema on the NetScaler shell. You can use one of the default LoginSchema XMLs from that location.

7. Configure a policy label for LDAP factor using the LoginSchema action for LDAP factor:

add authentication policylabel LDAP_factor -loginSchema LDAP_schema

8. Bind LDAP Policy to the LDAP policy label.

bind authentication policylabel LDAP_factor -policyName ldap_policy -priority 10

9. Bind WebAuth policy to authentication virtual server with LDAP policy label as next factor.

bind authentication vserver auth1 -policy webAuth_policy -nextFactor LDAP_factor -priority 10

The above nFactor configuration can also be done using the nFactor Visualizer in Citrix ADC, which is available starting from firmware version 13.0.

Configuration by using the nFactor Visualizer

representation of the config in nfactor visualizer

The first factor here is WebAuth, followed by LDAP with the password change option enabled.

1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

2. Click + sign to add the nFactor flow.

Add nFactor flow

3. Add a factor. The name that you enter for this factor is the name of the nFactor flow.

Name for nFactor flow

4. Click Add Policy to add the Webauth policy and Webauth action/server.

Click add policy

Choose a policy

Create auth policy

5. Click the green + sign to add the next factor, which is LDAP authentication with the password change option enabled.

Add next factor that is LDAP

6. Click Add Schema to add the login schema for LDAP authentication.

Add schema for LDAP auth

7. Click Add Policy to add the LDAP authentication policy and LDAP action/server.

Add policy for LDAP auth

To create LDAP action/server, refer to the article https://support.citrix.com/article/CTX219939.

8. Once both the factors are configured, you must bind the flow to the authentication, authorization, and auditing virtual server.

Click bind to auth server

select the factor and bind to auth server

Debugging – Logs and counters

The following logs are seen after a successful login with WebAuth and LDAP. To see most of them, set the audit log level to ALL so that debug logs are also displayed.

set audit syslogparams -loglevel ALL

Note: The timestamps are removed from the logs for brevity.

Sample logs

The following counters are incremented after a successful login with WebAuth and LDAP.

  • pcp_hits authn(webAuth_policy)
  • aaa_tot_webauth_primary_auth
  • aaa_tot_webauth_prim_auth_success
  • aaa_tot_webauth_prim_succ_check_thru
  • pcp_hits authn(webAuth_policy)
  • pcp_hits authn(ldap_policy)
  • aaa_auth_succ
