Configure periodic Endpoint Analysis scan as a factor in nFactor authentication
On Citrix Gateway, Endpoint Analysis (EPA) can be configured to check whether a user device meets certain security requirements and, accordingly, allow the user access to internal resources. The Endpoint Analysis plug-in is downloaded and installed on the user device when the user logs on to Citrix Gateway for the first time. If a user does not install the Endpoint Analysis plug-in on the user device, the user cannot log on with the Citrix Gateway plug-in.
For the concepts behind EPA in nFactor, see Concepts and Entities Used for EPA in nFactor Authentication Through NetScaler.
In the classic policy infrastructure, periodic EPA was configured as part of a session policy, under the VPN session action. Under the Advanced Policy Infrastructure, it can be linked to nFactor.
In this topic, an EPA scan is used as a continuous check in an nFactor (multifactor) authentication flow.
The user tries to connect to the Citrix Gateway virtual IP address. A simple login page with user name and password fields is rendered to the user to collect the login credentials. With these credentials, LDAP or AD based authentication is performed at the back end. If it succeeds, the user is presented with a pop-up to authorize the EPA scan. Once the user authorizes it, the EPA scan is performed and, based on whether the user's client settings pass or fail the scan, the user is granted or denied access.
If the scan is successful, the EPA scan is then repeated periodically to ascertain that the configured security requirements are still met. If the EPA scan fails during any such check, the session is terminated.
It is assumed that the following configurations are in place:
- VPN virtual server/gateway and authentication virtual server configurations
- LDAP server configurations and associated policies
The required policy and policy label configurations are shown in this topic and associated with an authentication profile.
The following image shows the mapping of policies and policy labels. This is the approach used for the configuration, but read from right to left.
Perform the following by using the CLI
Create an action to perform the EPA scan and associate it with an EPA scan policy.
add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr (\"proc_2_firefox\")"
The preceding expression checks whether the process ‘Firefox’ is running. The EPA plug-in checks for the process every 2 minutes, as signified by the digit ‘2’ in the scan expression.
add authentication Policy EPA-check -rule true -action EPA-client-scan
Configure the policy label post-ldap-epa-scan that hosts the policy for the EPA scan.
add authentication policylabel post-ldap-epa-scan -loginSchema LSCHEMA_INT
Note: LSCHEMA_INT is a built-in login schema that presents no schema, meaning that no additional web page is shown to the user at this step.
Associate the policy configured in step 1 with the policy label configured in step 2.
bind authentication policylabel post-ldap-epa-scan -policyName EPA-check -priority 100 -gotoPriorityExpression END
In this command, END indicates the end of the authentication mechanism.
Configure the ldap-auth policy and associate it with the LDAP server action that is configured to authenticate users against a particular LDAP server.
add authentication Policy ldap-auth -rule true -action ldap_server1
where ldap_server1 is the LDAP server action (the -action argument) and ldap-auth is the policy name.
Associate the ldap-auth policy with the authentication, authorization, and auditing virtual server, with the next factor pointing to the policy label post-ldap-epa-scan to perform the EPA scan.
bind authentication vserver MFA_AAA_vserver -policy ldap-auth -priority 100 -nextFactor post-ldap-epa-scan -gotoPriorityExpression NEXT
Configuration by using the nFactor Visualizer in the GUI
The preceding configuration can also be performed by using the nFactor Visualizer, a feature available on firmware 13.0 and later.
Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
Click + to add the nFactor flow.
Add a factor. The name that you enter is the name of the nFactor flow.
Click Add Schema to add a schema for the first factor and then click Add.
Click Add Policy to add the LDAP policy. If the LDAP policy is already created, you can select it.
Note: You can also create the LDAP policy here. Click Add and, in the Action field, select LDAP. For more details about adding an LDAP server, see https://support.citrix.com/article/CTX123782.
Click + to add the EPA factor.
Leave the Add Schema section blank so that the default no-schema is applied for this factor. Click Add Policy to add the post-authentication EPA policy and action.
After the nFactor flow is complete, bind this flow to the authentication, authorization, and auditing virtual server.
Note: If periodic EPA is configured in multiple factors, the latest factor with a periodic EPA configuration is considered.
In this example, EPA is the first factor, where the scan looks for the process ‘Firefox’. If the EPA scan is successful, it leads to LDAP authentication, followed by another EPA scan that looks for the process ‘Chrome’. When multiple periodic scans are configured as different factors, the latest scan takes precedence. In this case, the EPA plug-in scans for the process ‘Chrome’ every 3 minutes after the login is successful.
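As an added example (not part of the Citrix documentation), the following Python audit script parses an ns.conf excerpt such as the CLI commands above, walks the factor chain through the -nextFactor links, and reports which periodic EPA scan the plug-in will actually repeat, applying the "latest factor wins" rule from the note. The configuration it parses is constructed; EPA-pre-scan, EPA-pre and ldap-factor are assumed names, and one binding per label or virtual server is assumed.

```python
import re

# Constructed ns.conf excerpt (sample data, not from a real appliance): the page's two-factor CLI flow
# plus an assumed leading EPA factor (EPA-pre-scan, EPA-pre, ldap-factor), so two periodic scans coexist.
SAMPLE_CONF = r'''
add authentication epaAction EPA-pre-scan -csecexpr "sys.client_expr (\"proc_2_firefox\")"
add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr (\"proc_3_chrome\")"
add authentication Policy EPA-pre -rule true -action EPA-pre-scan
add authentication Policy EPA-check -rule true -action EPA-client-scan
add authentication Policy ldap-auth -rule true -action ldap_server1
add authentication policylabel ldap-factor -loginSchema LSCHEMA_INT
add authentication policylabel post-ldap-epa-scan -loginSchema LSCHEMA_INT
bind authentication policylabel post-ldap-epa-scan -policyName EPA-check -priority 100 -gotoPriorityExpression END
bind authentication policylabel ldap-factor -policyName ldap-auth -priority 100 -nextFactor post-ldap-epa-scan -gotoPriorityExpression NEXT
bind authentication vserver MFA_AAA_vserver -policy EPA-pre -priority 100 -nextFactor ldap-factor -gotoPriorityExpression NEXT
'''
PERIODIC = re.compile(r'proc_(\d+)_([A-Za-z0-9_.-]+)')  # proc_<minutes>_<process>, the page's syntax
NEXT_OPT = r'(?: .*?-nextFactor (\S+))?'                 # optional -nextFactor on a bind line

def parse_conf(conf):
    """EPA actions, policy->action, and one bind per label/vserver (priorities are not resolved)."""
    actions, policies, label_binds, vserver_binds = {}, {}, {}, {}
    for line in conf.splitlines():
        if m := re.match(r'add authentication epaAction (\S+) -csecexpr "(.*)"', line):
            actions[m[1]] = m[2]
        elif m := re.match(r'add authentication Policy (\S+) .*-action (\S+)', line):
            policies[m[1]] = m[2]
        elif m := re.match(r'bind authentication policylabel (\S+) -policyName (\S+)' + NEXT_OPT, line):
            label_binds[m[1]] = (m[2], m[3])
        elif m := re.match(r'bind authentication vserver (\S+) -policy (\S+)' + NEXT_OPT, line):
            vserver_binds[m[1]] = (m[2], m[3])
    return actions, policies, label_binds, vserver_binds

def factor_chain(conf, vserver):
    """Walk -nextFactor links from the vserver: list of (policy, EPA expression or None) per factor."""
    actions, policies, label_binds, vserver_binds = parse_conf(conf)
    policy, nxt = vserver_binds[vserver]
    chain, seen = [], set()
    while True:
        chain.append((policy, actions.get(policies[policy])))
        if nxt is None or nxt in seen:  # END reached, or a loop in the flow
            return chain
        seen.add(nxt)
        policy, nxt = label_binds[nxt]

def effective_periodic_scan(conf, vserver):
    """(process, minutes) the plug-in actually repeats (the LAST periodic EPA factor), plus all periodic factors."""
    periodic = [(p, m[2], int(m[1])) for p, expr in factor_chain(conf, vserver)
                if expr and (m := PERIODIC.search(expr))]
    return ((periodic[-1][1], periodic[-1][2]) if periodic else None), periodic
```

When the returned list holds more than one entry, every scan except the last is shadowed by the final factor and will not be repeated after login.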