Configure pre-authentication Endpoint Analysis scan as a factor in nFactor authentication

On Citrix Gateway, Endpoint Analysis (EPA) can be configured to check if a user device meets certain security requirements and accordingly allow access of internal resources to the user. The Endpoint Analysis plug-in downloads and installs on the user device when users log on to Citrix Gateway for the first time. If a user does not install the Endpoint Analysis Plug-in on the user device or chooses to skip the scan, the user cannot log on with the Citrix Gateway plug-in. Optionally, user can be put in a quarantine group where the user gets limited access to internal network resources.

EPA scan in nFactor or multifactor authentication

In this topic, EPA scan is used as an initial check in a nFactor or multifactor authentication.

User connects to Citrix Gateway virtual IP address. An EPA scan is initiated. If EPA scan is successful, user is rendered with login page with user name and password fields for RADIUS or OTP-based authentication. Else, user is rendered with a login page, but this time user is authenticated using LDAP or AD (Active Directory) based authentication. Based on the success or failure of user provided credentials, user is provided access.

Implementing this logic post EPA:

  1. If the EPA scan is successful, user is placed or tagged to a default user group.

  2. If the EPA scan is a failure, then user is placed or tagged to a quarantine group.

  3. The next method of authentication (RADIUS or LDAP) is chosen based on user group membership as determined in the first two steps.


Make sure the following configuration is in place.

  • VPN virtual server or gateway and authentication virtual server configurations
  • Authentication, authorization, and auditing user groups (for default and quarantined user groups) and associated policies
  • LDAP and RADIUS server configurations and associated policies

The following figure displays mapping of policies and policy label. This is the approach used for configuration, but from right to left.

Mapping of policies and policy label in this example

Note: The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.

Representation of this setup in visualizer

Perform the following by using the CLI

  1. Configure an LDAP-auth policy to check for quarantined_group membership and associate it with an LDAP policy that is configured to authenticate with a particular LDAP server.

    add authentication Policy ldap-auth -rule "HTTP.REQ.USER.IS_MEMBER_OF (\"quarantined_group\")" -action ldap_server1
    ldap_server1 is LDAP policy and ldap-auth is policy name
  2. Configure Radius-auth policy to check for default_group membership and associate it with a RADIUS policy that is configured to authenticate with a particular RADIUS server.

    add authentication Policy radius-auth -rule "HTTP.REQ.USER.IS_MEMBER_OF(\"default_group\")" -action radius_server1
    radius_server1 is Radius Policy and radius-auth is policy name
  3. Configure policy label post-epa-usergroup-check with a login schema to capture single factor user name and password.

    add authentication policylabel post-epa-usergroup-check -loginSchema lschema_single_factor_deviceid

    Note: If you do not want to use the in built schema lschema_single_factor_deviceid, you can replace with the schema as per your requirement.

  4. Associate policies configured in step 1 and 2 with policy label configured in step 3.

    bind authentication policylabel post-epa-usergroup-check -policyName radius-auth -priority 100 -gotoPriorityExpression END
    bind authentication policylabel post-epa-usergroup-check -policyName ldap-auth -priority 110 -gotoPriorityExpression END

    Note: END indicates end of authentication mechanism for that leg.

  5. Create an action to perform EPA scan and associate it with an EPA scan policy.

    add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr(\"app_0_MAC- BROWSER_1001_VERSION_<=_10.0.3\")||sys.client_expr(\"os_0_win7_sp_1\")"  -defaultEPAGroup default_group -quarantineGroup quarantined_group

    The default_group and quarantined_group are pre-configured user groups. The expression in step 5 scans if macOS users have browser version less than 10.0.3 or if Windows 7 users have Service pack 1 installed.

    add authentication Policy EPA-check -rule true -action EPA-client-scan
  6. Associate an EPA scan policy to authentication, authorization, and auditing virtual server with the next step pointing to the policy label post-epa-usergroup-check. This is to perform the next step in authentication.

    bind authentication vserver MFA_AAA_vserver -policy EPA-check -priority 100 - nextFactor post-epa-usergroup-check -gotoPriorityExpression NEXT

Configuration by using the nFactor Visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

  2. Click + to add the nFactor flow.

    Click to add a factor

  3. Add a factor. The name that you enter is the name of the nFactor flow.

    Add a name for the factor

    Note: No schema is required for the first factor.

    No schema required for first factor

  4. Click Add Policy and then Add to create an authentication policy for EPA check.

    Click to add a policy

  5. In Action field, click Add to add the EPA action.

    Click to Add an action

    For more details on EPA, see Configuring Advanced Endpoint Analysis Scan.

  6. Click the green + sign on the EPA_nFactor block to add the next factor for post EPA user group check.

    Click to add next factor for post EPA user group check

  7. Click Add Schema to add the schema for the second factor. Select the schema lschema_single_factor_deviceid.

    Click to add schema for second factor

    Select schema for second factor

  8. Click Add policy to select the policy for LDAP authentication.

    Click to add a policy for LDAP authentication

    The policy for LDAP checks if the user is part of quarantined group. For more information on creating LDAP authentication, see, Configuring LDAP Authentication.

    Select the policy for LDAP authentication

  9. Click the blue + sign on the EPA_nFactor block to add the second authentication.

    Click to add second authentication

  10. Click Add to select the policy for the RADIUS authentication. For more information on creating RADIUS authentication, see Configuring RADIUS Authentication.

    Click add to select a policy for RADIUS authentication

    The policy for the LDAP checks if the user is part of the default group.

    Select the policy for LDAP

  11. Click Done.

  12. After the nFactor flow is complete, bind this flow to the authentication, authorization, and auditing virtual server. Click Bind to Authentication Server then click Create.

    Click to bind the flow to the authentication virtual server

Unbind the nFactor flow

  1. Select the nFactor flow and click Show Bindings.

  2. Select the authentication virtual server and click Unbind.

    Unbind the nFactor flow