Configure pre-auth and post-auth EPA scan as a factor in nFactor authentication
On Citrix Gateway, Endpoint Analysis (EPA) can be configured to check if a user device meets certain security requirements and accordingly allow access of internal resources to the user. The Endpoint Analysis plug-in downloads and installs on the user device when users log on to Citrix Gateway for the first time. If a user does not install the Endpoint Analysis plug-in on the user device, user cannot log on with the Citrix Gateway plug-in.
For understanding EPA in nFactor concepts, see, Concepts, and Entities Used for EPA in nFactor Authentication Through NetScaler.
In this topic, EPA scan is used as an initial check in a nFactor or multifactor authentication, followed by login and EPA scan as the final check.
User connects to Citrix Gateway virtual IP address. An EPA scan is initiated. If EPA scan is successful, user is rendered the login page with user name and password fields for LDAP or AD (Active Directory) based authentication. Based on the success of the user credentials, user is redirected to the next EPA factor.
High level steps involved in this configuration
1. If the scan is successful, the user is placed or tagged to a default user group.
2. The next method of authentication (LDAP) is chosen.
3. Based on the result of authentication, the user is presented with the next set of scan.
It is assumed that following configuration are in place.
- VPN virtual server/gateway and authentication virtual server configurations
- Authentication, authorization, and auditing user groups (for default & quarantined user groups) and associated policies
- LDAP server configurations and associated policies
Configuration by using the CLI
1. Create an action to perform an EPA scan and associate it with an EPA scan policy.
add authentication epaAction SecondEPA_client_scan -csecexpr "sys.client_expr(\"proc_0_firefox\")"
The preceding expression scans if the Firefox process is running on the client machine.
add authentication Policy SecondEPA_check -rule true -action SecondEPA_client_scan
2. Configure policy label post-epa-scan that hosts the policy for EPA scan.
add authentication policylabel post-epa-scan -loginSchema LSCHEMA_INT
Note: LSCHEMA_INT is an in-built schema with no schema (noschema), meaning no additional webpage is presented to user at this step.
3. Associate policy configured in step 1 with policy label configured in step 2.
bind authentication policylabel post-epa-scan -policyName SecondEPA_check - priority 100 -gotoPriorityExpression END
END indicates end of authentication mechanism.
4. Configure ldap-auth policy and associate it with an LDAP policy which is configured to authenticate with a particular LDAP server.
add authentication Policy ldap-auth -rule true -action ldap_server1 ldap_server1 is LDAP policy and ldap-auth is policy name
5. Configure policy label ldap-factor, with login schema to capture single factor user name and password.
add authentication policylabel ldap-factor -loginSchema LoginSchema/SingleAuth.xml
Note: Replace with the schema you need, in case you do not want to use in built schema LoginSchema/SingleAuth.xml
6. Associate the policy configured in step 4 with policy label configured in step 5.
bind authentication policylabel ldap-factor -policyName ldap-auth -priority 100 -gotoPriorityExpression END -nextFactor post-epa-scan
END indicates end of authentication mechanism for that leg and nextFactor indicates the next factor following authentication.
7. Create an action to perform EPA scan and associate it with an EPA scan policy.
add authentication epaAction FirstEPA_client_scan –csecexpr “sys.client_expr(\"os_0_win7_sp_1\")" -defaultEPAGroup default_group
Here default_group is a pre-configured user group.
The above expression scans if Windows 7 users have Service pack 1 installed.
add authentication Policy FirstEPA-check -rule true -action FirstEPA_client_scan
8. Associate an EPA scan policy to authentication, authorization, and auditing virtual server with next step pointing to policy label ldap-factor to perform next step in authentication.
bind authentication vserver MFA_AAA_vserver -policy FirstEPA-check -priority 100 -nextFactor ldap-factor -gotoPriorityExpression NEXT
Configuration by using the GUI
1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Actions > EPA.
First EPA Scan to check for Automatic Windows Update and a default group
Second EPA Scan to check for the Firefox Browser
2. Create an EPA Policy. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Policy and bind the action created in step 1.
Policy for first EPA scan
Policy for second EPA Scan
For more information on Advanced EPA see, Advanced Endpoint Analysis Scans
3. Create an nFactor flow. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
Note: nFactor Visualizer is available on firmware 13.0 and later.
4. Add a factor. The name that you enter is the name of the nFactor flow.
No schema is required for the EPA scan.
5.Click Add Policy to add a policy for first factor.
6. Select the First EPA policy created in step 2.
7. Click the green + sign and add the next factor, that is LDAP authentication.
8. Click Add Schema and then click Add to add a schema for the second factor.
9. Create a schema, in this example Single_Auth and choose this schema.
11. Click Add Policy to add an LDAP policy for authentication.
For more information on creating LDAP authentication see, Configuring LDAP Authentication
12. Create Next factor for post authentication EPA scan.
13. Click Add Policy, select SecondEPA_Check policy created in step 2, and click Add.
14. Click Done.
15. Click Bind to Authentication Server, select the nFactor flow, and then click Create.
Unbind the nFactor flow
1. Select the nFactor flow and click Show Bindings.
2. Select the authentication virtual server and click Unbind.