Configure two-factor authentication with one login schema and one passthrough schema in Citrix ADC nFactor authentication

The following section describes the use case of two-factor authentication with one login schema and one passthrough schema.

Two-factor authentication with one login schema and one passthrough schema

Assume a use case where, admins configures two-factor authentication with one login schema and one passthrough schema. Client submits one user name and two passwords. The first set of user name and password is evaluated through an LDAP policy as first-factor, and the second password is evaluated through a RADIUS policy as second-factor.

  1. Once you access the traffic management virtual server, you are redirected to the login page for authentication.

  2. The client submits a user name and two passwords, for example- user1, pass1 and pass2.

  3. First-factor is evaluated against an LDAP action for user1 and pass1. Evaluation is successful and passed to the next factor, policy “label1”; in this case.

  4. The policy label specifies that the second-factor is passthrough with a RADIUS policy. A passthrough schema means that Citrix ADC appliance does not go back to the client for any further input. Citrix ADC simply uses the information it already has. In this case, it is user1 and pass2. The second-factor is then evaluated implicitly.

  5. The authentication server return cookies and a response that redirect the client’s browser back to the traffic management virtual server, where the requested content is available. If login fails, the client browser is presented with the original logon page so that the client can retry.

    Logon page

Perform the following by using the CLI

  1. Configure traffic management and authentication virtual server.

    • add lb vserver lbvs55 HTTP 80 -AuthenticationHost -Authentication ON
    • add authentication vserver auth56 SSL 443 -AuthenticationDomain
  2. Configure a second-factor.

    • add authentication loginSchema login1 -authenticationSchema login-2passwd.xml -userCredentialIndex 1 -passwordCredentialIndex 2
    • add authentication loginSchemaPolicy login1 -rule true -action login1
    • add authentication loginSchema login2 -authenticationSchema noschema
    • add authentication loginSchemaPolicy login2 -rule true -action login2
    • add authentication policylabel label1 -loginSchema login2
  3. Configure LDAP and RADIUS factor.

    • add authentication ldapAction ldapAct1 -serverIP -ldapBase "dc=aaatm, dc=com" -ldapBindDn -ldapBindDnPassword 71ca2b11ad800ce2787fb7deb54842875b8f3c360d7d46e3d49ae65c41550519 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN
    • add authentication Policy ldap -rule true -action ldapAct1
    • add authentication radiusAction radius -serverIP -radKey a740d6a0aeb3288fa0a6fbe932d329acddd8f448ecb4a3038daa87b36599fd16 -encrypted -encryptmethod ENCMTHD_3 -radNASip ENABLED -radNASid NS28.50 -radAttributeType 11 -ipAttributeType 8
    • add authentication Policy radius -rule true -action radius
  4. Bind the policies.

    • bind authentication vserver auth56 -policy login1 -priority 1 -gotoPriorityExpression END
    • bind authentication vserver auth56 -policy ldap -priority 1 -nextFactor label1 -gotoPriorityExpression next
    • bind authentication policylabel label1 -policyName radius -priority 2 -gotoPriorityExpression end


The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.

nFactor visualizer two factors

Configuring by using the nFactor Visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flows and click Add.

  2. Click + to add the nFactor flow.

    Add a flow

  3. Add a factor. The name that you enter is the name of the nFactor flow. Click Create.

    Add a name for the flow

  4. To add the two password schema for the first-factor, click Add Schema.

    Add a schema

  5. Click Add Policy to add the LDAP policy. You can create an authentication policy or select an existing authentication policy from the list.

    Add LDAP policy

  6. In the Action tab, select LDAP server.

    Add LDAP policy


    If LDAP server is not added, for more information on adding an LDAP server, see LDAP authentication policies

  7. Click green + to add the RADIUS factor and click Create.

    Add next factor

  8. Do not add a schema for this factor, as by default it takes no schema. To add RADIUS authentication policy, click Add Policy.

    Radius auth policy


    If RADIUS server if not added, for more information on adding an RADIUS server, see To configure RADIUS authentication

  9. Click Done to save the configuration.

  10. To bind the created nFactor flow to an authentication, authorization, and auditing virtual server, click Bind to Authentication Server and click Create.

    Bind auth server