Configure user name and two passwords with group extraction in third factor by nFactor authentication

The following section describes the use case of user name and two passwords with group extraction in a third factor by nFactor authentication.

User name and two passwords with group extraction in third factor

Assume a use case where, admins configure first authentication factor to have a user name and two password fields. The second factor is a pass through (there is no login page for this factor), which uses the user name and second password from the first factor. The third authentication factor is pass through and is configured for group extraction using user name from first factor.

  1. Once you access the traffic management virtual server, you are redirected to the login page.

  2. The client submits a user name and two passwords. For example, user1, pass1 and pass2.

  3. First factor is evaluated against a local policy for user1 and pass1. Evaluation is successful and the next factor is passed, policy “label1” in this case.

  4. The policy label specifies that the second factor is pass through with a RADIUS policy. A pass through schema means that Citrix ADC appliance does not go back to the client for any further input. Citrix ADC appliance simply uses the information it already has. In this case, it is user1 and pass2. The second factor is then evaluated implicitly. After successful evaluation, the next factor is passed (policy “label2” in this case.)

  5. The policy label specifies that the third factor is pass through with an LDAP policy configured for group extraction. Citrix ADC appliance implicitly uses the user name from the first factor.

  6. The authentication server returns cookies and a response that redirect the client’s browser back to the traffic management virtual server, where the requested content is. If a login fails, the client’s browser is presented with the original logon page so that the client can retry.

    Logon form

Perform the following by using the CLI

  1. Configure traffic management and authentication virtual server.

    • add lb vserver lbvs1 HTTP 10.217.28.152 80 -AuthenticationHost auth1.nsi-test.com -Authentication ON
    • add authentication vserver avn SSL 10.217.28.154 443 -AuthenticationDomain dep.sqltest.net
  2. Configure a first factor.

    • add authentication loginSchema login1 -authenticationSchema login-2passwd.xml
    • add authentication loginSchemaPolicy login1 -rule true -action login1
  3. Configure a second factor.

    • add authentication loginSchema login2 -authenticationSchema noschema
    • add authentication policylabel label1 -loginSchema login2
  4. Configure a third factor.

    • add authentication loginSchema login_pass -authenticationSchema noschema
    • add authentication policylabel label2 -loginSchema login_pass
  5. Configure LOCAL, RADIUS, and LDAP factor.

    • add authentication Policy localpolicy -rule true -action LOCAL
    • add authentication ldapAction ldapact -serverIP 10.217.201.84 -ldapBase "cn=users,dc=dep,dc=sqltest,dc=net" -ldapBindDn Administrator@dep.sqltest.net -ldapBindDnPassword 8f7e6642195bc181f734cbc1bd18dfaf03bf9835abda7c045f7a964ceb58d4c9 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userprincipalname
    • add authentication Policy ldappolicy -rule true -action ldapact
    • add authentication radiusAction radius -serverIP 10.217.22.20 -radKey a740d6a0aeb3288fa0a6fbe932d329acddd8f448ecb4a3038daa87b36599fd16 -encrypted -encryptmethod ENCMTHD_3 -radNASip ENABLED -radNASid NS28.50 -radAttributeType 11 -ipAttributeType 8
    • add authentication Policy radiuspolicy -rule true -action radius
  6. Bind the policies.

    • bind authentication vserver avn -policy login1 -priority 10 -gotoPriorityExpression END
    • bind authentication vserver avn -policy localpolicy -priority 2 -nextFactor label1 -gotoPriorityExpression NEXT
    • bind authentication policylabel label1 -policyName radiuspolicy -priority 1 -gotoPriorityExpression NEXT -nextFactor label2
    • bind authentication policylabel label2 -policyName ldappolicy -priority 10 -gotoPriorityExpression NEXT

Note

The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.

nFactor visualizer RADIUS and group extraction

Configuring by using the nFactor Visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flows and click Add.

  2. Click + to add the nFactor flow.

    Add a flow

  3. Add a factor. The name that you enter is the name of the nFactor flow. Click Create.

    Add a name for the flow

  4. Click Add Schema to add the login schema for the first factor. You can create an authentication login schema or select an existing authentication login schema from the list. Click OK.

    Add a schema

  5. Click Add Policy to add the first factor authentication policy. You can create an authentication policy or select an existing authentication policy from the list.

    Add local policy

  6. Create Local policy, as per the following.

    Create local policy

  7. Click green + to add the second factor.

    Add next factor

  8. Click Add Schema to add the login schema for the second factor. You can create an authentication login schema or select an existing authentication login schema from the list. Click OK.

    Add second factor

  9. Click Add Policy to create a policy. Click Create and click Add.

    Add policy

    Note

    In case the RADIUS actions is not created, see To configure RADIUS authentication

  10. Click green + to add the third factor, and click Create.

    Add third factor

  11. Click Add Schema to add the login schema for the second factor. You can create an authentication login schema or select an existing authentication login schema from the list. Click OK.

  12. Click Add Policy to create a policy. Click Create and click Add.

  13. In case the LDAP action is added, select the same. If not, follow the KB article to create one, also since you are doing only extraction, make sure to have the authentication disabled on the LDAP action. For more information, see How to Use LDAP for Group Extraction Through NetScaler Without Authentication

    Add ldap auth

  14. On the Configure Authentication Policy add LDAP policy and click OK.

    Add ldap auth policy

  15. Click Done. Select nFactor flow and click Bind to Authentication Server option and select the authentication, authorization, and auditing virtual server from the list.

    LDAP factor