Configuring nFactor authentication

You can configure multiple authentication factors using nFactor configuration rather than just two factors. nFactor configuration is supported only in Citrix ADC Advanced and Premium editions.

Methods to configure nFactor

You can configure nFactor authentication by one of the following methods:

Important: This topic contains details about configuring nFactor by using the Citrix ADC GUI.

Configuration elements involved in nFactor configuration

The following elements are involved in configuring nFactor. For detailed steps, refer to the appropriate sections in this topic.

Configuration elements and the tasks to be performed for each:

  AAA virtual server
    • Create a AAA virtual server
    • Bind portal theme to AAA virtual server
    • Enable client certificate authentication
  Login schema
    • Configure a login schema profile
    • Create and bind a login schema policy
  Advanced authentication policies
    • Create advanced authentication policies
    • Bind first factor advanced authentication policy to Citrix ADC AAA virtual server
    • Use extracted LDAP groups to select the next authentication factor
  Authentication policy label
    • Create authentication policy label
    • Bind authentication policy label
  nFactor for Citrix Gateway
    • Create authentication profile to link a Citrix ADC AAA virtual server with Citrix Gateway virtual server
    • Configure SSL parameters and CA certificate for Citrix Gateway
    • Configure Citrix Gateway traffic policy for nFactor single sign-on to StoreFront

How nFactor works

When a user connects to a Citrix ADC AAA or Citrix Gateway virtual server, the sequence of events is as follows:

  1. If forms-based authentication is used, the login schema bound to the Citrix ADC AAA virtual server is displayed.

  2. Advanced authentication policies bound to the Citrix ADC AAA virtual server are evaluated.
    • If the advanced authentication policy succeeds, and if next factor (authentication policy label) is configured, next factor is evaluated. If Next Factor is not configured, then authentication is complete and successful.
    • If the advanced authentication policy fails, and if Goto Expression is set to Next, then next bound advanced authentication policy is evaluated. If none of the advanced authentication policies succeed, then authentication fails.
  3. If the next factor authentication policy label has a Login Schema bound to it, it is displayed to the user.
  4. The advanced authentication policies bound to the next factor authentication policy label are evaluated.
    • If the advanced authentication policy succeeds, and if next factor (authentication policy label) is configured, next factor is evaluated. If Next Factor is not configured, then authentication is complete and successful.
    • If the advanced authentication policy fails, and if Goto Expression is Next, then the next bound advanced authentication policy is evaluated. If none of the advanced authentication policies succeeds, then authentication fails.

AAA virtual server

To use nFactor with Citrix Gateway, you first configure it on a AAA Virtual Server. Then you later link the AAA virtual server to the Citrix Gateway virtual server.

Create AAA Virtual Server

  1. If the AAA feature is not already enabled, navigate to Security > AAA – Application Traffic, and right-click to enable the feature.

  2. Navigate to Configuration > Security > AAA - Application Traffic > Virtual Servers.

  3. Click Add to create an authentication virtual server.

  4. Enter the following information and click OK.

    • Name: the name for the AAA virtual server.
    • IP address Type: change the IP address Type to Non Addressable if this virtual server is used only for Citrix Gateway.

  5. Under Certificate, select No Server Certificate.

  6. Click the text, Click to select to select the server certificate.

  7. Click the radio button next to a certificate for the AAA Virtual Server, and click Select. The chosen certificate doesn’t matter because this server is not directly accessible.

  8. Click Bind.

  9. Click Continue to close the Certificate section.

  10. Click Continue.

Bind portal theme to AAA virtual server

  1. Navigate to Citrix Gateway > Portal Themes, and add a theme. You create the theme under Citrix Gateway, and then later bind it to the AAA virtual server.

  2. Create a theme based on the RfWebUI template theme.

  3. After adjusting the theme as desired, at the top of the portal theme editing page, click Click to Bind and View Configured Theme.

  4. Change the selection to Authentication. From the Authentication Virtual Server Name drop-down menu, select the AAA Virtual Server, and click Bind and Preview and close the preview window.

Enable client certificate authentication

If one of your authentication Factors is client certificate, then you must perform some SSL configuration on the AAA Virtual Server:

  1. Navigate to Traffic Management > SSL > Certificates > CA Certificates, and install the root certificate for the issuer of the client certificates. Root certificates do not have a key file.

  2. Navigate to Traffic Management > SSL > Change advanced SSL settings.

    a. Scroll down to check whether Default Profile is ENABLED. If yes, then you must use an SSL Profile to enable Client Certificate Authentication. Otherwise, you can enable Client Certificate Authentication directly on the AAA Virtual Server in the SSL Parameters section.

  3. If default SSL Profiles are not enabled:

    a. Navigate to Security > AAA - Application Traffic > Virtual Servers, and edit an existing AAA virtual server.

    b. On the left, in the SSL Parameters section, click the pencil icon.

    c. Check the box next to Client Authentication.

    d. Make sure Optional is selected in the Client Certificate drop-down menu, and click OK.

  4. If Default SSL Profiles are enabled, then create a new SSL Profile with Client Authentication enabled:

    a. On the left menu, expand System, and click Profiles.

    b. On the top right, switch to the SSL Profile tab.

    c. Right-click the ns_default_ssl_profile_frontend profile, and click Add. This copies settings from the default profile.

    d. Give the Profile a name. The purpose of this profile is to enable Client Certificates.

    e. Scroll down and find the Client Authentication checkbox. Check the box.

    f. Change the Client Certificate drop-down to OPTIONAL.

    g. Copying the default SSL Profile does not copy the SSL Ciphers so you’ll have to redo them.

    h. Click Done when done creating the SSL Profile.

    i. Navigate to Security > AAA – Application Traffic > Virtual Servers, and edit a AAA vServer.

    j. Scroll down to the SSL Profile section and click the pencil.

    k. Change the SSL Profile drop-down to the profile that has Client Certificates enabled. Click OK.

    l. Scroll down this article until you reach the instructions to bind the CA certificate.

  5. On the left, in the Certificates section, click where it says No CA Certificate.

  6. Click the text, Click to select.

  7. Click the radio button next to the root certificate for the issuer of the client certificates, and click Select.

  8. Click Bind.

Login schema XML file

Login Schema is an XML file providing the structure of forms-based authentication logon pages.

nFactor implies multiple authentication Factors that are chained together. Each Factor can have different Login Schema pages/files. In some authentication scenarios, users could be presented with multiple logon screens.

Configure a login schema profile

To configure a Login Schema Profile:

  1. Create or Edit a Login Schema .XML file based on your nFactor design.
  2. Navigate to Security > AAA - Application Traffic > Login Schema.

  3. On the right, switch to the Profiles tab, and click Add.

  4. In the Authentication Schema field, click the pencil icon.

  5. Click the LoginSchema folder to see the files in it.

  6. Select one of the files. You can see a preview on the right. The labels can be changed by clicking the Edit button on the top right.

  7. When you Save the changes, a new file is created under /nsconfig/LoginSchema.

  8. On the top right, click Select.

  9. Give the Login Schema a name, and click More.

  10. You typically need to use the entered credentials elsewhere. For example, you might need to use the username and one of the passwords to later Single Sign-on to StoreFront. Click More at the bottom of the Create Authentication Login Schema page and enter unique values for the indexes. These values can be between 1 and 16.

    a. Later you reference these index values in a Traffic Policy/Profile by using the expression HTTP.REQ.USER.ATTRIBUTE(#).

  11. Click OK to create the Login Schema profile.

    Note: If you later edit the Login Schema .xml file, the changes might not be reflected until you edit the Login Schema Profile and select the .xml file again.

Create and bind a login schema policy

To bind a Login Schema Profile to a AAA vServer, you must first create a Login Schema Policy. Login Schema Policies are not required when binding the Login Schema Profile to an Authentication Policy Label, as detailed later.

To create and bind a Login Schema Policy:

  1. Navigate to Security > AAA - Application Traffic > Login Schema.

  2. On the Policies tab, click Add.

  3. Use the Profile drop-down menu to select the Login Schema Profile you already created.

  4. Enter a Default Syntax expression (e.g. true) in the Rule box, and click Create.

  5. On the left, navigate to Security > AAA - Application Traffic > Virtual Servers, and edit an existing AAA Virtual Server.

  6. In the Advanced Settings column, click Login Schemas.

  7. In the Login Schemas section, click the text No Login Schema.

  8. Click the text, Click to select.

  9. Click the radio button next to the Login Schema policy, and click Select. Only Login Schema Policies appear in this list. Login Schema Profiles (without a policy) do not appear.

  10. Click Bind.

Advanced authentication policies

Authentication policies are a combination of a policy expression and a policy action. If the expression is true, the authentication action is evaluated.

Create advanced authentication policies

You will need Authentication Actions/Servers (e.g. LDAP, RADIUS, CERT, SAML, etc.). When creating an Advanced Authentication Policy, there’s a plus (Add) icon that lets you create Authentication Actions/Servers.

Or you can create Authentication Actions (Servers) before creating the Advanced Authentication Policy. The Authentication Servers are located under Authentication > Dashboard. On the right, click Add and select a Server Type. The instructions for creating these Authentication Servers are not detailed here. See the Authentication – NetScaler 12 / Citrix ADC 12.1 procedures.

To create an Advanced Authentication Policy:

  1. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Advanced Policies > Policy.

  2. In the details pane do one of the following:
    • To create a policy, click Add.
    • To modify an existing policy, select the policy, and then click Edit.
  3. In the Create Authentication Policy or Configure Authentication Policy dialog box, type or select values for the parameters.

    • Name - The policy name. Cannot be changed for a previously configured policy.
    • Action Type - The policy type: Cert, Negotiate, LDAP, RADIUS, SAML, SAMLIDP, TACACS, or WEBAUTH.
    • Action - The authentication action (profile) to associate with the policy. You can choose an existing authentication action, or click the plus and create an action of the proper type.
    • Log Action - The audit action to associate with the policy. You can choose an existing audit action, or click the plus and create an action. If you do not have any audit actions configured, or want to create a new one, click Add and complete the steps.
    • Expression - The rule that selects connections to which you want to apply the action that you specified. The rule can be simple (“true” selects all traffic) or complex. You enter expressions by first choosing the type of expression in the leftmost drop-down list beneath the Expression window, and then by typing your expression directly into the expression text area, or by clicking Add to open the Add Expression dialog box and using the drop-down lists in it to construct your expression.
    • Comment - You can type a comment that describes the type of traffic that this authentication policy applies to. Optional.
  4. Click Create and then click Close. If you created a policy, that policy appears in the Authentication Policies and Servers page.

You must create additional advanced authentication policies as required based on your nFactor design.

Bind first factor advanced authentication policy to Citrix ADC AAA virtual server

You can directly bind advanced authentication policies for the first factor to the Citrix ADC AAA virtual server. For the next factors, you must bind the advanced authentication policies to authentication policy labels.

  1. Navigate to Security > AAA - Application Traffic > Virtual Servers. Edit an existing virtual server.

  2. On the left, in the Advanced Authentication Policies section, click No Authentication Policy.

  3. In Select Policy, click the text, Click to select.

  4. Click the radio button next to the Advanced Authentication Policy, and click Select.

  5. In the Binding Details section, the Goto Expression determines what happens next if this advanced authentication policy fails.
    • If Goto Expression is set to NEXT, then the next advanced authentication policy bound to this Citrix ADC AAA Virtual Server is evaluated.
    • If Goto Expression is set to END, or if there are no more advanced authentication policies bound to this Citrix ADC AAA Virtual Server, then authentication is completed and marked as failed.

  6. In Select Next Factor, you can point to an authentication policy label. The next factor is evaluated only if the advanced authentication policy succeeds. Finally, click Bind.

Use extracted LDAP groups to select the next authentication Factor

You can use extracted LDAP groups to select the next authentication factor without actually authenticating with LDAP.

  1. When creating or editing an LDAP server or LDAP action, clear the Authentication check box.
  2. In Other Settings, select appropriate values in Group Attribute and Sub Attribute Name.

Authentication policy label

When you bind an advanced authentication policy to the Citrix ADC AAA Virtual Server and have selected a next factor, the next factor is evaluated only if the advanced authentication policy succeeds. The next factor that is evaluated is an authentication policy label.

The authentication policy label specifies a collection of authentication policies for a particular factor. Each policy label corresponds to a single factor. It also specifies the login form that must be presented to the user. The authentication policy label must be bound as the next factor of an authentication policy or of another authentication policy label.

Note: Not every factor needs a login schema. A login schema profile is required only if you are binding a login schema to an Authentication Policy Label.

Create authentication policy label

A policy label specifies the authentication policies for a particular factor. Each policy label corresponds to a single factor. The policy label specifies the login form that must be presented to the user. The policy label must be bound as the next factor of an authentication policy or of another authentication policy label. Typically, a policy label includes authentication policies for a specific authentication mechanism. However, you can also have a policy label that has authentication policies for different authentication mechanisms.

  1. Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Policy Label.

  2. Click the Add button.

  3. Complete the following fields to Create Authentication Policy Label:

    a) Enter the Name for the new authentication policy label.

    b) Select the Login Schema associated with the authentication policy label. If you do not want to display anything to the user, you can select a login schema profile that is set to noschema (LSCHEMA_INT).

    c) Click Continue.

  4. In Policy Binding section, click where it says Click to select.

  5. Select the authentication policy that evaluates this factor.

  6. Complete the following fields:

    a) Enter the Priority of the policy binding.

    b) In Goto Expression select NEXT if you want to bind more advanced authentication policies to this factor or select END.

  7. In Select Next Factor, if you want to add another factor, click to select and bind the next authentication policy label (next factor). If you do not select the next factor, and if this advanced authentication policy succeeds, then authentication is successful and complete.
  8. Click Bind.

  9. You can click Add Binding to add more advanced authentication policies to this policy label (factor). Click Done upon completion.

Bind authentication policy label

After you create the policy label, you bind it to an existing advanced authentication policy binding to chain factors together.

You can select the next factor when editing an existing Citrix ADC AAA virtual server that has an advanced authentication policy bound or when editing a different policy label to include next factor.

To edit an existing Citrix ADC AAA virtual server that has an advanced authentication policy already bound to it

  1. Navigate to Security > AAA – Application Traffic > Virtual Servers. Select the virtual server and click Edit.

  2. On the left, in the Advanced Authentication Policies section, click an existing authentication policy binding.

  3. In Select Action, click Edit Binding.

  4. In Select Next Factor, click, and select an existing authentication policy label (next factor).

  5. Click Bind. You can see the next factor on the extreme right.

To add a policy label next factor to a different policy label

  1. Navigate to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel. Select a different policy label and click Edit.

  2. In Select Action, click Edit Binding.

  3. In Binding Details > Select Next Factor, click to select the next factor.
  4. Choose the policy label for the next factor and click the Select button.

  5. Click Bind. You can see the next factor on the right.

nFactor for Citrix Gateway

To enable nFactor on Citrix Gateway, an authentication profile must be linked to a Citrix ADC AAA virtual server.

  1. Navigate to Citrix Gateway > Virtual Servers and select an existing gateway virtual server to edit.

  2. In Advanced Settings, click Authentication Profile.

  3. Click Add under Authentication Profile.

  4. Enter the name for the authentication profile and click where it says Click to select.

  5. In Authentication Virtual Server, select an existing server that has login schema, advanced authentication policy, and authentication policy labels configured. You can also create an authentication virtual server. The Citrix ADC AAA virtual server does not need an IP address. Click Select.

  6. Click Create.

  7. Click OK to close the Authentication Profile section.

Note: If you have configured one of the factors as client certificates, then you must also configure SSL parameters and the CA certificate.

After you have linked the authentication profile to the AAA virtual server, browsing to your Citrix Gateway shows the nFactor authentication screens.

Configure SSL parameters and CA certificate

If one of the authentication factors is a certificate, then you must perform some SSL configuration on the Citrix Gateway virtual server.

  1. Navigate to Traffic Management > SSL > Certificates > CA Certificates, and install the root certificate for the issuer of the client certificates. Certificate Authority certificates do not need key files.

    If default SSL Profiles are enabled, then you should have already created an SSL Profile that has Client Authentication enabled.

  2. Navigate to Citrix Gateway > Virtual Servers, and edit an existing Citrix Gateway virtual server that is enabled for nFactor.

    • If default SSL Profiles are enabled, click the edit icon, and in the SSL Profile list select the SSL Profile that has Client Authentication enabled and set to OPTIONAL.
    • If default SSL Profiles are not enabled, click the edit icon, check the Client Authentication check box, and ensure Client Certificate is set to Optional.
  3. Click OK.

  4. In Certificates section, click No CA Certificate.

  5. In Select CA Certificate, click to select and select the root certificate for the issuer of the client certificates.

  6. Click Bind.

Note: You might have to also bind any Intermediate CA Certificates that issued the client certificates.

Configure Citrix Gateway traffic policy for nFactor single sign-on to StoreFront

For single sign-on to StoreFront, nFactor defaults to using the last entered password. If the LDAP password is not the last entered password, then you must create a traffic policy/profile to override the default nFactor behavior.

  1. Navigate to Citrix Gateway > Policies > Traffic.

  2. In Traffic Profiles tab, click Add.

  3. Enter a name for the traffic profile. Select the HTTP protocol. In Single Sign-on, select ON.

  4. In the SSO Expression, enter an HTTP.REQ.USER.ATTRIBUTE(#) expression that matches the indexes specified in the login schema and click Create.

  5. Click Traffic Policies tab, and click Add.

    Enter a name for the policy. Select the traffic profile created in the previous step. In Expression, enter an advanced expression, for example true. Click Create.

  6. Navigate to Citrix Gateway > Citrix Gateway Virtual Server.

    • Select an existing virtual server and click Edit.
    • In the Policies section, click the + sign.
    • In Choose Policy, select Traffic.
    • In Choose Type, select Request.
    • Select the traffic policy that you have created and then click Bind.

Sample snippet on nFactor configuration by using the Citrix ADC CLI

To understand the step-wise configurations for nFactor authentication, let us consider a two-factor authentication deployment where the first factor is LDAP authentication and the second factor is RADIUS authentication.

This sample deployment requires the user to log in to both factors using a single login form. Therefore, we define a single login form that accepts two passwords. The first password is used for LDAP authentication and the other for RADIUS authentication. Here are the configurations that are performed:

  1. Configure the load balancing virtual server for authentication.

    add lb vserver lbvs89 HTTP 1.136.19.55 80 -AuthenticationHost auth56.aaatm.com -Authentication ON

  2. Configure the authentication virtual server.

    add authentication vserver auth56 SSL 10.106.30.223 443 -AuthenticationDomain aaatm.com

  3. Configure the login schema for the login form and bind it to a login schema policy.

    add authentication loginSchema login1 -authenticationSchema login-2passwd.xml -userCredentialIndex 1 -passwordCredentialIndex 2

    add authentication loginSchemaPolicy login1 -rule true -action login1

  4. Configure a login schema for the pass-through and bind it to a policy label.

    add authentication loginSchema login2 -authenticationSchema noschema

    add authentication policylabel label1 -loginSchema login2

  5. Configure the LDAP and RADIUS policies.

    add authentication ldapAction ldapAct1 -serverIP 10.17.103.28 -ldapBase "dc=aaatm, dc=com" -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 81qw1b99ui971mn1289op1abc12542389b1f6c111n0d98e1d78ae90c8545901 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN

    add authentication Policy ldap -rule true -action ldapAct1

    add authentication radiusAction radius -serverIP 10.101.14.3 -radKey n231d9a8cao8671or4a9ace940d8623babca0f092gfv4n5598ngc40b18876hj32 -encrypted -encryptmethod ENCMTHD_3 -radNASip ENABLED -radNASid NS28.50 -radAttributeType 11 -ipAttributeType 8

    add authentication Policy radius -rule true -action radius

  6. Bind the login schema policy to the authentication virtual server.

    bind authentication vserver auth56 -policy login1 -priority 1 -gotoPriorityExpression END

  7. Bind the LDAP policy (first factor) to the authentication virtual server.

    bind authentication vserver auth56 -policy ldap -priority 1 -nextFactor label1 -gotoPriorityExpression next

  8. Bind the RADIUS policy (second factor) to the authentication policy label.

    bind authentication policylabel label1 -policyName radius -priority 2 -gotoPriorityExpression end
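The evaluation order described in "How nFactor works", applied to the CLI sample above, as an added example (not Citrix code): it parses the sample's login schemas, policy label and bindings and walks the factor chain for given LDAP/RADIUS outcomes. The parser understands only the options that appear in the sample, the login schema policy rule is assumed to be true, and the policy/action definitions are left out because the result of each policy's action is supplied as input.

```python
# Added example (not Citrix code): model the evaluation order described in
# "How nFactor works", driven by the authentication lines of the CLI sample above.
import shlex
from collections import namedtuple

# Constructed input: the sample's login schemas, policy label and bindings. The lb
# vserver, SSL settings and the policy/action definitions are omitted; the result
# of each policy's action is supplied to evaluate() as input instead.
SAMPLE_CONFIG = """
add authentication loginSchema login1 -authenticationSchema login-2passwd.xml -userCredentialIndex 1 -passwordCredentialIndex 2
add authentication loginSchemaPolicy login1 -rule true -action login1
add authentication loginSchema login2 -authenticationSchema noschema
add authentication policylabel label1 -loginSchema login2
bind authentication vserver auth56 -policy login1 -priority 1 -gotoPriorityExpression END
bind authentication vserver auth56 -policy ldap -priority 1 -nextFactor label1 -gotoPriorityExpression next
bind authentication policylabel label1 -policyName radius -priority 2 -gotoPriorityExpression end
"""

# goto applies when the policy FAILS (NEXT = try the next bound policy, END = fail);
# next_factor is the policy label evaluated when it SUCCEEDS (None = authentication done).
Binding = namedtuple("Binding", "policy priority goto next_factor")

def _options(tokens):
    """'-flag value' pairs -> dict with lowercase keys; bare flags (e.g. -encrypted) -> True."""
    opts, i = {}, 0
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i].lstrip("-").lower()] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def parse_config(text):
    """Build the factor chain from add/bind lines (only the options used in the sample)."""
    cfg = {"schemas": {}, "schema_policies": {}, "labels": {},
           "vserver_schemas": [], "vserver": [], "label_bindings": {}}
    for line in text.strip().splitlines():
        verb, _, kind, name, *rest = shlex.split(line)
        kind, opts = kind.lower(), _options(rest)
        if verb == "add" and kind == "loginschema":
            cfg["schemas"][name] = opts["authenticationschema"]   # xml file or noschema
        elif verb == "add" and kind == "loginschemapolicy":
            cfg["schema_policies"][name] = opts["action"]
        elif verb == "add" and kind == "policylabel":
            cfg["labels"][name] = opts.get("loginschema")
        elif verb == "bind":
            pol = opts.get("policy") or opts.get("policyname")
            if kind == "vserver" and pol in cfg["schema_policies"]:
                cfg["vserver_schemas"].append(pol)      # login form for the first factor
                continue
            b = Binding(pol, int(opts["priority"]),
                        opts.get("gotopriorityexpression", "END").upper(), opts.get("nextfactor"))
            (cfg["vserver"] if kind == "vserver"
             else cfg["label_bindings"].setdefault(name, [])).append(b)
    return cfg

def evaluate(cfg, outcomes):
    """Walk the chain. `outcomes` maps policy name -> whether its authentication action
    succeeds. Returns (authenticated, trail): the login forms shown and each policy
    result, in evaluation order."""
    trail = [f"show {cfg['schemas'][cfg['schema_policies'][p]]}" for p in cfg["vserver_schemas"]]
    return _factor(cfg, cfg["vserver"], outcomes, trail), trail

def _factor(cfg, bindings, outcomes, trail):
    for b in sorted(bindings, key=lambda x: x.priority):    # lowest priority value first
        ok = outcomes.get(b.policy, False)
        trail.append(f"{b.policy}:{'pass' if ok else 'fail'}")
        if ok:
            if b.next_factor is None:             # no next factor: complete and successful
                return True
            schema = cfg["schemas"].get(cfg["labels"].get(b.next_factor), "noschema")
            if schema != "noschema":              # label has a login schema: the user sees it
                trail.append(f"show {schema}")
            return _factor(cfg, cfg["label_bindings"].get(b.next_factor, []), outcomes, trail)
        if b.goto != "NEXT":                      # END: stop and mark as failed
            return False
    return False                                  # no bound policy in this factor succeeded
```

With the sample, only login-2passwd.xml is shown once (label1 uses noschema), so a RADIUS failure yields a failed authentication without a second form.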