nFactor Visualizer for simplified configuration
Starting from Citrix ADC release 13.0 build 36.27, nFactor configuration through GUI is simplified by using the nFactor Visualizer. The nFactor Visualizer helps admins add multiple factors without losing track of each factor and displays the group of factors that are built in the flow in one place. Admins can add authentication success and failure paths separately. The authentication itself fails in the failure path. After creating the flow, admins have to bind the nFactor Flow to an authentication virtual server.
All factors that an admin creates in an nFactor flow are retained for future use.
Previously, nFactor configuration was cumbersome: admins had to visit many pages to configure it, and whenever a change was required they had to revisit each configured section. There was also no way to view the complete configuration in one place.
Use case: LDAP authentication as the first factor, followed by RADIUS for the AD partner group and certificate authentication for the AD employee group. If LDAP fails, authentication must fall back to AD plus Captcha.
To achieve this use case, you can use the nFactor Visualizer. The Visualizer provides various controls that can be used to add this flow and the related items.
The following figure displays the nFactor flow created for the previously mentioned use case by using the Visualizer.
- LDAP. You configure LDAP as the first factor and add a login schema and a policy to it. In this example, SingleAuth is the login schema and LDAP_Policy is the policy. For LDAP_Policy, you can add another factor for the success case; in this example, a decision block is added for the success case. For the failure case, you can add a Captcha factor followed by an AD factor.
- Group Extraction LDAP. This is the decision block added for the LDAP success case. A decision block is a branch-out factor that routes users according to its policy rules. The Visualizer allows only NO_AUTHN policies in a decision block.
  In this example, Group_Extraction_LDAP is the decision block, and you add two policies (AD_Group_Partner and AD_Group_Employee) to it. As described in the use case, all requests routed through the AD_Group_Partner policy use RADIUS authentication, so you connect the success case of this policy to the next factor, the RADIUS factor. Similarly, all requests routed through the AD_Group_Employee policy use certificate authentication, so you connect the success case of this policy to the next factor, the Certificate Authentication factor.
  - RADIUS Authentication. For the AD_Group_Partner policy success case, you create a RADIUS Authentication factor.
  - Certificate Authentication. For the AD_Group_Employee policy success case, you create a Certificate Authentication factor.
- Captcha. For the LDAP policy failure case, you create two next factors, Captcha followed by AD.
- If your use case must branch out at the very first step, you can either create two flows and bind them separately, or create one flow whose first factor is the branch-out block and bind that flow to the virtual server.
- If the flow has many blocks and you want to view the entire flow on the nFactor Flow screen, click Visualizer and drag the flow to the far left.
- Citrix recommends that you modify nFactor flows only from the nFactor Flows page.
To configure nFactor by using the nFactor Visualizer
- Navigate to Security > AAA – Application Traffic > nFactor Visualizer > nFactor Flows.
- Click Add.
- On the nFactor Flow page, click + to add the first factor of the flow. The first factor also serves as the identifier for this nFactor flow.
- Enter the factor name and click Create. The factor name appears on the factor block on the nFactor Flow page.
  Note: Citrix recommends that you do not use policy label names such as ‘root’ and ‘’ as a suffix, or ‘_db_’ as a prefix; these are used for the factor names that are created in an nFactor flow.
- Click Add Schema. You can create a login schema or select an existing one.
- Click Add Policy. You can create an authentication policy or select an existing one. After you add a login schema and a policy to the factor, both appear on the factor in the Visualizer, as displayed in the following figure. For any given factor, you can add multiple policies and define the next factor for the success and the failure of each policy. You can also remove policies from the factor.
- After you create the flow, bind it to an authentication virtual server.
Adding the next factor
To add the next factor, you can select one of the following options as per your requirement:
- Create Factor. Creates a new factor. Each factor created in a flow is exclusive to that flow.
- Create decision block. Creates a decision block to serve as a branch-out factor. You cannot add a login schema to a decision block, and the Visualizer allows only NO_AUTHN policies in it.
- Connect to an existing Factor. Selects an existing factor as the next factor. The list shows only the factors that were created for this flow.
- None. Removes an existing connection.
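The use-case flow above and the rules the Visualizer enforces (a decision block takes only NO_AUTHN policies and no login schema, every policy in a factor has its own success and failure next factor, factor names should avoid ‘root’ and a ‘_db_’ prefix) can be checked mechanically. The following Python model is an added example, not Citrix code and not anything the Visualizer itself produces; the class names, and the policy and schema names that the text does not give (RADIUS_Policy, Cert_Policy, Captcha_Policy, AD_Policy, Captcha_Schema), are assumptions. It builds the flow from the figure, validates it against those rules, and enumerates every path a user can take through the factors, including the Captcha-then-AD fallback on LDAP failure.

```python
"""Added example (not Citrix code): a small model of an nFactor flow as the
Visualizer presents it. Class and field names are hypothetical; the sample
flow reproduces the documented use case (LDAP first, a group-extraction
decision block, RADIUS or certificate as the second factor, Captcha then AD
on LDAP failure). Policy and schema names the text does not give are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Policy:
    name: str
    action: str                       # e.g. "LDAP", "RADIUS", "CERT", "CAPTCHA", "NO_AUTHN"
    on_success: Optional[str] = None  # next factor on success; None ends the flow
    on_failure: Optional[str] = None  # next factor on failure; None means authentication fails


@dataclass
class Factor:
    name: str
    login_schema: Optional[str] = None
    policies: List[Policy] = field(default_factory=list)
    is_decision_block: bool = False   # branch-out factor: NO_AUTHN policies only, no schema


@dataclass
class NFactorFlow:
    first_factor: str
    factors: Dict[str, Factor]

    def validate(self) -> List[str]:
        """Return the Visualizer rules from the text that this flow breaks (empty list = OK)."""
        problems: List[str] = []
        if self.first_factor not in self.factors:
            problems.append(f"first factor {self.first_factor!r} is not defined")
        for f in self.factors.values():
            # Naming guidance: 'root' and a '_db_' prefix are used for generated factor names.
            if f.name == "root" or f.name.startswith("_db_"):
                problems.append(f"factor {f.name!r} uses a reserved name")
            if f.is_decision_block and f.login_schema is not None:
                problems.append(f"decision block {f.name!r} cannot have a login schema")
            for p in f.policies:
                if f.is_decision_block and p.action != "NO_AUTHN":
                    problems.append(f"decision block {f.name!r}: policy {p.name!r} must be NO_AUTHN")
                for nxt in (p.on_success, p.on_failure):
                    if nxt is not None and nxt not in self.factors:
                        problems.append(f"policy {p.name!r} points to unknown factor {nxt!r}")
        return problems

    def paths(self) -> List[str]:
        """List every chain of factors reachable from the first factor, following
        both the success and the failure edge of each policy; a chain ends at a
        factor that has no outgoing edge."""
        out: List[str] = []

        def walk(name: str, visited: List[str], labels: List[str]) -> None:
            factor = self.factors[name]
            edges = [(p, outcome, nxt) for p in factor.policies
                     for outcome, nxt in (("success", p.on_success), ("failure", p.on_failure))
                     if nxt is not None and nxt not in visited]  # skip loops
            if not edges:
                out.append(" -> ".join(labels + [name]))
                return
            for p, outcome, nxt in edges:
                walk(nxt, visited + [name], labels + [f"{name}[{p.name}:{outcome}]"])

        walk(self.first_factor, [], [])
        return out


def documented_flow() -> NFactorFlow:
    """The flow from the text. RADIUS_Policy, Cert_Policy, Captcha_Policy, AD_Policy
    and Captcha_Schema are constructed names; the text does not name them."""
    factors = [
        Factor("LDAP", "SingleAuth",
               [Policy("LDAP_Policy", "LDAP", "Group_Extraction_LDAP", "Captcha")]),
        Factor("Group_Extraction_LDAP", None,
               [Policy("AD_Group_Partner", "NO_AUTHN", "RADIUS_Authentication"),
                Policy("AD_Group_Employee", "NO_AUTHN", "Certificate_Authentication")],
               is_decision_block=True),
        Factor("RADIUS_Authentication", "SingleAuth", [Policy("RADIUS_Policy", "RADIUS")]),
        Factor("Certificate_Authentication", None, [Policy("Cert_Policy", "CERT")]),
        Factor("Captcha", "Captcha_Schema", [Policy("Captcha_Policy", "CAPTCHA", "AD")]),
        Factor("AD", "SingleAuth", [Policy("AD_Policy", "LDAP")]),
    ]
    return NFactorFlow("LDAP", {f.name: f for f in factors})


if __name__ == "__main__":
    flow = documented_flow()
    print("violations:", flow.validate())
    for chain in flow.paths():
        print(chain)
```

Running the block prints an empty violation list and three chains: the two success paths that end at the RADIUS and Certificate factors, and the LDAP failure path through Captcha to AD. Swapping a decision-block policy's action to LDAP, or giving the block a login schema, shows up in `validate()` before the flow is ever bound to a virtual server.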
To bind the nFactor flow to an authentication virtual server
- On the nFactor Flows page, select the nFactor flow that you want to bind to an authentication virtual server.
- Click the hamburger icon and select Bind to Authentication Server, or click Bind to Authentication Server in the details pane.
- On the Bind to Authentication Server page, you can add a new authentication server or edit an existing one.
- To view the bindings, click Show Bindings from the hamburger icon. On the Authentication Server Bindings page, select the policy to unbind and click Unbind. Click Close.
- On the Bind to Authentication Server page, select the existing authentication server from the drop-down list and click Create. To create a new authentication virtual server, click Add.
The following is a sample nFactor flow illustrated through animation.
For more information on nFactor authentication, see the following topics: