
Two factor authentication for system users and external users

Two factor authentication is a security mechanism in which a Citrix ADC appliance authenticates a system user at two authentication levels. The appliance grants the user access only after both levels have successfully validated the user's passwords. If a user is authenticated locally, the user profile must exist in the Citrix ADC database. If the user is authenticated externally, the user name and password must match the user identity registered on the external authentication server.

Note

The two factor authentication feature works only on Citrix ADC 12.1 build 51.16 and later.

How two factor authentication works

Consider a user trying to log on to a Citrix ADC appliance. The requested application server sends the user name and password to the first external authentication server (RADIUS, TACACS, LDAP, or AD). Once the user name and password are validated, the user is prompted for a second level of authentication and can now provide the second password. Only if both passwords are correct is the user allowed to access the Citrix ADC appliance. The following diagram illustrates how two-factor authentication works for a Citrix ADC appliance.

[Figure: Two-factor authentication]

You can configure two-factor authentication for external and system users on a Citrix ADC appliance in different ways. The following are the configuration scenarios covered in this topic:

  1. Two factor authentication (2FA) across Citrix ADC GUI, CLI, API, and SSH.
  2. External authentication enabled and local authentication disabled for system users.
  3. External authentication enabled with policy based local authentication for system users.
  4. External authentication disabled for system users with local authentication enabled.
  5. External authentication enabled and local authentication enabled for system users.
  6. External authentication enabled for selected LDAP users.

Use case 1: Two factor authentication (2FA) across Citrix ADC, GUI, CLI, API and SSH interfaces

Two-factor authentication is enabled and available across all Citrix ADC management access for GUI, API, and SSH.

Use case 2: Two factor authentication supported on external authentication servers such as LDAP, RADIUS, Active Directory and TACACS

You can configure two-factor authentication on the following external authentication servers for first-level and second-level user authentication.

  • RADIUS
  • LDAP
  • Active Directory
  • TACACS

Use case 3: External authentication enabled and local authentication disabled for system users

You begin the authentication process by enabling the external authentication option and disabling local authentication for system users.

[Figure: External authentication enabled and local authentication disabled for system users]

Complete the following steps by using the command line interface:

  1. Add authentication action for LDAP policy
  2. Add authentication policy for LDAP policy
  3. Add authentication action for RADIUS policy
  4. Add authentication policy for RADIUS policy
  5. Add authentication login schema
  6. Add and bind authentication policy label to RADIUS server
  7. Bind system global authentication for LDAP policy
  8. Disable local authentication in system parameter

Add authentication action for LDAP server (first level authentication)

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapbase <> -ldapbinddn <binddn name> -ldapbinddnpassword <password> -ldaploginname <loginname> -groupattrname <grp attribute name> -subAttributename <string> -ssoNameAttribute <string>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name

Add authentication policy for LDAP server (first level authentication)

At the command prompt, type:

add authentication policy <ldap policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Add authentication action for RADIUS server (second level authentication)

At the command prompt, type:

add authentication radiusaction <rad action name> -serverip <rad server ip> -radkey <key> -radVendorID <ID> -radAttributeType <rad attribute type>

Example:

add authentication radiusaction radact1 -serverip 1.1.1.1 -radkey 123 -radVendorID 1234 -radAttributeType 2

Add authentication policy for RADIUS server (second level authentication)

At the command prompt, type:

add authentication policy <radius policy name> -rule true -action <rad action name>

Example:

add authentication policy radpol11 -rule true -action radact1

Add authentication login schema

You can use the “SingleAuth.xml” login schema for system users to provide the second password for the Citrix ADC appliance. At the command prompt, type:

add authentication loginSchema <login schema name> -authenticationSchema LoginSchema/SingleAuth.xml

Example:

add authentication loginSchema radschema -authenticationSchema LoginSchema/SingleAuth.xml

Add and bind authentication policy label to RADIUS server

At the command prompt, type:

add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>][-loginSchema <string>]

bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>][-nextFactor <string>]

Example:

add authentication policylabel label1 -type RBA_REQ -loginSchema radschema

bind authentication policylabel label1 -policyName radpol11 -priority 1

Bind authentication system global for LDAP policy

At the command prompt, type:

bind system global <ldap policy name> -priority <priority> -nextFactor <policy label name>

Example:

bind system global pol1 -priority 1 -nextFactor label1

Disable local authentication in system parameter

At the command prompt, type:

set system parameter -localauth disabled

Use case 4: External authentication enabled for system user with local authentication policy attached

In this scenario, the user is allowed to log on to the appliance using two-factor authentication with local authentication policy evaluation at the second level of user identification.

[Figure: External authentication enabled for system user with local authentication policy attached]

Complete the following steps by using the command line interface.

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP policy
  3. Add local authentication policy
  4. Add authentication policy label
  5. Bind LDAP policy as system global
  6. Disable local authentication in system parameter

Add authentication action for LDAP server (first level authentication)

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapbase <> -ldapbinddn <binddn name> -ldapbinddnpassword <password> -ldaploginname <loginname> -groupattrname <grp attribute name> -subAttributename <string> -ssoNameAttribute <string>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name

Add authentication policy for LDAP server (first level authentication)

At the command prompt, type:

add authentication policy <ldap policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Add local authentication policy for system users (second level authentication)

At the command prompt, type:

add authentication policy <policy> -rule <rule> -action <action name>

Example:

add authentication policy local_policy -rule true -action LOCAL

Add and bind authentication policy label

At the command prompt, type:

add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>][-loginSchema <string>]

bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>][-nextFactor <string>]

Note

For management access, the policy type must be RBA_REQ.

Example:

add authentication policylabel label1 -type RBA_REQ -loginSchema radschema

bind authentication policylabel label1 -policyName local_policy -priority 1 -gotoPriorityExpression NEXT

Disable local authentication in system parameter

At the command prompt, type:

set system parameter -localauth disabled

Use case 5: External authentication disabled and local authentication enabled for system user

If the user has “externalAuth” disabled, it indicates that the user does not exist on the authentication server. The user is not authenticated against the external authentication server even if a user with the same user name exists on that server; the user is authenticated locally.

[Figure: External authentication disabled and local authentication enabled for system user]

To enable system user password and disable external authentication

At the command prompt, type the following:

add system user <name> <password> -externalAuth DISABLED

Example:

add system user user1 password1 -externalAuth DISABLED

Use case 6: External authentication enabled and local authentication enabled for system users

In this scenario, the appliance authenticates system users by using a local password. If this authentication fails, the user is then authenticated by using an external authentication password on the external authentication servers at two levels.

[Figure: External authentication enabled and local authentication enabled for system users]

Configure the following steps by using the CLI.

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP policy
  3. Add authentication action for RADIUS policy
  4. Add authentication policy for RADIUS policy
  5. Add authentication login schema
  6. Add authentication policy label
  7. Bind authentication policy label for login schema
  8. Bind authentication system global for RADIUS policy
  9. Bind authentication system global for LDAP policy

Add authentication action for LDAP server

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapbase <> -ldapbinddn <binddn name> -ldapbinddnpassword <password> -ldaploginname <loginname> -groupattrname <grp attribute name> -subAttributename <> -ssoNameAttribute <>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name

Add authentication policy for LDAP policy

At the command prompt, type:

add authentication policy <policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Add authentication action for RADIUS server

At the command prompt, type:

add authentication radiusaction <rad action name> -serverip <rad server ip> -radkey <key> -radVendorID <ID> -radAttributeType <rad attribute type>

Example:

add authentication radiusaction radact1 -serverip 1.1.1.1 -radkey 123 -radVendorID 1234 -radAttributeType 2

Add advanced authentication policy for RADIUS server

At the command prompt, type:

add authentication policy <policy name> -rule true -action <rad action name>

Example:

add authentication policy radpol11 -rule true -action radact1

Add authentication login schema

You can use the SingleAuth.xml login schema to display the login page and authenticate the system user at the second level authentication.

At the command prompt, type:

add authentication loginSchema <name> -authenticationSchema <string>

Example:

add authentication loginSchema radschema -authenticationSchema LoginSchema/SingleAuth.xml

Add and bind authentication policy label to RADIUS authentication policy for user login

At the command prompt, type:

add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>][-loginSchema <string>]

bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>][-nextFactor <string>]

Example:

add authentication policylabel label1 -type RBA_REQ -loginSchema radschema

bind authentication policylabel label1 -policyName radpol11 -priority 1

Bind authentication policy global

At the command prompt, type:

bind system global [<policyName> [-priority <positive_integer>] [-nextFactor <string>] [-gotoPriorityExpression <expression>]]

Example:

bind system global radpol11 -priority 1 -nextFactor label1

Use case 7: External authentication enabled for selected external users only

To configure selective external users with two-factor authentication as per the search filter configured in the LDAP action while other system users are authenticated using single factor authentication.

Configure the following steps by using the CLI.

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP policy
  3. Add authentication action for RADIUS policy
  4. Add authentication policy for RADIUS policy
  5. Add authentication login schema
  6. Add authentication policy label
  7. Bind authentication policy label for login schema
  8. Bind authentication system global for RADIUS policy

Add authentication action for LDAP server

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapbase <> -ldapbinddn <binddn name> -ldapbinddnpassword <password> -ldaploginname <loginname> -groupattrname <grp attribute name> -subAttributename <> -ssoNameAttribute <>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -ssoNameAttribute name

Add authentication policy for LDAP policy

At the command prompt, type:

add authentication policy <policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Add authentication action for RADIUS server

At the command prompt, type:

add authentication radiusaction <rad action name> -serverip <rad server ip> -radkey <key> -radVendorID <ID> -radAttributeType <rad attribute type>

Example:

add authentication radiusaction radact1 -serverip 1.1.1.1 -radkey 123 -radVendorID 1234 -radAttributeType 2

Add advanced authentication policy for RADIUS server

At the command prompt, type:

add authentication policy <policy name> -rule true -action <rad action name>

Example:

add authentication policy radpol11 -rule true -action radact1

Add authentication login schema

You can use the SingleAuth.xml login schema to provide the login page for the appliance to authenticate a system user at a second level of authentication.

At the command prompt, type:

add authentication loginSchema <name> -authenticationSchema <string>

Example:

add authentication loginSchema radschema -authenticationSchema LoginSchema/SingleAuth.xml

Add and bind authentication policy label to RADIUS authentication policy for user login

At the command prompt, type:

add authentication policylabel <labelName> [-type ( AAATM_REQ | RBA_REQ )] [-comment <string>][-loginSchema <string>]

bind authentication policylabel <labelName> -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>][-nextFactor <string>]

Example:

add authentication policylabel label1 -type RBA_REQ -loginSchema radschema

bind authentication policylabel label1 -policyName radpol11 -priority 1

Bind authentication policy global

At the command prompt, type:

bind system global [<policyName> [-priority <positive_integer>] [-nextFactor <string>] [-gotoPriorityExpression <expression>]]

Example:

bind system global radpol11 -priority 1 -nextFactor label1

To configure without two-factor authentication for group users using the search filter:

  1. Add authentication action for LDAP server
  2. Add authentication policy for LDAP server
  3. Bind authentication system global for LDAP server

Add authentication action for LDAP server

At the command prompt, type:

add authentication ldapaction <ldap action name> -serverip <IP> -ldapbase <> -ldapbinddn <binddn name> -ldapbinddnpassword <password> -ldaploginname <loginname> -groupattrname <grp attribute name> -subAttributename <> -searchFilter <>

Example:

add authentication ldapaction ldapact1 -serverip 1.1.1.1 -ldapbase base -ldapbindDn name -ldapbindDNpassword password -ldapLoginName name -groupAttrName name -subAttributeName name -searchFilter "memberOf=CN=grp4,CN=Users,DC=aaatm-test,DC=com"

Add authentication policy for LDAP server

At the command prompt, type:

add authentication policy <policy name> -rule true -action <ldap action name>

Example:

add authentication policy pol1 -rule true -action ldapact1

Bind authentication system global for LDAP policy

At the command prompt, type:

bind system global <ldap policy name> -priority <priority> [-nextFactor <policy label name>]

Example:

bind system global pol1 -priority 1
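The CLI procedures in use cases 3 through 7 are easy to get subtly wrong (a -nextFactor that names a label never created, a first-factor policy bound globally with no next factor, a label of the wrong type for management access, local authentication left on). The following added example, written for this topic and not Citrix code, reads such commands from constructed config text and reports those conditions; the sample configs below are constructed, the first mirroring use case 3 and the second containing the mistakes the audit is meant to catch.

```python
import shlex

def _opt(tokens, name):
    """Value following CLI option `name` (option names are case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    i = low.index(name.lower()) if name.lower() in low else len(low)
    return tokens[i + 1] if i + 1 < len(tokens) else None

def parse_config(text):
    """Collect the add/bind/set lines this audit needs into a dict; everything else is ignored."""
    cfg = {"policies": set(), "labels": {}, "label_bindings": {}, "global": [],
           "localauth": "ENABLED"}  # ENABLED assumed until a 'set system parameter' line says otherwise
    for line in text.splitlines():
        t = shlex.split(line)
        if len(t) < 4:
            continue
        head = tuple(x.lower() for x in t[:3])
        if head == ("add", "authentication", "policy"):
            cfg["policies"].add(t[3])
        elif head == ("add", "authentication", "policylabel"):   # -type omitted -> None
            cfg["labels"][t[3]] = (_opt(t, "-type") or "").upper() or None
        elif head == ("bind", "authentication", "policylabel"):
            cfg["label_bindings"].setdefault(t[3], []).append(_opt(t, "-policyName"))
        elif head == ("bind", "system", "global"):   # (policy, -nextFactor label or None)
            cfg["global"].append((t[3], _opt(t, "-nextFactor")))
        elif head == ("set", "system", "parameter") and _opt(t, "-localauth"):
            cfg["localauth"] = _opt(t, "-localauth").upper()
    return cfg

def audit(cfg):
    """Return findings as strings; an empty list means every global binding leads to a usable second factor."""
    findings = []
    for label, typ in cfg["labels"].items():
        if typ != "RBA_REQ":
            findings.append(f"policy label {label} has type {typ or 'unset'}; management access requires RBA_REQ")
        if not any(p in cfg["policies"] for p in cfg["label_bindings"].get(label, [])):
            findings.append(f"policy label {label} has no existing authentication policy bound to it")
    for policy, nxt in cfg["global"]:
        if nxt is None:
            findings.append(f"policy {policy} is bound to system global without -nextFactor: single-factor access")
        elif nxt not in cfg["labels"]:
            findings.append(f"policy {policy} names -nextFactor {nxt}, but that policy label does not exist")
    if cfg["localauth"] != "DISABLED":
        findings.append("-localauth is not DISABLED: system users can still log on with a local password")
    return findings

# Constructed sample mirroring use case 3 (LDAP first factor, RADIUS second factor, local auth off).
GOOD_CONFIG = """
add authentication policy pol1 -rule true -action ldapact1
add authentication policy radpol11 -rule true -action radact1
add authentication policylabel label1 -type RBA_REQ -loginSchema radschema
bind authentication policylabel label1 -policyName radpol11 -priority 1
bind system global pol1 -priority 1 -nextFactor label1
set system parameter -localauth disabled
"""
# Constructed sample with the mistakes to catch: wrong label type, -nextFactor naming a label that
# was never created, a first factor bound with no next factor, and local authentication still on.
BAD_CONFIG = """
add authentication policy pol1 -rule true -action ldapact1
add authentication policy radpol11 -rule true -action radact1
add authentication policylabel label1 -type AAATM_REQ -loginSchema radschema
bind authentication policylabel label1 -policyName radpol11 -priority 1
bind system global pol1 -priority 1 -nextFactor label11
bind system global radpol11 -priority 2
"""
```

Run `audit(parse_config(text))` on the output of `show ns runningConfig` saved to a file; it only inspects the command forms shown in this topic.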

Display customized prompt message for two factor authentication

The second-factor password field is defined in the SingleAuth.xml file at /flash/nsconfig/loginschema/LoginSchema.

The following snippet of a SingleAuth.xml file shows ‘SecondPassword:’, the name of the second password field that prompts the user to enter a second password.

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status>
<Result>more-info</Result>
<StateContext/>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>singleauth_user_name</Text><Type>nsg-login-label</Type></Label><Input><AssistiveText>singleauth_please_supply_either_domain\username_or_user@fully.qualified.domain</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>SecondPassword:</Text><Type>nsg-login-label</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>singleauth_first_factor</Text><Type>nsg_confirmation</Type></Label><Input/></Requirement>
<Requirement><Credential><ID>saveCredentials</ID><Type>savecredentials</Type></Credential><Label><Text>singleauth_remember_my_password</Text><Type>nsg-login-label</Type></Label><Input><CheckBox><InitialValue>false</InitialValue></CheckBox></Input></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>singleauth_log_on</Button></Input></Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>
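To change the prompt safely, here is an added example (Python, not Citrix code) that works on the AuthenticateResponse document shown above: it lists the credential requirements in a login schema and replaces the label text of the passwd requirement, refusing to touch any field that is not a masked password credential so that a cosmetic prompt change cannot leave the second password in clear text. The embedded schema is a constructed, trimmed copy of the snippet above; the new prompt text and the `set_second_password_prompt` function name are this example's own.

```python
import xml.etree.ElementTree as ET

NS = "http://citrix.com/authentication/response/1"
ET.register_namespace("", NS)  # serialize with the default namespace, not ns0: prefixes

def _q(tag):
    """Qualify a tag name with the AuthenticateResponse namespace."""
    return f"{{{NS}}}{tag}"

def list_requirements(xml_text):
    """Return [(credential ID, credential type, label text)] for every <Requirement>."""
    root = ET.fromstring(xml_text)
    out = []
    for req in root.iter(_q("Requirement")):
        cred = req.find(_q("Credential"))
        out.append((cred.findtext(_q("ID"), default=""),
                    cred.findtext(_q("Type"), default=""),
                    req.findtext(f"{_q('Label')}/{_q('Text')}", default="")))
    return out

def set_second_password_prompt(xml_text, new_label, cred_id="passwd"):
    """Return the schema with the prompt of credential `cred_id` replaced by `new_label`.

    Refuses when the target is not a password credential or its input is not masked
    (<Secret>true</Secret>), so the edit can never weaken how the second password is collected.
    """
    root = ET.fromstring(xml_text)
    for req in root.iter(_q("Requirement")):
        cred = req.find(_q("Credential"))
        if cred is None or cred.findtext(_q("ID")) != cred_id:
            continue
        if cred.findtext(_q("Type")) != "password":
            raise ValueError(f"{cred_id} is not a password credential")
        if req.findtext(f"{_q('Input')}/{_q('Text')}/{_q('Secret')}") != "true":
            raise ValueError(f"{cred_id} input is not masked (Secret must be true)")
        req.find(f"{_q('Label')}/{_q('Text')}").text = new_label
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"no requirement with credential ID {cred_id}")

# Constructed, trimmed copy of the SingleAuth.xml snippet above.
SAMPLE_SCHEMA = f"""<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="{NS}">
<Status>success</Status><Result>more-info</Result><StateContext/>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<Requirements>
<Requirement><Credential><ID>login</ID><Type>username</Type></Credential><Label><Text>singleauth_user_name</Text><Type>nsg-login-label</Type></Label><Input><Text><Secret>false</Secret><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>passwd</ID><Type>password</Type></Credential><Label><Text>SecondPassword:</Text><Type>nsg-login-label</Type></Label><Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>singleauth_log_on</Button></Input></Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>
"""
```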

Configuring two-factor authentication by using the Citrix ADC GUI

  1. Log on to the Citrix ADC appliance.
  2. Go to System > Authentication > Advanced Policies > Policy.
  3. Click Add to create the first level authentication policy.
  4. In the Create Authentication Policy page, set the following parameters.
    1. Name. Name of the policy.
    2. Action Type. Select the action type: LDAP, Active Directory, RADIUS, TACACS, and so on.
    3. Action. The authentication action (profile) to associate with the policy. You can choose an existing authentication action, or click the + icon to create an action of the proper type.
    4. Expression. Provide an advanced policy expression.
  5. Click Create and then Close.
  6. Click Add to create the second level authentication policy.
  7. In the Create Authentication Policy page, set the following parameters:
    1. Name. Name of the policy.
    2. Action Type. Select the action type: LDAP, Active Directory, RADIUS, TACACS, and so on.
    3. Action. The authentication action (profile) to associate with the policy. You can choose an existing authentication action, or click the + icon to create an action of the proper type.
    4. Expression. Provide an advanced policy expression.
  8. Click Create and then Close.
  9. In the Authentication Policies page, click Global Binding.
  10. In the Create Global Authentication Policy Binding page, select the first level authentication policy, and click Add Binding.
  11. In the Policy Binding page, select the authentication policy and set the following policy binding parameter.
    1. Next Factor. Select the second level authentication policy label.
  12. Click Bind and Close.

    [Figure: GUI configuration for two factor authentication for system users]

  13. Click Done.
  14. Log on to the Citrix ADC appliance for the second level authentication. The user can now provide the second password. Only if both passwords are correct is the user allowed to access the Citrix ADC appliance.

Note

The TACACS configured for a second factor authentication does not support authorization and accounting even if you enable it on the “tacacsAction” command. The second factor is used for the authentication purpose only.

See also the Two factor authentication section in the Citrix ADC nFactor authentication topic.