Configure post-authentication Endpoint Analysis scan as a factor in Citrix ADC nFactor authentication
On Citrix Gateway, Endpoint Analysis (EPA) can be configured to check if a user device meets certain security requirements and accordingly allow internal resources access to the user. The Endpoint Analysis plug-in downloads and installs on the user device when users log on to Citrix Gateway for the first time. If a user does not install the Endpoint Analysis plug-in on the user device or chooses to skip the scan, the user cannot log on with the Citrix Gateway plug-in. Optionally, users can be put in a quarantine group where the user gets limited access to internal network resources.
Previously post-EPA was configured as part of session policy. Now it can be linked to nFactor providing more flexibility, as to when it can be performed.
In this topic, EPA scan is used as a final check in a nFactor or multifactor authentication.
User tries to connect to Citrix Gateway virtual IP address. A simple login page with user name and password field is rendered to user to provide login credentials. With these credentials, LDAP or AD-based authentication is performed at the back end. If successful, user is presented with a popup message to authorize EPA scan. Once user authorizes, EPA scan is performed and based on the success or failure of user client settings, user is provided access.
It is assumed that following configuration are in place.
- VPN virtual server/gateway and authentication virtual server configurations
- LDAP server configurations and associated policies
Note: The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.
The following image shows mapping of policies and policy label. This is the approach used for configuration, but from right to left.
Perform the following by using the CLI
Create an action to perform EPA scan and associate it with an EPA scan policy.
add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr (\"app_0_MAC-BROWSER_1001_VERSION_<=_10.0.3\")||sys.client_expr(\"os_0_win7_sp_1\")"
The above expression scans if macOS users have browser version less than 10.0.3 or if Windows 7 users have Service pack 1 installed.
add authentication Policy EPA-check -rule true -action EPA-client-scan
Configure policy label post-ldap-epa-scan that hosts the policy for EPA scan.
add authentication policylabel post-ldap-epa-scan -loginSchema LSCHEMA_INT
Note: LSCHEMA_INT is an in-built schema with no schema (noschema), meaning no additional webpage is presented to user at this step.
Associate policy configured in step 1 with policy label configured in step 2.
bind authentication policylabel post-ldap-epa-scan -policyName EPA-check - priority 100 -gotoPriorityExpression END
Configure ldap-auth policy to and associate it with an LDAP policy which is configured to authenticate with a particular LDAP server.
add authentication Policy ldap-auth -rule true -action ldap_server1
where ldap_server1 is LDAP policy and ldap-auth is the policy name
Associate ldap-auth policy to authentication, authorization, and auditing virtual server with next step pointing to policy label post-ldap-epa-scan to perform EPA scan.
bind authentication vserver MFA_AAA_vserver -policy ldap-auth -priority 100 -nextFactor post-ldap-epa-scan -gotoPriorityExpression NEXT
Note: Pre-authentication EPA scan is always performed as the first step in nFactor authentication. Post-authentication EPA scan is always performed as the last step in nFactor authentication. EPA scans cannot be performed in between a nFactor authentication.
Configuring using the nFactor Visualizer
The above configuration can also be performed using nFactor Visualizer, which is a feature available on firmware 13.0 and later.
NAvigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
Click + to add the nFactor flow.
Add a factor. The name that you enter is the name of the nFactor flow.
Click Add Schema to add a schema for the first factor and then click Add.
Click Add Policy to add the LDAP policy. If the LDAP policy is already created, you can select the same.
Note: You can create an LDAP policy. Click Add and in the Action field, select LDAP. For more details about adding an LDAP server, see https://support.citrix.com/article/CTX123782)
Click + to add the EPA factor.
Leave the Add Schema section blank, to have the default no schema applied for this factor. Click Add policy to add the post auth EPA policy and action.
After the nFactor flow is complete, bind this flow to the authentication, authorization, and auditing virtual server.