Citrix ADC

Polling during authentication

Starting from Citrix ADC release build 13.0.79.64, a Citrix ADC appliance can be configured for Polling mechanism during multifactor authentication.

If Polling is configured on a Citrix ADC appliance, endpoints (like a web browser or an app) can poll (probe) the appliance during authentication at the configured intervals to get the status of the submitted authentication request.

Polling can be configured to handle authentications when an endpoint drops a TCP connection while authenticating with a Citrix ADC appliance.

Points to note

  • The Polling configuration is supported for LDAP, RADIUS, and TACACS authentication methods.

  • The endpoint can poll (probe) for the status of an authentication request from the second factor onwards; the first factor is not pollable.

Why configure Polling?

Sometimes while authenticating, switching between apps (for example a login app and an authenticator app) causes the endpoint to lose its TCP connection to the Citrix ADC appliance, which breaks the authentication flow and forces the user to start over. With Polling configured, the endpoint can reconnect and pick up the pending authentication instead.

Understanding the Polling mechanism

The Polling mechanism enables a Citrix ADC appliance to resume an ongoing authentication with the endpoint without restarting the authentication process in the rare case of a TCP connection reset at the endpoint.

The following is an example of the flow of events during authentication without Polling configured.

[Figure: authentication flow without Polling]

  1. An endpoint (app or web browser) authenticates with credentials.
  2. The user name and password are verified against an existing first factor directory (LDAP/Active Directory).
  3. If the correct credentials are supplied, the authentication moves to the next factor.
  4. At this point, the Citrix ADC appliance sends a request to the RADIUS Push server.
  5. While the Citrix ADC appliance waits for a response from the RADIUS server, the endpoint drops the TCP connection.
  6. The Citrix ADC appliance receives a response from the RADIUS Push server.
  7. As no client TCP connection is found, the Citrix ADC appliance drops the session and the login fails.

The following is an example of the flow of events during authentication with Polling configured.

[Figure: authentication flow with Polling]

  1. An endpoint (app or web browser) authenticates with credentials.
  2. The user name and password are verified against an existing first factor directory (LDAP/Active Directory).
  3. If the correct credentials are supplied, the authentication moves to the next factor.
  4. At this point, the Citrix ADC appliance sends a request to the RADIUS Push server.
  5. While the Citrix ADC appliance waits for a response from the RADIUS server, the endpoint drops the TCP connection.
  6. The endpoint sends a poll (probe) to the Citrix ADC appliance to check the authentication status.
  7. Because the Citrix ADC appliance has not yet received a response from the RADIUS server, it asks the endpoint to continue polling.
  8. The Citrix ADC appliance receives a response from the RADIUS Push server.
  9. Because no client TCP connection is found, the Citrix ADC appliance saves the session state instead of dropping it.
  10. The endpoint polls again to check the authentication status.
  11. The Citrix ADC appliance establishes the session from the saved state and the login succeeds.
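To make the difference between the two sequences concrete, the following is an added toy model of the appliance's second-factor handling. It is illustration code written for this page, not Citrix's implementation: ToyADC, Status, run_scenario, the session identifier and the user directory are all assumptions, and the state machine does only what the two event lists above describe. Replaying the same events with and without Polling shows why the first flow fails and the second succeeds, and what a poll returns while the RADIUS answer is still outstanding.

```python
"""Toy model of the nFactor second-factor flow with and without Polling.

Added illustration only (not Citrix ADC code). It follows the two event
sequences described on this page; names and sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Status(str, Enum):
    PENDING = "pending"            # RADIUS push request outstanding
    CONTINUE_POLLING = "continue"  # appliance asks the endpoint to poll again
    SUCCESS = "success"
    FAILED = "failed"


@dataclass
class AuthSession:
    session_id: str
    client_connected: bool = True          # endpoint's TCP connection still open
    radius_result: Optional[bool] = None   # None until the push server answers
    state_saved: bool = False              # result parked for a later poll
    status: Status = Status.PENDING


class ToyADC:
    """Stand-in for the appliance; polling_enabled mirrors binding Poll.xml."""

    def __init__(self, polling_enabled: bool, directory: Dict[str, str]):
        self.polling_enabled = polling_enabled
        self.directory = directory   # first-factor user store (LDAP/AD stand-in)
        self.sessions: Dict[str, AuthSession] = {}

    def first_factor(self, session_id: str, user: str, password: str) -> Status:
        # Steps 1-4: verify credentials; on success the RADIUS push request goes out.
        if self.directory.get(user) != password:
            return Status.FAILED
        self.sessions[session_id] = AuthSession(session_id)
        return Status.PENDING

    def client_dropped_tcp(self, session_id: str) -> None:
        # Step 5: the endpoint loses its connection (e.g. switching to an authenticator app).
        self.sessions[session_id].client_connected = False

    def radius_response(self, session_id: str, accepted: bool) -> Status:
        # The RADIUS push server answers; the endpoint may be disconnected by now.
        s = self.sessions[session_id]
        s.radius_result = accepted
        if s.client_connected:
            s.status = Status.SUCCESS if accepted else Status.FAILED
        elif self.polling_enabled:
            # Step 9 (with Polling): keep the result for the endpoint's next poll.
            s.state_saved = True
        else:
            # Step 7 (without Polling): no client connection, so drop the session.
            s.status = Status.FAILED
            del self.sessions[session_id]
        return s.status

    def poll(self, session_id: str) -> Status:
        # Steps 6 and 10: the endpoint probes on a fresh connection.
        s = self.sessions.get(session_id)
        if s is None or not self.polling_enabled:
            return Status.FAILED            # nothing to resume, or Polling not configured
        if not s.state_saved:
            return Status.CONTINUE_POLLING  # step 7: RADIUS has not answered yet
        # Step 11: establish the session from the saved state.
        s.status = Status.SUCCESS if s.radius_result else Status.FAILED
        del self.sessions[session_id]
        return s.status


USERS = {"alice": "correct-horse"}   # constructed sample directory, not real data


def run_scenario(polling_enabled: bool, radius_accepts: bool = True) -> Status:
    """Replay the page's event sequence and return the final login status."""
    adc = ToyADC(polling_enabled, USERS)
    sid = "sess-1"   # assumed session identifier
    if adc.first_factor(sid, "alice", "correct-horse") is not Status.PENDING:
        return Status.FAILED
    adc.client_dropped_tcp(sid)
    if polling_enabled and adc.poll(sid) is not Status.CONTINUE_POLLING:
        return Status.FAILED   # a poll before the RADIUS answer must say "keep polling"
    status = adc.radius_response(sid, radius_accepts)
    if polling_enabled:
        status = adc.poll(sid)   # the next poll finds the saved state
    return status


if __name__ == "__main__":
    print("without Polling:", run_scenario(False).value)   # failed
    print("with Polling:   ", run_scenario(True).value)    # success
```

The model also covers the case the page leaves implicit: a RADIUS rejection that arrives while the endpoint is disconnected is saved just like an acceptance, so the next poll returns a failure rather than leaving the session pending forever.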

Configure Polling using CLI

The following is a sample CLI configuration. Note that the policy label named by -nextFactor must already exist when the bind command references it, so on a fresh appliance create the second factor and the rad_factor policy label before running the vserver bind shown under the first factor.

Configure First factor

add authentication ldapAction ldap-new -serverIP 10.106.40.65 -serverPort 636 -ldapBase "dc=aaatm-test,dc=com" -ldapBindDn administrator@aaatm-test.com -ldapBindDnPassword 2f63d3659103464a4fad0ade65e2ccfd4e8440e36ddff941d29796af03e01139 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberof -subAttributeName CN -secType SSL -alternateEmailAttr userParameters

add authentication Policy ldap-new -rule true -action ldap-new

bind authentication vserver avs -policy ldap-new -priority 1 -nextFactor rad_factor

Configure Second factor

add authentication radiusAction rad1 -serverIP 10.102.229.120 -radKey 1b1613760143ce2371961e9a9eb5392c86a4954a62397f29a01b5d12b42ce232 -encrypted -encryptmethod ENCMTHD_3

add authentication Policy rad -rule true -action rad1

Configure Poll.xml login schema

add authentication loginSchema polling_schema -authenticationSchema LoginSchema/Poll.xml

add authentication policylabel rad_factor -loginSchema polling_schema

bind authentication policylabel rad_factor -policyName rad -priority 1 -gotoPriorityExpression NEXT

Configure Polling using GUI

For detailed steps on configuring multifactor authentication using the GUI, see Configuring nFactor authentication.

The following are the high-level steps required to configure a Citrix ADC appliance for Polling from the second factor onwards.

  1. Create a first factor for authentication, for example LDAP.
  2. Create a second factor for authentication, for example RADIUS.
  3. Add Poll.xml present in Citrix ADC (/nsconfig/loginschema/LoginSchema/) as login schema for the second factor.