Contextual tags

The Secure Private Access plug-in provides contextual access (smart access) to Web or SaaS applications based on the user session context, such as device platform and OS, installed software, and geolocation.

Administrators can add conditions with contextual tags to the access policy. The contextual tag on the Secure Private Access plug-in is the name of a NetScaler Gateway policy (session, preauthentication, EPA) that is applied to the sessions of the authenticated users.

The Secure Private Access plug-in can receive smart access tags as a header (new logic) or by making callbacks to Gateway. For details, see Smart access tags.

Note:

  • Starting from NetScaler Gateway 14.1-25.x and later, nFactor EPA policies are supported.
  • If your NetScaler Gateway version is lower than 14.1-25.x, then only classic gateway preauthentication policies can be configured on NetScaler Gateway.

Configure custom tags using the GUI

The following high-level steps are involved in configuring contextual tags.

  1. Configure a classic gateway preauthentication policy
  2. Bind the classic preauthentication policy to the gateway virtual server

Configure a classic gateway preauthentication policy

  1. Navigate to NetScaler Gateway > Policies > Preauthentication and then click Add.

  2. Select an existing policy or add a name for the policy. This policy name is used as the custom tag value.
  3. In Request Action, click Add to create an action. You can reuse this action for multiple policies, for example, use one action to allow access, another to deny access.

    [Figure: Add preauthentication policy]

  4. Fill in the details in the required fields and click Create.
  5. In Expression, enter the expression manually or use the Expression editor to construct an expression for the policy.

    The following figure displays a sample expression constructed for checking the Windows 10 OS.

    [Figure: Expression editor with sample expression]

  6. Click Create.

Bind the custom tag to NetScaler Gateway

  1. Navigate to NetScaler Gateway > Virtual Servers.
  2. Select the virtual server for which the preauthentication policy is to be bound and then click Edit.
  3. In the Policies section, click + to bind the policy.
  4. In Choose Policy, select the preauthentication policy and select Request in Choose Type.

    [Figure: Policy type]

  5. Select the policy name and the priority for the policy evaluation.
  6. Click Bind.

    [Figure: Policy binding]

Configure custom tags using the CLI

Run the following sample commands on the NetScaler CLI to create and bind a preauthentication policy:

  • add aaa preauthenticationaction win10_prof ALLOW
  • add aaa preauthenticationpolicy Windows10 "CLIENT.OS(win10) EXISTS" win10_prof
  • bind vpn vserver _SecureAccess_Gateway -policy Windows10 -priority 100

Run the following sample commands on the NetScaler CLI to configure an nFactor EPA policy:

  • add authentication epaAction epaallowact -csecexpr "sys.client_expr(\"proc_0_notepad.exe\")" -defaultEPAGroup allow_app -quarantineGroup deny_app
  • add authentication Policy epaallow -rule true -action epaallowact

Adding a new contextual tag

  1. Open the Secure Private Access admin console and click Access Policies.
  2. Create a new policy or edit an existing policy.
  3. In the Condition section, click Add condition and select Contextual Tags, Matches all of, and then enter the contextual tag name (for example, Windows10).

Note on EPA tags sent to Secure Private Access plug-in

The EPA action name configured in the nFactor EPA policy and the associated group name are sent as smart access tags to the Secure Private Access plug-in. However, which tags are sent depends on the outcome of the EPA action evaluation.

  • If all EPA actions in an nFactor EPA policy result in action DENY and a quarantine group is configured in the last action, the quarantine group name is sent as the smart access tag.
  • If an EPA action in an nFactor EPA policy results in action ALLOW, the EPA action names associated with the allowed result and the default group name (if configured) are sent as the smart access tags.

[Figure: Smart access tags]

In this example, when the action is denied, deny_app is sent as the smart access tag to the Secure Private Access plug-in. When the action is allowed, epaallowact and allow_app are sent as the smart access tags to the Secure Private Access plug-in.
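The tag-selection rules above, together with the "Matches all of" check that an access policy condition applies, as an added model written for this page (not Citrix or NetScaler code). It assumes the action names, groups and policy name from the CLI samples (epaallowact, allow_app, deny_app, Windows10); which of the gateway's real evaluation results feed in is constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class EpaAction:
    """One nFactor EPA action (add authentication epaAction ...) plus its scan result."""
    name: str
    result: str                              # "ALLOW" or "DENY" from the EPA scan
    default_group: Optional[str] = None      # -defaultEPAGroup
    quarantine_group: Optional[str] = None   # -quarantineGroup

def epa_smart_access_tags(actions: List[EpaAction]) -> List[str]:
    """Tags sent to the plug-in for an nFactor EPA policy, per the rules on this page."""
    allowed = [a for a in actions if a.result == "ALLOW"]
    if allowed:
        # ALLOW: action name plus its default group (when configured)
        tags = []
        for a in allowed:
            tags.append(a.name)
            if a.default_group:
                tags.append(a.default_group)
        return tags
    # All DENY: only the last action's quarantine group, if one is configured
    if actions and actions[-1].quarantine_group:
        return [actions[-1].quarantine_group]
    return []

def classic_preauth_tags(policy_hits: dict) -> List[str]:
    """Classic preauthentication policies: the policy name is the tag when its expression matched."""
    return [name for name, matched in policy_hits.items() if matched]

def condition_matches_all(required: List[str], tags: List[str]) -> bool:
    """Access policy condition 'Contextual Tags / Matches all of'."""
    return set(required).issubset(tags)

if __name__ == "__main__":
    # Constructed sample: the epaallowact action from the CLI example, allowed then denied
    allowed = [EpaAction("epaallowact", "ALLOW", "allow_app", "deny_app")]
    denied = [EpaAction("epaallowact", "DENY", "allow_app", "deny_app")]
    print(epa_smart_access_tags(allowed))   # ['epaallowact', 'allow_app']
    print(epa_smart_access_tags(denied))    # ['deny_app']
    print(condition_matches_all(["Windows10"], classic_preauth_tags({"Windows10": True})))
```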
