Product Documentation

Multi-Factor (nFactor) Authentication

Aug 31, 2016

Important

Supported from NetScaler 11.0 Build 62.x onwards.

Multi-factor authentication enhances the security of an application by requiring users to provide multiple proofs of identify to gain access. The NetScaler appliance provides an extensible and flexible approach to configuring multi-factor authentication. This approach is called nFactor authentication.

With nFactor authentication you can:

  • Configure any number of authentication factors.
  • Base the selection of the next factor on the result of executing the previous factor.
  • Customize the login interface. For example, you can customize the label names, error messages, and help text.
  • Extract user group information without doing authentication.
  • Configure pass-through for an authentication factor. This means that no explicit login interaction is required for that factor.
  • Configure the order in which different types of authentication are applied. Any of the authentication mechanisms that are supported on the NetScaler appliance can be configured as any factor of the nFactor authentication setup. These factors are executed in the order in which they are configured.
  • Configure the NetScaler to proceed to an authentication factor that must be executed when authentication fails. To do so, you configure another authentication policy with the exact same condition, but with the next highest priority and with the action set to "NO_AUTH". You must also configure the next factor, which must specify the alternative authentication mechanism to apply.

For a nFactor benefit, see One Public IP for AAA-TM Deployments on NetScaler.

Sample deployments using nFactor authentication:

  • Getting two passwords up-front, pass-through in next factor. Read
  • Group extraction followed by certificate or LDAP authentication, based on group membership. Read
  • SAML followed by LDAP or certificate authentication, based on attributes extracted during SAML. Read
  • SAML in first factor, followed by group extraction, and then LDAP or certificate authentication, based on groups extracted. Read
  • Prefilling user name from certificate. Read
  • Certificate authentication followed by group extraction for 401 enabled traffic management virtual servers. Read
  • Username and 2 passwords with group extraction in third factor. Read
  • Certificate fallback to LDAP in same cascade; one virtual server for both certificate and LDAP authentication. Read
  • LDAP in first factor and WebAuth in second factor. Read
  • Domain drop down in first factor, then different policy evaluations based on group. Read