
Configure nFactor for applications with different login site requirements including step-up authentication

Usually, a Citrix Gateway provides access to multiple applications. Depending on their security requirements, these applications can have different authentication mechanisms. Some, such as a common intranet, might only need a single factor. Others, such as SAP or HR tools that hold more critical data, must have at least multifactor authentication. However, most users access only the intranet, so requiring multiple factors for all applications is not the right choice.

This topic describes how to change the login mechanism dynamically based on the application that the user wants to access, and the steps to set up that authentication.

Prerequisites

Before you configure the Citrix Gateway, review the following prerequisites.

  • Citrix ADC Advanced edition license.
  • Citrix ADC (NetScaler) feature release 11.1 or later.
  • LDAP server.
  • RADIUS server.
  • Public IP address.

This configuration example uses two applications with the following authentication requirements.

  • Web application green
    • Requirement - user name + LDAP password
  • Web application red
    • Requirement - user name + LDAP password + RADIUS pin

Note

Besides LDAP and RADIUS, other authentication methods such as user certificates, TACACS, or SAML are possible.

Basic setup

  1. Add non-addressable (IP address 0.0.0.0, port 0) load balancing virtual servers and services for both web applications.

    • Load balancing virtual servers

      Load balancing virtual server

    • Services

      Load balancing virtual server

  2. Add a basic non-addressable authentication, authorization, and auditing virtual server for logon. No further configuration is needed at this point.

    Load balancing virtual server

  3. Add a Content Switching virtual server of type SSL with the public IP address. On this IP address, you need DNS records for each application that you want to access and for the authentication, authorization, and auditing virtual server as well. This example uses the following DNS names:
    • green.lab.local -> Application Green
    • red.lab.local -> Application Red
    • aaa.lab.local -> authentication, authorization, and auditing virtual server

    Load balancing virtual server

    • Bind an SSL certificate whose CN or SAN matches all of the DNS records.
  4. Add content switching policies to the virtual server: one for each application, matching that application's host name. This is how the Citrix ADC determines which application the user wants to access. In addition, add another policy for the authentication, authorization, and auditing virtual server with the expression "true".

    Load balancing virtual server

  5. Ensure that the authentication, authorization, and auditing policy is evaluated last, that is, that it has the highest priority number (lower numbers are evaluated first). Its expression "true" matches every request, so if it were evaluated before the application policies, it would not be possible to access the applications.

  6. Add a content switching action for each policy, pointing to the matching virtual server: in this example, the two load balancing virtual servers and the authentication virtual server.

    Load balancing virtual server
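The same basic setup expressed on the Citrix ADC command line. This is an added example, not configuration from the original page; the object names (green_lb, red_lb, aaa_vs, cs_vs, lab_cert), the back-end addresses 10.0.0.11 and 10.0.0.12, and the public IP 203.0.113.10 are assumptions, and the certificate lab_cert is assumed to be installed already. Actions are created before the policies that reference them, so steps 4 and 6 appear in the reverse order.

```text
# Added example (not from the page). Names and addresses are assumptions.

# 1. Non-addressable LB vservers (IP 0.0.0.0, port 0) and their services
add service green_svc 10.0.0.11 HTTP 80
add service red_svc   10.0.0.12 HTTP 80
add lb vserver green_lb HTTP 0.0.0.0 0
add lb vserver red_lb   HTTP 0.0.0.0 0
bind lb vserver green_lb green_svc
bind lb vserver red_lb   red_svc

# 2. Non-addressable AAA vserver; nothing bound to it yet
add authentication vserver aaa_vs SSL 0.0.0.0 0
bind ssl vserver aaa_vs -certkeyName lab_cert

# 3. Content switching vserver on the public IP. lab_cert must carry
#    green.lab.local, red.lab.local and aaa.lab.local in its CN or SAN.
add cs vserver cs_vs SSL 203.0.113.10 443
bind ssl vserver cs_vs -certkeyName lab_cert

# 6. Actions pointing at the target vservers (created first because the
#    policies below reference them)
add cs action green_act -targetLBVserver green_lb
add cs action red_act   -targetLBVserver red_lb
add cs action aaa_act   -targetVserver aaa_vs

# 4. One policy per application host name, plus the catch-all for AAA
add cs policy green_pol -rule "HTTP.REQ.HOSTNAME.EQ(\"green.lab.local\")" -action green_act
add cs policy red_pol   -rule "HTTP.REQ.HOSTNAME.EQ(\"red.lab.local\")"   -action red_act
add cs policy aaa_pol   -rule true -action aaa_act

# 5. Lower number = evaluated first. The "true" policy gets the largest
#    number so it is only reached when no application host name matched.
bind cs vserver cs_vs -policyName green_pol -priority 100
bind cs vserver cs_vs -policyName red_pol   -priority 110
bind cs vserver cs_vs -policyName aaa_pol   -priority 120
```

Check the result with `show cs vserver cs_vs`: the three policies must be listed with the catch-all at the highest priority number, and all three targets must report state UP before you continue with the authentication profiles.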

Authentication level configuration

After completing the basic virtual server and content switching setup, enable authentication on the application virtual servers and define which application is the stronger and which is the weaker one.

  1. Navigate to the Load Balancing Virtual Server for application Red, enable "Form Based Authentication", and add an authentication profile.

    Load balancing virtual server

    Load balancing virtual server

  2. Enter the host name of the authentication, authorization, and auditing virtual server. A user who accesses the application without an existing session is redirected to this host name.

  3. Choose Authentication Virtual Server as the type and bind the authentication, authorization, and auditing virtual server.

  4. Define an authentication level to configure whether an application is stronger or weaker than another. A session established at a given level, for example 100, can access virtual servers with a lower level without reauthenticating. Conversely, that session is forced to authenticate again if the user tries to access a virtual server with a higher level.

    Configure auth profile

  5. Repeat steps 1 through 4 for application Green.

  6. Navigate to Security > AAA - Application Traffic > Authentication Profiles to add the authentication profiles.

    Configure auth profiles

    Create one profile for each application, both pointing to the host name of the authentication, authorization, and auditing virtual server. In the example, application Red (level 100) is stronger than application Green (level 90). This means that a user with an existing session for Red can access Green without reauthenticating, whereas a user who first accessed Green must reauthenticate for application Red.
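The same authentication-level configuration on the command line, added here as an example and not taken from the original page. The object names (aaa_vs, green_lb, red_lb, green_prof, red_prof) are assumptions, and aaa.lab.local is assumed to resolve to the content switching virtual server as described in the basic setup.

```text
# Added example (not from the page). Names are assumptions.

# One authentication profile per application. Both point at the same AAA
# vserver and host name; only the authentication level differs.
add authentication authnProfile red_prof   -authnVsName aaa_vs -AuthenticationHost aaa.lab.local -AuthenticationLevel 100
add authentication authnProfile green_prof -authnVsName aaa_vs -AuthenticationHost aaa.lab.local -AuthenticationLevel 90

# Form-based authentication on each LB vserver, through its profile.
# (-Authentication ON is the form-based mode; -Authn401 ON would be the
# 401-challenge mode, which is not what this setup uses.)
set lb vserver red_lb   -Authentication ON -authnProfile red_prof
set lb vserver green_lb -Authentication ON -authnProfile green_prof

# Check: each vserver must now report Authentication: ON and its profile
show lb vserver red_lb
show lb vserver green_lb
```

Because the level is a property of the profile, not of the policies that run on the AAA virtual server, it is the profile binding on the load balancing virtual server that enforces the step-up: a level-90 session presented to red_lb is always sent back to aaa.lab.local, whatever login flow the user completed earlier.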

nFactor configuration for multifactor authentication

  1. Navigate to Security > AAA - Application Traffic > Login Schema > Profiles and add three login schemas to build the required Citrix ADC logon pages.

    • Schema for normal LDAP authentication
      • Select SingleAuth XML to present two fields, one for the user name and one for the LDAP password.
      • Make sure the user name is saved at index 1 and the password at index 2. These indexes store the submitted credentials in the user's session, and the LDAP reauthentication relies on them when a user accesses application Red after application Green. Note that this keeps the LDAP password in session state for the lifetime of the session.
    • Schema for LDAP reauthentication

      • Select "noschema", because the user does not see the LDAP reauthentication.
      • Populate the User Expression and Password Expression with the attribute indexes that you defined in the first schema.

        Configure auth profiles

    • Schema for RADIUS authentication
      • Select "OnlyPassword XML" to present a single field for the RADIUS PIN. The user name is not needed because it is already known from the LDAP login.

        Configure auth login schema

  2. Next, add all the authentication policies needed to control the login behavior. Navigate to Security > AAA - Application Traffic > Policies > Authentication > Policy.

    • Add the default LDAP policy with the required LDAP server.

      Configure auth policy

    • Add the default RADIUS policy with the required RADIUS server.

      Configure auth policy

    • Add a third authentication policy with action type "NO_AUTH" and expression "true". This policy has no effect other than bridging to the next factor.

      Configure auth policy

    • The fourth policy evaluates whether the user wants to access the stronger application Red. It is what triggers multifactor authentication for Red.
      • Select "LDAP" as the action type and choose your LDAP server.
      • The expression detects application Red by checking the NSC_TMAP cookie. The Citrix ADC issues this cookie when it redirects the user to its logon page; the cookie contains the name of the authentication profile bound to the load balancing virtual server that was accessed.

        LDAP virtual server policy

        Citrix logon page

    • The last policy checks whether the user has saved credentials from a previous, weaker login. This is what enables the automatic LDAP relogin when a user first accessed the weaker application and now wants to open the stronger one.

      Citrix logon page

  3. Add policy labels to bind the preceding authentication policies and login schemas. Navigate to Security > AAA - Application Traffic > Policies > Authentication > PolicyLabel.

    • Start with the label for RADIUS authentication.

      • Give the label an appropriate name, select the RADIUS schema created earlier, and click Continue.

        Policy label

      • Finally, bind the default RADIUS authentication policy to this label.

        Policy label

    • The second label performs the LDAP relogin.
      • Add the label and bind the relogin schema.

        Relogin schema

      • Bind the LDAP authentication policy and set the RADIUS policy label as the next factor.

        Bind LDAP auth policy

    • Add the last label, for the first LDAP authentication.
      • Select the appropriate schema and click Continue.

        Select auth policy label

      • Bind the policy for strong authentication (the one with the NSC_TMAP check) first, set its Goto Expression to "End", and select the RADIUS policy label as the next factor.

      • Bind the LDAP policy for the weak Green authentication second, without a RADIUS next factor.

      • Ensure the priority order of the bindings: the Red check must be evaluated before the Green policy, because the Green policy's expression "true" would otherwise match every login and skip the second factor.

    • Configure the authentication, authorization, and auditing virtual server. Navigate to Security > AAA - Application Traffic > Virtual Servers.

      • Open the previously added virtual server and set the preferred Portal Theme.

        Select auth policy label

      • Bind the two remaining authentication policies directly to the virtual server.

        Advance auth policy

      • Bind the relogin policy (action NO_AUTH) with the LDAP relogin policy label as the next factor. This performs the automatic LDAP reauthentication for a user with an existing session.
      • Bind the second policy (NO_AUTH, expression "true") to bridge directly to the LDAP next factor when no session existed before.
      • As always, set the priorities correctly: the relogin check must be evaluated before the unconditional bridge, since the bridge matches every request.

        Priority auth policy
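The complete nFactor part of this procedure on the command line, added here as an example and not taken from the original page. All object names are assumptions (aaa_vs and red_prof carried over from the earlier steps; ldap_act, radius_act, the schema, policy and label names are new), as are the LDAP and RADIUS server addresses and the bind DN. NO_AUTHN is the command-line name of the action the GUI shows as NO_AUTH. The page does not show the expression of the relogin policy; the one used here, which tests for the AAA session cookie NSC_AAAC, is an assumption and is marked as such in the block.

```text
# Added example (not from the page). Names, addresses and the relogin
# expression are assumptions; replace the <...> placeholders.

# 1. Login schemas
add authentication loginSchema single_schema  -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml" -userCredentialIndex 1 -passwordCredentialIndex 2
add authentication loginSchema relogin_schema -authenticationSchema noschema -userExpression "AAA.USER.ATTRIBUTE(1)" -passwdExpression "AAA.USER.ATTRIBUTE(2)"
add authentication loginSchema radius_schema  -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"

# 2. Actions and policies
add authentication ldapAction   ldap_act   -serverIP 10.0.0.21 -serverPort 636 -secType SSL -ldapBase "dc=lab,dc=local" -ldapBindDn "cn=svc-ns,cn=Users,dc=lab,dc=local" -ldapBindDnPassword "<bind password>" -ldapLoginName sAMAccountName
add authentication radiusAction radius_act -serverIP 10.0.0.22 -serverPort 1812 -radKey "<shared secret>"
add authentication Policy ldap_pol   -rule true -action ldap_act
add authentication Policy radius_pol -rule true -action radius_act
add authentication Policy noauth_pol -rule true -action NO_AUTHN
# Fourth policy: LDAP only when the user was redirected from application Red.
# NSC_TMAP carries the name of the profile bound to the accessed LB vserver.
add authentication Policy ldap_red_pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TMAP\").CONTAINS(\"red_prof\")" -action ldap_act
# Last policy: detect an existing (weaker) session. ASSUMPTION: the page does
# not show this expression; the presence of the AAA session cookie is used.
add authentication Policy relogin_pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_AAAC\").LENGTH.GT(0)" -action NO_AUTHN

# 3. Policy labels. RADIUS label: second factor for Red.
add authentication policylabel  radius_label -loginSchema radius_schema
bind authentication policylabel radius_label -policyName radius_pol -priority 100 -gotoPriorityExpression END

# Relogin label: silent LDAP with the stored credentials, then RADIUS.
add authentication policylabel  relogin_label -loginSchema relogin_schema
bind authentication policylabel relogin_label -policyName ldap_pol -priority 100 -gotoPriorityExpression END -nextFactor radius_label

# First-login label: Red check (with RADIUS next) before the catch-all Green policy.
add authentication policylabel  ldap_label -loginSchema single_schema
bind authentication policylabel ldap_label -policyName ldap_red_pol -priority 100 -gotoPriorityExpression END -nextFactor radius_label
bind authentication policylabel ldap_label -policyName ldap_pol     -priority 110 -gotoPriorityExpression END

# AAA vserver: portal theme (assumed RfWebUI) and the two entry policies.
# Lower number wins, so the relogin check runs before the unconditional bridge.
bind authentication vserver aaa_vs -portaltheme RfWebUI
bind authentication vserver aaa_vs -policy relogin_pol -priority 100 -gotoPriorityExpression END -nextFactor relogin_label
bind authentication vserver aaa_vs -policy noauth_pol  -priority 110 -gotoPriorityExpression END -nextFactor ldap_label
```

To verify the flow without a browser, watch `show aaa session` (or `nsconmsg -d current -g aaa`) while logging in to green.lab.local and then to red.lab.local: the first login must create a session without a RADIUS factor, and the step-up must produce a RADIUS request but no second LDAP prompt. If the RADIUS prompt also appears for Green, the binding order inside ldap_label is wrong; if the user is prompted for the LDAP password again on step-up, the credential indexes of single_schema and the expressions of relogin_schema do not match.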

Note

The step-up flow can also be created with the nFactor Visualizer, which is available in Citrix ADC version 13.0 and later.

nFactor visualizer set up auth

Multifactor authentication configuration through nFactor Visualizer

  1. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
  2. Click + sign to add the nFactor Flow.

    Add nFactor flow

  3. Enter the name of the first factor and click Create.

    Create first factor

  4. No schema is needed for the first factor. Click Add Policy and add the NO_AUTH policy created in step 2 of the multifactor authentication configuration.

    Choose policy add

  5. Click the blue + to add a second authentication policy.

    Second authentication

  6. Choose the authentication policy you created and click Add.

    Policy add choose

  7. Click the green + to add the next factor.

    Policy adds

  8. To add the next authentication factor, select Create Factor, enter the factor name, and click Create.

    Create factor relogin

  9. To add a schema, click Add Schema.

    Add step auth

  10. Choose the schema created in the multifactor authentication configuration and click OK.

    Auth login schema

  11. Click Add Policy and choose the authentication policy.

    LDAP adds auth

  12. Click the green + to add another factor for RADIUS authentication.

    Auth login schema

  13. Create another factor by following step 8.

  14. Click Add Schema and choose the password-only schema from the list.

    Password schema list

  15. Click Add Policy, choose the RADIUS authentication policy, and click Add.

    RADIUS policy auth

  16. Click the green + in the first factor, next to step_up-pol.

    RADIUS policy auth

  17. Create another factor by following step 8.

    Step up LDAP

  18. Click Add Schema and choose the schema.

    Single auth schema

  19. Click Add Policy to choose authentication policy.

    LDAP step up

  20. Click the blue + to add another authentication policy for LDAP authentication.

    LDAP another policy

  21. Choose the LDAP authentication policy and click Add.

    LDAP adv policy

  22. Click the green + next to LDAP_Step_up to add the RADIUS authentication.

    RADIUS auth add

  23. Because the RADIUS factor already exists, select Connect to existing Factor and choose step_up-radius from the list.

    RADIUS auth add

  24. Click Done to save the configuration.

  25. To bind the created nFactor flow to an authentication, authorization, and auditing virtual server, click Bind to Authentication Server and click Create.

    Bind created auth server

    Note

    Bind and unbind the nFactor flow only through the Show Bindings option of the nFactor Flow page.

Unbind the nFactor Flow

  1. Select the nFactor flow and click Show Bindings.

  2. Select the authentication virtual server and click Unbind.

    Unbind auth server

Result

The following steps show what happens when application Red is accessed first.

  1. After you access "red.lab.local", you are redirected to the login page of the authentication, authorization, and auditing virtual server, which shows LDAP as the first factor.

    Auth login page

  2. nFactor evaluates that the user wants to access application Red and displays the second factor, RADIUS.

    RADIUS second factor

  3. Citrix ADC grants access to application Red.

    Red application display

  4. Next, access application Green. Citrix ADC grants access immediately because the session of the stronger application Red already exists.

    Green application display

The following steps show what happens when application Green is accessed first.

  1. After you access "green.lab.local", you are redirected to the login page of the authentication, authorization, and auditing virtual server.

    Auth login page

  2. nFactor evaluates that the user wants to access application Green and grants access without a second factor.

    Green application display

  3. Next, access application Red. The higher authentication level requires a relogin; nFactor performs the LDAP relogin automatically with the credentials saved from the first login at application Green, so you enter only the RADIUS credential.

    RADIUS second factor

  4. Citrix ADC grants access to the application Red.

    Red application display
