Polling during authentication
Starting from NetScaler release build 13.0.79.64, a NetScaler appliance can be configured to use a polling mechanism during multifactor authentication.
If Polling is configured on a NetScaler appliance, endpoints (such as a web browser or an app) can poll (probe) the appliance at the configured interval during authentication to get the status of a submitted authentication request.
Polling is intended for the case where an endpoint drops its TCP connection while it is authenticating with a NetScaler appliance.
Points to note
- Polling is supported for the LDAP, RADIUS, and TACACS authentication methods.
- Endpoints can poll for the authentication status from the second factor onwards; the first factor is not polled.
Why configure Polling?
Sometimes, switching between apps while authenticating (for example, between a login app and an authenticator app) causes the endpoint to lose its connection to the NetScaler appliance, which breaks the authentication flow. With Polling configured, this break can be avoided.
Understanding the Polling mechanism
The Polling mechanism lets a NetScaler appliance resume an in-progress authentication with the endpoint, without restarting the authentication process, in the rare case that the endpoint resets its TCP connection.
The following is an example of the flow of events during authentication without Polling configured.
- An endpoint (app or web browser) authenticates with credentials.
- The user name and password are verified against the first factor directory (LDAP/Active Directory).
- If the credentials are correct, authentication moves to the next factor.
- At this point, the NetScaler appliance sends a request to the RADIUS Push server.
- While the NetScaler appliance waits for a response from the RADIUS server, the endpoint drops the TCP connection.
- The NetScaler appliance receives the response from the RADIUS Push server.
- Because no client TCP connection is found, the NetScaler appliance drops the session and the login fails.
The following is an example of the flow of events during authentication with Polling configured.
- An endpoint (app or web browser) authenticates with credentials.
- The user name and password are verified against the first factor directory (LDAP/Active Directory).
- If the credentials are correct, authentication moves to the next factor.
- At this point, the NetScaler appliance sends a request to the RADIUS Push server.
- While the NetScaler appliance waits for a response from the RADIUS server, the endpoint drops the TCP connection.
- The endpoint sends a poll (probe) to the NetScaler appliance to check the authentication status.
- Because the NetScaler appliance has not yet heard back from the RADIUS server, it tells the endpoint to continue polling.
- The NetScaler appliance receives the response from the RADIUS Push server.
- Because no client TCP connection is found, the NetScaler appliance saves the session state instead of dropping it.
- The endpoint polls again to check the authentication status.
- The NetScaler appliance establishes the session from the saved state and the login succeeds.
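The two flows above, modelled in Python as an added example. This is illustrative code, not NetScaler's implementation: the page does not describe how the appliance correlates a poll with its saved state, so the random single-use poll token and the time limit on saved state used here are assumptions. The model shows why the same RADIUS result ends in a dropped session without polling and in an established session with it, and why saved state must be bound to an unguessable token, redeemable once, and expire.

```python
"""
Added model of the second-factor flow described above, with and without
polling.  Not NetScaler code: the poll token, single-use redemption and
fixed TTL on saved state are assumptions, since the page does not say how
the appliance correlates a poll with its saved state.
"""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Tuple


class Outcome(Enum):
    PENDING = "pending"   # still waiting on the RADIUS push server
    ACCEPT = "accept"     # RADIUS accepted the push
    REJECT = "reject"     # RADIUS rejected it


@dataclass
class SavedState:
    user: str
    created: float
    outcome: Outcome = Outcome.PENDING
    connection_open: bool = True   # is the client's original TCP connection still up?


class SecondFactor:
    """Appliance-side state for one factor that waits on a RADIUS push server."""

    def __init__(self, polling: bool, ttl: float = 60.0,
                 clock: Callable[[], float] = lambda: 0.0):
        self.polling = polling
        self.ttl = ttl           # assumed: how long saved state outlives a dropped connection
        self.clock = clock
        self.state: Dict[str, SavedState] = {}

    def start(self, user: str) -> str:
        """First factor passed; the push request goes out and the client gets a poll token."""
        token = secrets.token_urlsafe(32)   # unguessable: the token alone redeems the result
        self.state[token] = SavedState(user=user, created=self.clock())
        return token

    def client_disconnected(self, token: str) -> None:
        self.state[token].connection_open = False

    def radius_response(self, token: str, accepted: bool) -> str:
        """The RADIUS push server answers; the client may or may not still be connected."""
        st = self.state.get(token)
        if st is None:
            return "no pending authentication"
        st.outcome = Outcome.ACCEPT if accepted else Outcome.REJECT
        if st.connection_open:
            return self._finish(token)           # normal case: answer on the open connection
        if not self.polling:
            del self.state[token]                # no connection and no polling: drop the session
            return "login failed"
        return "state saved"                     # polling: keep the result for the next poll

    def poll(self, token: str) -> str:
        """Client probe for the status of its authentication."""
        st = self.state.get(token)
        if st is None:
            return "unknown token"               # never issued, expired, or already redeemed
        if self.clock() - st.created > self.ttl:
            del self.state[token]
            return "expired"
        if st.outcome is Outcome.PENDING:
            return "continue polling"
        return self._finish(token)

    def _finish(self, token: str) -> str:
        st = self.state.pop(token)               # single use: a result can be redeemed once
        return "session established" if st.outcome is Outcome.ACCEPT else "login failed"


def flow_without_polling() -> str:
    sf = SecondFactor(polling=False)
    token = sf.start("alice")
    sf.client_disconnected(token)                 # app switch drops the TCP connection
    return sf.radius_response(token, accepted=True)   # -> "login failed"


def flow_with_polling() -> Tuple[str, str, str]:
    sf = SecondFactor(polling=True)
    token = sf.start("alice")
    sf.client_disconnected(token)
    first = sf.poll(token)                        # RADIUS has not answered: "continue polling"
    sf.radius_response(token, accepted=True)      # no connection, so the result is saved
    second = sf.poll(token)                       # "session established"
    third = sf.poll(token)                        # "unknown token": the result was single use
    return first, second, third


def poll_after_ttl(ttl: float = 60.0) -> str:
    """Saved state must not live forever; a late poll gets nothing."""
    now = [0.0]
    sf = SecondFactor(polling=True, ttl=ttl, clock=lambda: now[0])
    token = sf.start("alice")
    sf.client_disconnected(token)
    sf.radius_response(token, accepted=True)
    now[0] = ttl + 1
    return sf.poll(token)                         # -> "expired"
```

The rejection path works the same way: a REJECT saved while the client is disconnected is redeemed by the next poll as "login failed", so the endpoint learns the result without the appliance holding the state open.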
Configure Polling using CLI
The following is a sample CLI configuration. The -ldapBindDnPassword and -radKey values are shown in the encrypted form that the appliance writes to its running configuration; on a new appliance, enter the plaintext secret and omit -encrypted and -encryptmethod.
Configure First factor
add authentication ldapAction ldap-new -serverIP 10.106.40.65 -serverPort 636 -ldapBase "dc=aaatm-test,dc=com" -ldapBindDn administrator@aaatm-test.com -ldapBindDnPassword 2f63d3659103464a4fad0ade65e2ccfd4e8440e36ddff941d29796af03e01139 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberof -subAttributeName CN -secType SSL -alternateEmailAttr userParameters
add authentication Policy ldap-new -rule true -action ldap-new
bind authentication vserver avs -policy ldap-new -priority 1 -nextFactor rad_factor
Configure Second factor
add authentication radiusAction rad1 -serverIP 10.102.229.120 -radKey 1b1613760143ce2371961e9a9eb5392c86a4954a62397f29a01b5d12b42ce232 -encrypted -encryptmethod ENCMTHD_3
add authentication Policy rad -rule true -action rad1
Configure Poll.xml login schema
add authentication loginSchema polling_schema -authenticationSchema LoginSchema/Poll.xml
add authentication policylabel rad_factor -loginSchema polling_schema
bind authentication policylabel rad_factor -policyName rad -priority 1 -gotoPriorityExpression NEXT
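As an added check, not a NetScaler tool, the following Python re-reads CLI lines of the form shown above and verifies the two constraints this page states: Poll.xml must sit on a factor reached through -nextFactor (second factor onwards), and every policy bound in that factor must use an LDAP, RADIUS or TACACS action. The parser handles only the add/bind forms on this page. The misconfigured variant it tests against is constructed for illustration, and the samlAction parameters in it are assumed.

```python
"""
Added sanity check for the polling configuration above.  Not a NetScaler
tool: it parses the add/bind authentication lines shown on this page and
reports a polled factor that is not reached via -nextFactor, or a policy
in that factor whose action type polling does not support.
"""
import shlex
from typing import Dict, List

POLL_SCHEMA = "LoginSchema/Poll.xml"
SUPPORTED = {"ldapaction", "radiusaction", "tacacsaction"}   # per the page's "Points to note"


def _opts(tokens: List[str]) -> Dict[str, str]:
    """['-serverIP', '1.2.3.4', '-encrypted', '-x', 'y'] -> {'serverIP': '1.2.3.4', 'encrypted': '', 'x': 'y'}"""
    out, i = {}, 0
    while i < len(tokens):
        key = tokens[i].lstrip("-")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            out[key], i = tokens[i + 1], i + 2
        else:
            out[key], i = "", i + 1          # bare flag such as -encrypted
    return out


def check_polling_config(cli_text: str) -> List[str]:
    actions: Dict[str, str] = {}          # action name -> action type (e.g. radiusAction)
    policies: Dict[str, str] = {}         # policy name -> action name
    schemas: Dict[str, str] = {}          # loginSchema name -> XML path
    labels: Dict[str, str] = {}           # policylabel name -> loginSchema name
    label_policies: Dict[str, List[str]] = {}
    next_factors = set()                  # labels a vserver binding hands off to via -nextFactor
    for line in cli_text.splitlines():
        t = shlex.split(line)
        if len(t) < 4 or t[0] not in ("add", "bind") or t[1] != "authentication":
            continue
        verb, kind, name, opts = t[0], t[2].lower(), t[3], _opts(t[4:])
        if verb == "add":
            if kind.endswith("action"):
                actions[name] = t[2]
            elif kind == "policy":
                policies[name] = opts.get("action", "")
            elif kind == "loginschema":
                schemas[name] = opts.get("authenticationSchema", "")
            elif kind == "policylabel":
                labels[name] = opts.get("loginSchema", "")
        elif kind == "vserver" and "nextFactor" in opts:
            next_factors.add(opts["nextFactor"])
        elif kind == "policylabel":
            label_policies.setdefault(name, []).append(opts.get("policyName", ""))

    problems = []
    poll_labels = [lb for lb, sc in labels.items() if schemas.get(sc) == POLL_SCHEMA]
    if not poll_labels:
        problems.append("no policylabel uses the Poll.xml login schema")
    for lb in poll_labels:
        if lb not in next_factors:
            problems.append(f"{lb} uses Poll.xml but no vserver binding reaches it via -nextFactor")
        for pol in label_policies.get(lb, []):
            atype = actions.get(policies.get(pol, ""), "<missing>")
            if atype.lower() not in SUPPORTED:
                problems.append(f"policy {pol} in {lb} uses {atype}; polling supports LDAP, RADIUS and TACACS only")
    return problems


# The page's own sample configuration, in the order it is entered.
PAGE_CONFIG = """
add authentication ldapAction ldap-new -serverIP 10.106.40.65 -serverPort 636 -ldapBase "dc=aaatm-test,dc=com" -ldapBindDn administrator@aaatm-test.com -ldapBindDnPassword 2f63d3659103464a4fad0ade65e2ccfd4e8440e36ddff941d29796af03e01139 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberof -subAttributeName CN -secType SSL -alternateEmailAttr userParameters
add authentication Policy ldap-new -rule true -action ldap-new
bind authentication vserver avs -policy ldap-new -priority 1 -nextFactor rad_factor
add authentication radiusAction rad1 -serverIP 10.102.229.120 -radKey 1b1613760143ce2371961e9a9eb5392c86a4954a62397f29a01b5d12b42ce232 -encrypted -encryptmethod ENCMTHD_3
add authentication Policy rad -rule true -action rad1
add authentication loginSchema polling_schema -authenticationSchema LoginSchema/Poll.xml
add authentication policylabel rad_factor -loginSchema polling_schema
bind authentication policylabel rad_factor -policyName rad -priority 1 -gotoPriorityExpression NEXT
"""

# Constructed misconfiguration (not from the page): the vserver binding has no
# -nextFactor, and the polled factor's policy uses a SAML action, which polling
# does not support.  The samlAction parameters are assumed for illustration.
BAD_CONFIG = PAGE_CONFIG.replace(" -nextFactor rad_factor", "").replace(
    "add authentication Policy rad -rule true -action rad1",
    "add authentication samlAction saml1 -samlIdPCertName idp_cert -samlRedirectUrl https://idp.example.com/sso\n"
    "add authentication Policy rad -rule true -action saml1")


def page_config_problems() -> List[str]:
    return check_polling_config(PAGE_CONFIG)      # -> []


def bad_config_problems() -> List[str]:
    return check_polling_config(BAD_CONFIG)       # -> two findings
```

Run it against the output of `show running` (or the saved ns.conf) after the three steps above; an empty list means the polled factor is wired the way the page describes.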
Configure Polling using GUI
For detailed steps on configuring multifactor authentication using the GUI, see Configuring nFactor authentication.
The following are the high-level steps for configuring a NetScaler appliance for Polling from the second factor onwards.
- Create a first factor for authentication, for example LDAP.
- Create a second factor for authentication, for example RADIUS.
- Add Poll.xml, present on the NetScaler appliance at /nsconfig/loginschema/LoginSchema/, as the login schema for the second factor.