Jump to content
Welcome to our new Citrix community!

Disable two factor authentication from certain sourceip

Mattias Karlsson

Recommended Posts

I have a Netscaler gateway with two factor authentication configured.
1 LDAP authentication policy bound as primary
1 RADIUS authentication policy bound as Secondary (RSA token/SMS)
All works well and when browsing to the VIP you see three fields:
Password1 (AD password)
Password2 (RSA PIN or token)
if entering PIN for password2 an SMS is send and a new window is presented in wich you enter the content of the SMS.
Now, the customer has a wireless network and asked me if it was possible to disable two factor authentication when coming from this network.
A good thing is that the vlan for the wireless network sits behind a firewall with NAT so all traffic hitting the VIP from this network has the same source IP.
So I alter the expression for the RAIUS policy to "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.IP.SOURCEIP != (NAT iP from firewall)".
I also create a rewrite policy that removes the Password2 field when coming from this source ip.
When trying to log on from this wireless network and entering username and password I only get:
"Contact your system administrator"
"nsconmsg -d current -g pol_hits" shows me that my LDAP policy activates when I log on.
Wierd thing is that "cat aaad.debug" is absolutely silent.
If I remove the "REQ.IP.SOURCEIP != (NAT iP from firewall)" part from the expression and log on with two factor, "cat aaad.debug" shows me how the LDAP and RADIUS policies approves the logon.
Any ideas?


Link to comment
Share on other sites

  • 1 month later...

Hi Carl.


Are you really supposed to be able to do this?

When I try to create a new vServer with the same VIP and port i get "resource already exists".


Tried to first set a listen policy on my existing vserver but I'm still not allowed to create a new one on the same VIP/port.


Maybe I misunderstood you.




Link to comment
Share on other sites

  • 1 year later...
On 10/20/2016 at 3:40 PM, Carl Stalhood1709151912 said:

NetScaler Gateway vsesrver, in the Other Settings section, has a Listen Policy expression. Create two vservers on the same VIP/port, but with different Listen Policies (CLIENT.IP.SRC). One vserver has two-factor, the other does not.

Hi Carl,
I would ask you if you can explain this, a little more.
While how can you Create two vservers on the same VIP/port,?

we have one VPN Virtual Server,
For each user coming from network 221.x.x.x we will use only basic LDAP

For each user coming from network 231.120.x.x we will use Radius with MFA

Thanks for your help


Link to comment
Share on other sites

  • 1 year later...
  • 1 year later...
  • 4 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...