Bind Advanced Authentication Policy to NetScaler Gateway Virtual Servers


Björn Schläfli

Hi,

 

Beginning with Netscaler 12.0 builds higher than 56.20, some classic expressions and policies are deprecated. In 56.20 I use a basic authentication policy for radius (ns_true) which is bound to the Netscaler gateway virtual server. With newer versions this policy is unbound and I can't bind it because it's deprecated. I've created an advanced authentication radius policy (expression TRUE) but I can't find any option to bind this advanced policy to my virtual Netscaler gateway server (only advanced authentication saml is possible).

How am I able to bind an advanced radius authentication policy to a virtual gateway server?

Do I need to configure radius otherwise now?

Today, you have to bind Advanced Authentication Policies to a AAA vServer, and then link the AAA vServer to the Gateway using an Authentication Profile. This is also called nFactor. But it requires NetScaler ADC Enterprise Edition.

 

I hope Citrix provides a solution for ADC Standard Edition before they get rid of Classic authentication policies.

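The layout described in the post above (advanced policy on an AAA vServer, linked to the Gateway through an Authentication Profile) next to the classic binding from the question, as an added example that is not part of the original thread. The script audits an `ns.conf` export for Gateway virtual servers that still rely on classic authentication policies; the configuration text, all object names and addresses are constructed, and the list of classic policy types is a subset chosen for the example.

```python
import shlex

# Classic commands look like "add authentication radiusPolicy <name> <rule> <action>".
# Subset of classic policy types, chosen for this example.
CLASSIC_TYPES = {"radiuspolicy", "ldappolicy", "tacacspolicy", "certpolicy", "localpolicy"}

# Constructed sample, not taken from a real appliance.
SAMPLE_CONF = """\
add authentication radiusAction radius_act -serverIP 192.0.2.10 -radKey PLACEHOLDER
add authentication radiusPolicy radius_classic ns_true radius_act
add authentication Policy radius_adv -rule true -action radius_act
add authentication vserver aaa_vs SSL 0.0.0.0
bind authentication vserver aaa_vs -policy radius_adv -priority 100 -gotoPriorityExpression NEXT
add authentication authnProfile gw_prof -authnVsName aaa_vs
add vpn vserver gw_old SSL 203.0.113.10 443
add vpn vserver gw_new SSL 203.0.113.11 443
bind vpn vserver gw_old -policy radius_classic -priority 100
set vpn vserver gw_new -authnProfile gw_prof
"""

def option(tokens, flag):
    """Value following a -flag (case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    if flag.lower() in low[:-1]:
        return tokens[low.index(flag.lower()) + 1]
    return None

def audit(conf_text):
    """Map each gateway vserver to its classic auth bindings and authnProfile."""
    classic, bindings, report = set(), [], {}
    for line in conf_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:
            continue  # unbalanced quoting; skip the line
        if len(tok) < 4:
            continue
        verb, group, kind, name = tok[0].lower(), tok[1].lower(), tok[2].lower(), tok[3]
        if (verb, group) == ("add", "authentication") and kind in CLASSIC_TYPES:
            classic.add(name)
        elif (group, kind) == ("vpn", "vserver") and verb in ("add", "set"):
            entry = report.setdefault(name, {"classic": [], "authnProfile": None})
            entry["authnProfile"] = option(tok, "-authnProfile") or entry["authnProfile"]
        elif (verb, group, kind) == ("bind", "vpn", "vserver"):
            bindings.append((name, option(tok, "-policy")))
    for vserver, policy in bindings:
        if policy in classic:
            report.setdefault(vserver, {"classic": [], "authnProfile": None})["classic"].append(policy)
    return report
```

A gateway that reports classic bindings and no `authnProfile` (here `gw_old`) is one whose authentication would be affected if classic policies are unbound on upgrade, as described in the question.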

Are you doing multi-factor authentication? If so, then you might need to store the user's AD password in an HTTP/AAA attribute number and then configure a Traffic Policy to submit the password to StoreFront. My nFactor article details this.

 

Also, check StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services for errors.


I have a login page with a drop-down (created with Portal Theme and rewrite policy & action), because we wanted a single URL where users could choose the needed environment in the drop-down and therefore be redirected to the corresponding XenApp site. It's working with build 56.20 and basic auth policy.


Just spent a couple of hours trying to see how I can bind an advanced policy to a vServer after creating a basic one and seeing the deprecated note so I thought I would create the advanced as suggested. No matter what I did and where I looked I could not find how to bind it.

Then I came across this. Seems it's not possible with a Standard License as the advanced policy section is not available. So why deprecate a feature in one license version only to replace with a feature that is only available in a higher license level? An oversight or a shifty way to get folk to upgrade :-)

 

Back to basic policies for now then.


Quick update for 2020. Oddly, even with our newly acquired Premium VPX license you still can't create, much less bind, an advanced authentication policy directly to a gateway virtual server on ADC 13.0. There's no option for advanced. It will only accept classic policies. As best I can tell the only way to use advanced policies is still to use nFactor, which is only supported on Advanced and Premium licenses. Entering a classical authentication policy now results in explicitly telling me they will be removed in the next release. "Classic authentication policies are deprecated and will be removed in release 13.1. Please use advanced authentication policies (i.e. add/set authentication policy)" Obviously this is concerning.

 

I had a ticket open with Citrix for a few days, and after a gotomeeting session and reviewing what I was seeing, I was ultimately told not to worry about it. "The warning you were seeing was just a mere warning. It will not impact your policy if you upgrade the version." Hopefully that continues to be the case.

 

I was able to create advanced session policies this time around, it's just the authentication policies that are a problem. My hope and current assumption is that the message only applies to other areas (like session policies), does not apply to authentication policies, and the devs just opted to (intentionally or not) put the same warning on all instances of classic policy creation, even if it does not apply to that specific policy group. I just wish I could find this clearly documented somewhere.

 

It looks like they typically release new versions between April and June, so I may just wait until 13.1 comes out before finalizing this config and putting this new server into production. That way in case something changes, we're not unpleasantly surprised.

On 4/3/2020 at 6:55 PM, Joe Roberts said:

Quick update for 2020. Oddly, even with our newly acquired Premium VPX license you still can't create, much less bind, an advanced authentication policy directly to a gateway virtual server on ADC 13.0. There's no option for advanced. It will only accept classic policies. As best I can tell the only way to use advanced policies is still to use nFactor, which is only supported on Advanced and Premium licenses. Entering a classical authentication policy now results in explicitly telling me they will be removed in the next release. "Classic authentication policies are deprecated and will be removed in release 13.1. Please use advanced authentication policies (i.e. add/set authentication policy)" Obviously this is concerning.

 

I had a ticket open with Citrix for a few days, and after a gotomeeting session and reviewing what I was seeing, I was ultimately told not to worry about it. "The warning you were seeing was just a mere warning. It will not impact your policy if you upgrade the version." Hopefully that continues to be the case.

 

I was able to create advanced session policies this time around, it's just the authentication policies that are a problem. My hope and current assumption is that the message only applies to other areas (like session policies), does not apply to authentication policies, and the devs just opted to (intentionally or not) put the same warning on all instances of classic policy creation, even if it does not apply to that specific policy group. I just wish I could find this clearly documented somewhere.

 

It looks like they typically release new versions between April and June, so I may just wait until 13.1 comes out before finalizing this config and putting this new server into production. That way in case something changes, we're not unpleasantly surprised.

 

Hello, 

Thank you for the explanations you gave us, it helped me a lot!

Fred

On 2/3/2021 at 1:36 PM, Felipe Albuquerque1709153149 said:

Any news regarding this situation for Standard ADC?

Yes.

 

Starting from release 13.0 build 67.x, nFactor authentication is supported with Standard license only for Gateway/VPN virtual server. For more information about nFactor authentication with Citrix Gateway, see nFactor for Gateway Authentication.

 

https://docs.citrix.com/en-us/citrix-gateway/current-release/authentication-authorization/nfactor-for-gateway-authentication.html#create-a-gateway-virtual-server-for-nfactor-authentication-in-citrix-adc-standard-license

 
