Björn Schläfli Posted August 28, 2018 Share Posted August 28, 2018 Hi, beginning with Netscaler 12.0 build higher 56.20 some classic expressions and policies are deprecated. In 56.20 I use a basic authentication policy for radius (ns_true) which is bound to the Netscaler gateway virtual server. With newer versions this policy is unbound and I can't bind it because it's deprecated. I've created an advanced authentication radius policy (expression TRUE) but I can't find any option to bind this advanced policy to my virtual Netscaler gateway server (only advanced authentication saml is possible). How am I able to bind an advanced radius authentication policy to a virtual gateway server? Do I need to configure radius otherwise now? Link to comment Share on other sites More sharing options...
Raman Kaushik Posted August 28, 2018 Share Posted August 28, 2018 You will have to use authentication profile/policy for advanced authentication. check the screenshots here: https://www.carlstalhood.com/nfactor-authentication-for-netscaler-gateway-12/#advauthpolicies 1 Link to comment Share on other sites More sharing options...
CarlStalhood Posted August 28, 2018 Share Posted August 28, 2018 Today, you have to bind Advanced Authentication Policies to a AAA vServer, and then link the AAA vServer to the Gateway using an Authentication Profile. This is also called nFactor. But it requires NetScaler ADC Enterprise Edition. I hope Citrix provides a solution for ADC Standard Edition before they get rid of Classic authentication policies. 3 Link to comment Share on other sites More sharing options...
Björn Schläfli Posted August 28, 2018 Author Share Posted August 28, 2018 Thank you both. Thank you Carl for your great work with your posts. I hope that too. Link to comment Share on other sites More sharing options...
Björn Schläfli Posted August 28, 2018 Author Share Posted August 28, 2018 That's way more complicated than before. I get 'cannot complete your request' now if I try to access the remote access page. Link to comment Share on other sites More sharing options...
CarlStalhood Posted August 28, 2018 Share Posted August 28, 2018 Are you doing multi-factor authentication? If so, then you might need to store the user's AD password in an HTTP/AAA attribute number and then configure a Traffic Policy to submit the password to StoreFront. My nFactor article details this. Also, check StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services for errors. Link to comment Share on other sites More sharing options...
Björn Schläfli Posted August 28, 2018 Author Share Posted August 28, 2018 I have a login page with a drop down (created with Portal Theme and rewrite policy & action), because we wanted a single url where user's could choose the needed environment in drop down and therefore be redirected to the correspondent XenApp site. It's working with build 56.20 and basic auth policy. Link to comment Share on other sites More sharing options...
Raman Kaushik Posted August 28, 2018 Share Posted August 28, 2018 Few things to add: -Check the credential index is set to primary for Web profiles and secondary for receiver profiles. -Make sure you have userPrincipalName in the LDAP action's SSO attribute -Session profile's domain field should be left blank. Link to comment Share on other sites More sharing options...
Martyn Dews1709159794 Posted September 26, 2018 Share Posted September 26, 2018 Just spent a couple of hours trying to see how I can bind an advanced policy to a vServer after creating a basic one and seeing the deprecated note so I thought I would create the advanced as suggested. No matter what I did and where I looked I could not find how to bind it. Then I came across this. Seems it's not possible with a Standard License as the advanced policy section is not available. So why deprecate a feature in one license version only to replace with a feature that is only available in a higher license level? An oversight or a shifty way to get folk to upgrade :-) Back to basic policies for now then. Link to comment Share on other sites More sharing options...
Kyle Peterson Posted January 30, 2019 Share Posted January 30, 2019 Same here.. I also just did a fresh install of the netscaler gateway and correct unless we upgrade our license there is no way to get around using the deprecated classical expressions. Has citrix said anything about this issue? Link to comment Share on other sites More sharing options...
Joe Roberts Posted April 3, 2020 Share Posted April 3, 2020 Quick update for 2020. Oddly, even with our newly acquired Premium VPX license you still can't create, much less bind an advanced authentication policy directly to gateway virtual server on ADC 13.0. There's no option for advanced. It will only accept classic policies. As best I can tell the only way to use advanced policies is still to use nFactor, which is only supported on Advanced and Premium licenses. Entering a classical authentication policy now results in explicitly telling me the will be removed in the next release. "Classic authentication policies are deprecated and will be removed in release 13.1. Please use advanced authentication policies (i.e. add/set authentication policy)" Obviously this is concerning. I had a ticket open with Citrix for a few days, and after a gotomeeting session and reviewing what I was seeing, I was ultimately told not to worry about it. "The warning you were seeing was just a mere warning. It will not impact your policy if you upgrade the version." Hopefully that continues to be the case. I was able to create advanced session polices this time around, it's just the authentication policies that are a problem. My hope and current assumption is that the message only applies to other areas (like session policies), does not apply to authentication polices, and the devs just opted to (intentionally or not) put the same warning on all instances of classic policy creation, even if it does not apply to that specific policy group. I just wish I could find this clearly documented somewhere. It looks like they typically release new versions between April and June, so I may just wait until 13.1 comes out before finalizing this config and putting this new server into production. That way in case something changes, we're not unpleasantly surprised. 1 Link to comment Share on other sites More sharing options...
Lutz Schumann Posted May 15, 2020 Share Posted May 15, 2020 Are there any news / official statement in the meantime ? A collegue of mine run into the same issue and there are currently another planned installations with gateway and external mfa in the pipeine, where no adc licenses are in consideration. Link to comment Share on other sites More sharing options...
Andrej Cesanek1709161680 Posted June 29, 2020 Share Posted June 29, 2020 I'm joining here to ask the Citrix what about advanced authentication policy for Standard ADC editions? A lot of enterprise customers have Standard ADCs which we've implemented, what is official statement in that matter? Link to comment Share on other sites More sharing options...
Felipe Albuquerque1709153149 Posted February 3, 2021 Share Posted February 3, 2021 Any news regarding this situation for Standard ADC? Link to comment Share on other sites More sharing options...
Frédéric LOUKA Posted February 6, 2021 Share Posted February 6, 2021 On 4/3/2020 at 6:55 PM, Joe Roberts said: Quick update for 2020. Oddly, even with our newly acquired Premium VPX license you still can't create, much less bind an advanced authentication policy directly to gateway virtual server on ADC 13.0. There's no option for advanced. It will only accept classic policies. As best I can tell the only way to use advanced policies is still to use nFactor, which is only supported on Advanced and Premium licenses. Entering a classical authentication policy now results in explicitly telling me the will be removed in the next release. "Classic authentication policies are deprecated and will be removed in release 13.1. Please use advanced authentication policies (i.e. add/set authentication policy)" Obviously this is concerning. I had a ticket open with Citrix for a few days, and after a gotomeeting session and reviewing what I was seeing, I was ultimately told not to worry about it. "The warning you were seeing was just a mere warning. It will not impact your policy if you upgrade the version." Hopefully that continues to be the case. I was able to create advanced session polices this time around, it's just the authentication policies that are a problem. My hope and current assumption is that the message only applies to other areas (like session policies), does not apply to authentication polices, and the devs just opted to (intentionally or not) put the same warning on all instances of classic policy creation, even if it does not apply to that specific policy group. I just wish I could find this clearly documented somewhere. It looks like they typically release new versions between April and June, so I may just wait until 13.1 comes out before finalizing this config and putting this new server into production. That way in case something changes, we're not unpleasantly surprised. Hello, Thank you for the explanations you gave us, it helped me a lot ! Fred Link to comment Share on other sites More sharing options...
Martin Latteier1709152446 Posted August 30, 2021 Share Posted August 30, 2021 On 2/3/2021 at 1:36 PM, Felipe Albuquerque1709153149 said: Any news regarding this situation for Standard ADC? Yes. Starting from release 13.0 build 67.x, nFactor authentication is supported with Standard license only for Gateway/VPN virtual server. For more information about nFactor authentication with Citrix Gateway, see nFactor for Gateway Authentication. https://docs.citrix.com/en-us/citrix-gateway/current-release/authentication-authorization/nfactor-for-gateway-authentication.html#create-a-gateway-virtual-server-for-nfactor-authentication-in-citrix-adc-standard-license Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now