Jump to content
Welcome to our new Citrix community!

Rewrite rule for Radius AVP request

Recommended Posts



I would really need some advice. I'm configuring the Netscaler VPX 11.1 build 55.13 (not the latest one, but not so old one). The request is to configure 2 factor authentication for Netscaler Gateway (ICA proxy), while first factor is LDAP and second factor Radius, based on Azure MFA. All is quite simple, and working fine, till the point, when customer request changed a bit and I had to configure the Netscaler that it takes email address from NS gateway logon portal username field and password. Then sends verification request to MFA (for 2nd factor) but email address should change to UPN instead - in Radius AVP request.


What I did and how I tried to achieve that is following:

- created LDAP authentication server and policy - all good - where I defined Attribute 1 as "userPrincipalName" - which I would like to send to Radius as user name

- created Radius server/policy, as secondary authentication, which points to LB VIP configured on Netscaler (that LB VIP is NS load balancer of Radius service - 2x MFA servers behind it)


And now the problem occurs, when I can't achieve to change the Radius request so the email address (as input from user on NS gateway logon portal) is replaced by UPN (taken from AD as LDAP attribute 1) in Radius request sends from NS to Radius. I tried to achieve that using Rewrite policy, which works fine, for some cases, when I tested, but does not work for email by UPN replacement.

That rewrite policy I applied on LB virtual server for Radius service.


I expected that something like that rewrite policy could do the job, but Netscaler returns error (invalid expression):

add rewrite action rwact_test_upn replace radius.req.user_name "radius.new_avp(1, HTTP.REQ.USER.ATTRIBUTE(1))"


That one below I could apply, not further expression error, but then on Radius side I did not see UPN in AVP request. I see there literally that string: "HTTP.REQ.USER.ATTRIBUTE(1)" of course 

add rewrite action rwact_test_upn replace radius.req.user_name "radius.new_avp(1, "HTTP.REQ.USER.ATTRIBUTE(1)")"


So the question is if you would know to advice how to change email address, which is written by the user in Netscaler portal, into UPN, which will be send to Radius for 2nd authentication (it does not need to be attirbute neither rewrite) ?



Link to comment
Share on other sites

We can achieve this with nfactor by binding no-auth policy.

Can you give us the exact format of UPN and Email address?

A packet capture snip will help us better

Something like this to convert test@abc.com to abc.com\test

>add loginschema second_factor_schema –authenticationSchema noschema –userexpression q{http.req.user.name.after_str("@") + "\\" + http.req.user.name.before_str("@")}




Link to comment
Share on other sites

Thanks for that reply, however I found that article you described and this is not really what I need. Even seemed to be helpful, but could not apply it. Either we are using Standard license, and scheme could be applied for at least Enterprise (if I'm not mistaken)


However, to provide you answer on:

"Can you give us the exact format of UPN and Email address? Something like this to convert test@abc.com to abc.com\test"



it is like the user uses his email address like test@abc.com to logon to Netscaler Gateway (ICA proxy) portal. Then the Netcaler authenticates him towards Active Directory and prompts for UPN, which is like test.user@domain.local (so totally different from email address). That UPN is configured as Attribute(1) in LDAP server on Netscaler. So the UPN is stored as Attribute(1) on Netscaler.

Then the Netscaler cascades the authentication and starts for 2nd authentication. Normally the Netscaler would send to Radius email address as it was entered from the user on logon page. But I need to send to Radius  that UPN (test.user@domain.local), stored in Attribute(1) which I got from LDAP query before.

Hopefully, cleared it a bit.


thanks for all advises.

Link to comment
Share on other sites

  • 3 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...