AlwaysOn (LDAP+CERT via TPM) with 2FA (LDAP+RSA) fallback for 2 user domain

Hi guys

I am lost. The more I look at my config, the more lost I get =) We are running the latest 11.1

At the moment I am just prepping the design, not troubleshooting actual behavior.


Here is what we have:

- 2 different domains

- 2 different DHCP subnets (1 for each domain)

- 1 RSA server VS for both domain users

- 2 different VPN host names (1 for each domain). I feel that it can be done with just one, but don't know how to

- not all clients have Netscaler agent installed (different OSes), so some access via the agent and some via the browser


What we want is:

1. If client passes preauthentication checks, they just get connected to the VPN

2. If preauth checks fail, clients are redirected to the page where they enter their RSA token


The issue I have with all this mess is that I am lost in so many variations. I am creating 4 parallel setups - 1 for Domain1 AlwaysOn, 1 for Domain1 authentication with RSA, 1 for Domain2 AlwaysOn, 1 for Domain2 authentication with RSA.


Can someone please help simplify this setup? Is it possible to just have one URL that clients from either of the 2 domains can access and, depending on which domain they belong to and whether preauthentication is successful, they are either allowed through or presented with the RSA authentication prompt?


Thank you.





5 hours ago, Carl Stalhood1709151912 said:

Have you tried nFactor? nFactor has EPA Action. If the EPA Action fails, then it can fall back to a RADIUS action. I think you need NetScaler 12 for EPA in nFactor.

Yeah, I think NS 12 was needed.

Any other ways you can suggest to simplify it? We use aaa groups, but I am just confused how it all hangs together.

Another major concern is the impact to our existing Citrix Gateway that runs on the same appliance.

I have cleaned up a separate setup for 2FA for other clients and will just add RSA as a secondary check for testing.

So my plan goes like this, can you please comment:

1. Create aaa groups for VPN allowed AD groups from each of the 2 domains + a VPN restricted that denies access

Question 1: We also run Citrix Gateway for XA/XD access on the same appliance. Are aaa groups global? Will my checks impact the clients in the existing gateway setup?

Like if my AD groups for VPN access defined in aaa groups are different from the Citrix Gateway AD groups, will CAG users be blocked? Or do I need to add another aaa group for CAG users as well, if different?

2. Create aaa pre auth checks (policy/actions)

    a. we check for TPM presence + OS version + domain suffix check for AlwaysON

    b. we check for domain suffix only to be used later for 2FA (with RSA) authentication

Question 2: Do preauth checks only apply if you have Netscaler agent installed? What happens if users access the URL from the browser without the agent/NS plugin?

Question 3: Will preauth check fail if no NS agent/plugin installed? If it does, can I setup a redirect to another website? How can this be done?

Question 4: If the client has the Citrix plugin, will preauth work?

Note: What I am trying to achieve here is to check if the user has a TPM and is running WIN10, as well as being a member of the allowed domains. If preauth checks fail, I want the user to be redirected to the Citrix Access Gateway, which is already set up on a different URL.

3. Create alwaysONprofile

4. Create session profiles that use AlwaysOnprofile

    a. Session profile for domain1 

    b. Session profile for domain2 

5. Create session policies that use the above profiles

    a. Session profile for domain1 

    b. Session profile for domain2 

6. Create LDAP auth policies and actions for domain1 and domain2 with a group membership check

7. Create VPN vservers for each domain

8. Bind SSL certs to each with CA check

9. Assign intranet IP addresses to each vserver

10. Create/bind portal themes for each domain/vserver

11. Bind preauthentication, authentication (LDAP and RSA as secondary) and session policies

Question 5: Now, I do not know if I need to create/bind intranetApplication to the above vpn vservers. What is the purpose of it? Is that if split tunneling is used?

My vpn sessionAction is configured as "-splitTunnel OFF". How would this command behave in this situation?

add vpn intranetApplication Intra_app_pol_vpnstaff ANY -netmask -destPort 1-65535 -interception TRANSPARENT

bind vpn vserver vs_sg_vpnstaff -intranetApplication Intra_app_pol_vpnstaff
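As an added, constructed example (not from this thread, and not Citrix's or Carl's own configuration), here is the nFactor layout the quoted reply describes: an EPA factor that, when the scan passes, continues to an LDAP-only factor, and when it fails, falls through to LDAP followed by a RADIUS (RSA) factor. Every object name, IP address, domain name, bind account and the EPA scan expression is a placeholder. It assumes, as the reply says, a NetScaler build with EPA support in nFactor (12.0 or later), and that a failed EPA policy bound with -gotoPriorityExpression NEXT falls through to the next bound policy in the same factor; the quarantine-group approach (-quarantineGroup on the epaAction, then a group-membership test in the next factor) is the alternative if that fall-through does not behave as expected on your build.

```text
# Constructed example: nFactor with EPA, LDAP-only on pass, LDAP + RADIUS on fail.
# Placeholders: 10.0.0.10 / 10.0.0.11 (domain controllers), 10.0.0.20 (RSA RADIUS),
# domain1.local / domain2.local, svc_netscaler, <password>, <shared secret>, <EPA expr>.

# --- Actions ---------------------------------------------------------------
add authentication epaAction epa_act_tpm_win10 -csecexpr "sys.client_expr(\"<EPA scan expression built in the EPA expression editor>\")"

# One LDAP action per domain; the searchFilter restricts logon to the VPN AD group.
add authentication ldapAction ldap_act_domain1 -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=domain1,dc=local" -ldapBindDn "svc_netscaler@domain1.local" -ldapBindDnPassword "<password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -searchFilter "memberOf=cn=Allow-Access-VPN,ou=Groups,dc=domain1,dc=local"
add authentication ldapAction ldap_act_domain2 -serverIP 10.0.0.11 -serverPort 636 -secType SSL -ldapBase "dc=domain2,dc=local" -ldapBindDn "svc_netscaler@domain2.local" -ldapBindDnPassword "<password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -searchFilter "memberOf=cn=Allow-Access-VPN,ou=Groups,dc=domain2,dc=local"

# Single RSA RADIUS server serves users from both domains (as in the original post).
add authentication radiusAction radius_act_rsa -serverIP 10.0.0.20 -serverPort 1812 -radKey "<shared secret>"

# --- Policies (advanced policy syntax) --------------------------------------
add authentication Policy epa_pol_tmp_win10 -rule true -action epa_act_tpm_win10
# Catch-all that is reached only when the EPA policy above did not succeed.
add authentication Policy pol_epa_fallthrough -rule true -action NO_AUTHN
add authentication Policy ldap_pol_domain1 -rule true -action ldap_act_domain1
add authentication Policy ldap_pol_domain2 -rule true -action ldap_act_domain2
add authentication Policy radius_pol_rsa -rule true -action radius_act_rsa

# --- Login schemas -----------------------------------------------------------
# Username + password form for the LDAP factor; password-only form for the RSA passcode.
add authentication loginSchema lschema_single -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication loginSchema lschema_passcode -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
# No form at all for the first (EPA) factor.
add authentication loginSchemaPolicy lschema_pol_noschema -rule true -action LSCHEMA_INT

# --- Factor labels -----------------------------------------------------------
# Branch A: EPA passed -> LDAP only (domain1 first, then domain2 if that fails).
add authentication policylabel plabel_ldap_only -loginSchema lschema_single
bind authentication policylabel plabel_ldap_only -policyName ldap_pol_domain1 -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel plabel_ldap_only -policyName ldap_pol_domain2 -priority 110 -gotoPriorityExpression END

# Branch B: EPA failed -> LDAP, then RSA passcode as a mandatory second factor.
add authentication policylabel plabel_rsa -loginSchema lschema_passcode
bind authentication policylabel plabel_rsa -policyName radius_pol_rsa -priority 100 -gotoPriorityExpression END

add authentication policylabel plabel_ldap_then_rsa -loginSchema lschema_single
bind authentication policylabel plabel_ldap_then_rsa -policyName ldap_pol_domain1 -priority 100 -gotoPriorityExpression NEXT -nextFactor plabel_rsa
bind authentication policylabel plabel_ldap_then_rsa -policyName ldap_pol_domain2 -priority 110 -gotoPriorityExpression END -nextFactor plabel_rsa

# --- AAA vserver (non-addressable) and first factor --------------------------
add authentication vserver aaa_vs_vpn SSL 0.0.0.0
bind authentication vserver aaa_vs_vpn -policy lschema_pol_noschema -priority 100 -gotoPriorityExpression END
# Priority 100: EPA scan; on success go to branch A. On failure, NEXT evaluates priority 110.
bind authentication vserver aaa_vs_vpn -policy epa_pol_tmp_win10 -priority 100 -gotoPriorityExpression NEXT -nextFactor plabel_ldap_only
# Priority 110: always true; reached only after an EPA failure, so it routes to branch B.
bind authentication vserver aaa_vs_vpn -policy pol_epa_fallthrough -priority 110 -gotoPriorityExpression END -nextFactor plabel_ldap_then_rsa

# --- Hook the single Gateway vserver to the AAA vserver ----------------------
add authentication authnProfile authprof_vpn -authnVsName aaa_vs_vpn
set vpn vserver vs_sg_vpnstaff -authnProfile authprof_vpn
```

Because the domain choice happens inside the LDAP factor (domain1 is tried first, domain2 on failure), one Gateway URL serves both domains, which is what the original post asks for. The fall-through path never relaxes to a single factor: a device that fails the posture scan must still present the RSA passcode, and both branches keep the group-membership filter on the LDAP action, so the existing Citrix Gateway vserver on the same appliance is untouched by this AAA vserver.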




AAA Groups are global. But you can configure a Gateway vServer to override AAA by binding policies with lower priority number than the policies bound to the AAA groups.


Preauth requires the EPA plugin. If not installed, then preauth will fail and users can't login. You can instead configure postauth EPA in Session Policy or AAA nFactor.


EPA plugin is downloaded by the user from the Gateway logon page.


I don't think redirect will work with EPA. In that case, you would need a Responder policy with an EPA expression and I don't think that's supported. But you can use EPA expressions in Session Policies that enable VPN instead of ICA Proxy.


Intranet Applications are only needed for Split Tunnel.



Sorry, I did not understand the aaa options.

If I have this aaa related, will it have any effect on the existing CAG setup?


add aaa group "domain1\\Allow-Access-VPN"
add aaa group "domain2\\Allow-Access-VPN"
add aaa group VPN_Restricted
add authorization policy authoriz_pol_vpn_allow "REQ.IP.DESTIP == -netmask" ALLOW
add authorization policy authoriz_pol_vpn_deny "REQ.IP.DESTIP == -netmask" DENY


bind aaa group "domain1\\Allow-Access-VPN" -policy authoriz_pol_vpn_allow -priority 10
bind aaa group "domain2\\Allow-Access-VPN" -policy authoriz_pol_vpn_allow -priority 10

bind aaa group VPN_Restricted -policy authoriz_pol_vpn_deny -priority 1


On the CAG vServer I only have LDAP/RSA basic policies plus session, cache and rewrite policies.



  • 4 months later...

Our security did not approve the solution and still require another factor.

I was thinking of limiting external connection MAC addresses, so that users are only allowed to log in if coming from their tethered mobiles or 4G cards.

Is it possible to create an authorization policy that only allows specific MACs, where the MAC to match is looked up from an AD attribute based on the client's username (from the Windows session)?

Will 12.1 and nFactor allow me to do that?

Ultimately we want the following scenarios on the same Netscaler:

- Citrix access gateway for XenDesktop traffic

- VPN scenario 1: EPA check + MAC check via AD attribute matching + LDAP authorization = AlwaysOn VPN initiated without user interaction 

- VPN scenario 2: EPA check + MAC check via AD attribute matching FAILS = user is redirected to another gateway virtual server for authenticating with RSA token

Is it possible to achieve this?
