Authentication Profile - Authentication level


Brian Korrow

Setup:

I have a unified gateway that has two basic authentication policies: LDAP + RADIUS for two factor.

I also have an AAA that has only the LDAP policy.

I have two authentication profiles for the gateway and AAA, with authentication levels of 2 and 1 respectively.


Issue:

On a traffic-managed LB for an internal application I have the authentication set to the Unified gateway’s authentication profile for multi-factor authentication. SSO between the full Unified gateway Cvpn and this LB works perfectly. However, this application has embedded links that point to LB VIPs that are attached to the AAA authentication profile.

I would think that because you authenticated to the higher-level unified gateway you should SSO to the lower-level application without being prompted for AAA auth; however, that is not the case. I have to reauthenticate to the AAA for any embedded links.

I tried setting the authentication levels to equal, setting the authentication domain to the same domain, and putting the unified gateway behind an AAA for authentication. Nothing seems to work. I know I am overlooking something. Anybody encounter this before?


I don't think you can share SSO between Authentication vServers and VPN vServers (AAA to AAA and VPN to VPN however are fine). A workaround for you would be to recreate the Authentication vServer as a VPN vServer instead (I can't think of any technical drawbacks to it) and ensure the "Authentication domain" in both authnProfiles you use is the same.

You can try the above by temporarily creating a new VPN vServer and seeing if it shares SSO with your Unified Gateway VPN vServer.

Archived

This topic is now archived and is closed to further replies.
