Jump to content
Welcome to our new Citrix community!

nfactor setup cert+pin or LDAP+OTP or LDAP+RSA

Kitaab H

Recommended Posts

I have a requirement to setup this:


User opens the gateway website https://gw.domain.com


If the site detects Smartcard -- the website asks for smartcard PIN and user logs in

If smartcard is not detected Netscaler extracts group membership based on 2 groups CTXOTP group or RSATOKEN


If user member of CTXOTP --  Netscaler authenticates with LDAP+OTP  schema

If user member or RSATOKEN  -- Netscaler authenticates with LDAP+RSAToken schema


i found these and want some guidance with setting up my requirements 







Any help please


Link to comment
Share on other sites

This won't cover your exact scenario, but it may help you build pieces of  it for the user prompt and sorting by groups.  

This article is close to your scenario (to sort based on groups) and may be the easiest one for you to try and then adapt to your scenario (for the user group stuff).



Be sure your users are non-overlapping in your groups.

If you build this one first to sort based on groups (before you deal with smartcard), you then revise until you get the authentication policies and schemas you want. 

Then you can add in the smartcard criteria.


Also, a lot easier to troubleshoot if you make sure the individual flows work first before going to nfactor.  Start with  Smartcard+pin and the loginschema only, then verify the username prompt, followed by LDAP+OTP work, then finally the username prompt, followed by LDAP+RAdius.  Then you can work on putting it together.


Remember, for n-factor you need to identify both your authentication policies/conditions AND your interface bits (login schemas to present)



Pseudo-flow example: (Actual loginschemas/flow may need to be adjusted.)

1) smartcard (clientcert), prompt for smartcard + PIN  (schema1_smartcard)

2) ELSE do user prompt (so we can do group extraction)  (schema2_usernameonly)  # this part will be similar to the CTX220793 article

     2.1)  If member of group CTXOPT, do LDAP+OTP  (schema3_ldapotp)  # though username is already entered .... 

     2.2)  If member of group RSAToken, do LDAP+Radius (schema4_ldapradius)  # though username is already entered...



Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...