
nFactor and legacy gateway protocol authentication



Hello,

 

We configured our NetScaler 12.1 build 51.19 with nFactor authentication. It's working great for all web browsers and the newest Receiver.

But Citrix SSO and Citrix Workspace on iOS are not working with nFactor.

 

I found this kb article: https://support.citrix.com/article/CTX223386

But sorry, I don't understand it.

Do I also need a login schema for legacy clients?

 

For a first try I need a simple LDAP authentication. How can I configure this? Does someone know of better documentation?

Thanks for all help.


Try the following actions on the AAA vserver.

 

#1 - Login Schema (you can get more specific with the user-agent but test this first)

Create a login schema policy with the expression http.REQ.HEADER("User-Agent").CONTAINS("iOS")
To this policy bind a login schema profile with the schema "SingleAuth.XML"
Bind this policy on top of the other login schema policies (lowest priority number so it takes precedence)

 

#2 - Auth policy

Create an LDAP auth policy with the same expression as above and bind an LDAP action

Bind this policy on top of the other auth policies (with the lowest priority number so it takes precedence)


On 30.4.2019 at 3:32 AM, Siddhartha Sarmah said:

Try the following actions on the AAA vserver.

 

#1 - Login Schema (you can get more specific with the user-agent but test this first)

Create a login schema policy with the expression http.REQ.HEADER("User-Agent").CONTAINS("iOS")
To this policy bind a login schema profile with the schema "SingleAuth.XML"
Bind this policy on top of the other login schema policies (lowest priority number so it takes precedence)

 

#2 - Auth policy

Create an LDAP auth policy with the same expression as above and bind an LDAP action

Bind this policy on top of the other auth policies (with the lowest priority number so it takes precedence)

 

Thanks... that was too simple ;) It works great. I used the following expression as the policy expression for the login schema and also for the auth policy:

 

http.req.header("User-Agent").CONTAINS_ANY("ns_vpn_client_useragents")

 

OK, but what's next? I tried to do dual auth: username and password from LDAP and passcode from a RADIUS server.

I bound the "DualAuth" loginschema with the expression above to the vserver. 

 

Should I bind the LDAP authentication policy to the AAA vServer and a RADIUS label as the next factor?

 

Edit: It's working. It's too simple. I can't understand it...

 

Like written above, I bound the DualAuth.xml schema to the vServer with the expression above.

As the authentication policy I bound the RADIUS auth policy to the AAA vServer with the expression above and, as "next factor", a policy label I created with lschema_INT, to which I bound an LDAP policy with the expression above... and now it's working.

 

Edited by swendri179
fixed
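The configuration the two posts above describe, written out as an added NetScaler CLI example that is not from the thread and not a Citrix sample: the single-factor SingleAuth.xml setup from the first answer and the DualAuth.xml two-factor flow from the follow-up. The AAA vserver name AAA_vs, the server IPs, the LDAP base and bind DN, the angle-bracket placeholders and every policy, action and label name are assumptions. Unlike the working post, which bound RADIUS as the first factor, this binds LDAP first and RADIUS as the next factor: with DualAuth.xml the first factor consumes the first password field and the policy label's factor the second, so the user types the directory password first and the passcode second.

```nscli
# Added example configuration (not from the thread, not a Citrix sample).
# Assumptions: AAA vserver AAA_vs, LDAPS server 10.0.0.10, RADIUS server 10.0.0.20,
# directory example.com; <angle-bracket> values are placeholders to replace.

# --- Actions ---
# LDAPS (636/SSL) so the bind account and user passwords never leave the box in cleartext.
add authentication ldapAction ldap_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-netscaler,ou=service,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication radiusAction rad_act -serverIP 10.0.0.20 -serverPort 1812 -radKey "<shared-secret>"

# --- Login schemas ---
# DualAuth.xml: username plus two password fields on one form, shown to legacy clients only.
add authentication loginSchema lschema_dualauth -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
# noschema: the second factor shows no form and reads the second password field the
# client already sent. (The thread used the built-in lschema_INT for this role.)
add authentication loginSchema lschema_noschema -authenticationSchema noschema
# ns_vpn_client_useragents is the built-in pattern set of Receiver/Workspace/SSO user agents
# (the expression the thread settled on).
add authentication loginSchemaPolicy lschema_pol_legacy -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS_ANY(\"ns_vpn_client_useragents\")" -action lschema_dualauth

# --- Factor 1: LDAP against the first password field, legacy clients only ---
add authentication Policy ldap_pol_legacy -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS_ANY(\"ns_vpn_client_useragents\")" -action ldap_act

# --- Factor 2: RADIUS passcode against the second password field, reachable only via the label ---
add authentication Policy rad_pol_legacy -rule "true" -action rad_act
add authentication policylabel pl_rad_legacy -loginSchema lschema_noschema
bind authentication policylabel pl_rad_legacy -policyName rad_pol_legacy -priority 100 -gotoPriorityExpression NEXT

# --- Bindings: the lowest priority number is evaluated first, so 10 beats the browser policies ---
# END on the schema policy stops evaluation so a browser-oriented schema cannot also apply.
bind authentication vserver AAA_vs -policy lschema_pol_legacy -priority 10 -gotoPriorityExpression END
bind authentication vserver AAA_vs -policy ldap_pol_legacy -priority 10 -nextFactor pl_rad_legacy -gotoPriorityExpression NEXT

# Single-factor variant (the first answer): point the schema policy at SingleAuth.xml and
# bind ldap_pol_legacy without -nextFactor.
# add authentication loginSchema lschema_singleauth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
# bind authentication vserver AAA_vs -policy ldap_pol_legacy -priority 10 -gotoPriorityExpression NEXT

# Show what is bound and in which order after applying the above.
show authentication vserver AAA_vs
```

A request whose User-Agent does not match the pattern set skips both priority-10 bindings and falls through to whatever browser-oriented schema and policies are bound at higher priority numbers, which is why the legacy objects can be added without touching the existing nFactor flow.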

Hello,

 

Ah, it's not working perfectly. The first login in Workspace app for iOS is great. But if I log off and log on again, my first password must be the token and the second password the password.

 

Strange: if I remove my account from Workspace app for iOS and re-add the account, I can enter my password as the first password and the token as the second, as desired.

Bug? Or misconfiguration?

53 minutes ago, Caleb Edwards1709159693 said:

Please let us know if they figure it out!

 

Thanks!

So the call was done. They are not quite sure why; I think maybe this is connected to non-working login schemas. It would of course be helpful if more people opened a case for this. They now have ADC log files and will analyze them further ;-)


On 4/22/2020 at 7:46 AM, Hannes Peter Haumlusler said:

So the call was done. They are not quite sure why; I think maybe this is connected to non-working login schemas. It would of course be helpful if more people opened a case for this. They now have ADC log files and will analyze them further ;-)

Any luck as of yet?  I'm about to open a case if not.


3 minutes ago, Caleb Edwards1709159693 said:

Support found that the iOS device was getting a 403 Forbidden when trying to access /AGServices/discover.  They want a new packet capture after downgrading to 12.1 to compare that to.

Alright, my case was escalated to the ADC gateway team, still analyzing. Can you post your case number? My problem is that we can't downgrade, unfortunately. My case: #79687930

PS: I believe it's somehow a problem with "login schemas", but that's just my personal opinion, because on the iOS devices you no longer get the "SingleAuth" form as before...


Here's the latest from Citrix Support:

 

Quote

I have been checking further on additional resources and it seems there has been reports of issues between Workspace app 20.4.0 and the newest version of firmware: 13.0 52.24. We might need to involve higher level resources on this case, but please bear with me during the day in order to determine the last.

 

On 4/27/2020 at 2:50 PM, Caleb Edwards1709159693 said:

Case #79691577

 

I created the case with the Gateway team.  Hopefully this gets resolved soon!

The issue has been solved! There is a cookie missing between version 12.1 ADC and version 13 ADC which was set by a rewrite policy only for "iOS" devices.

 

Citrix Quote:

We have tested and confirmed that the below configuration works 

 

add rewrite action pw-count insert_http_header Set-Cookie "\"pwcount=0;Secure;HttpOnly;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\""
add rewrite policy pwcount "HTTP.REQ.HOSTNAME.EQ(\"GatewayFQDN\")&&HTTP.REQ.URL.CONTAINS(\"vpn/index.html\")&&HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"iOS\")" pw-count
bind rewrite global pwcount 100 END -type RES_OVERRIDE

 

GatewayFQDN = your Gateway URL

 

:-)

 

Hope that helps,

Cheers, H


On 5/12/2020 at 9:25 AM, Hannes Peter Haumlusler said:

The issue has been solved! There is a cookie missing between version 12.1 ADC and version 13 ADC which was set by a rewrite policy only for "iOS" devices.

 

Citrix Quote:

We have tested and confirmed that the below configuration works 

 

add rewrite action pw-count insert_http_header Set-Cookie "\"pwcount=0;Secure;HttpOnly;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT\""
add rewrite policy pwcount "HTTP.REQ.HOSTNAME.EQ(\"GatewayFQDN\")&&HTTP.REQ.URL.CONTAINS(\"vpn/index.html\")&&HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")&&HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"iOS\")" pw-count
bind rewrite global pwcount 100 END -type RES_OVERRIDE

 

GatewayFQDN = your Gateway URL

 

:-)

 

Hope that helps,

Cheers, H

 

Thanks for the update!  Support confirmed the workaround for us as well.  However, I see no reason for us to upgrade at this point.  I'll probably stay on 12.1 until a fix is included in 13.0.

 

Thanks!


It looks like the Workspace for iOS app has been updated to support nFactor Auth now!  We updated to 12.1_57.18 to patch the vulnerabilities found recently and it seemed to break our workaround just like 13.0.  Checked again this morning and I was able to go through nFactor on iOS.

 

ETA: Workspace for iOS v20.7.0 release notes state "V3 authentication protocol".

Edited by cedward222
Workspace for iOS release notes