Multiple EPA policies in nFactor
Hi everyone,

 

We want to implement multiple EPA policies when end-users are logging in to our external Gateway/AAA vServer. We have to achieve multiple EPA scans based on whether the required conditions are met or not. Based on which EPA is successful, end-users are prompted with a specific authentication/login scheme.

 

See the diagram.

 

[Image: EPA and nFactor diagram]

 

We are building the service but it's not working. Overall, if we have a success (i.e. compliant anti-virus), the LDAP policy + login schema is hit. If we have a failure, all the EPAs are skipped and the Quarantine group and last policy are hit.

 

We tried several configurations to make it work but we always end up with the same behavior.

 

My first question: Is this configuration (multiple EPAs and success groups) supported on the NetScaler?

Second question: If it's supported, how should it be configured?

 

Thank you for your help.


Have you tried binding each EPA policy with the appropriate next factor directly to the AAA vserver, with gotoPriorityExpression NEXT?

 

All EPA policy actions should have the defaultgroup set and the groups should be bound with appropriate session policies. The last EPA policy action should have the quarantine-group also set.

 


  • 1 month later...

Hi Siddharthas,

 

Found a working solution with Citrix support.

 

Binding all EPA policies at the "start of AAA process" works (in our case). This means the EPA policies (3 in our case) are bound at the AAA vserver and each EPA is bound with an nFactor policy label holding the authentication policies and login schema (corresponding to a connection scenario - 1 factor, 2 factor, etc.). The policy label is processed if the end-user is in the EPA success group. If the end-user is not, the logic goes to the next EPA factor. If the end-user fails all EPA policies, the end-user ends up in the quarantine group of the last EPA policy.
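The layout described in the last post, sketched as NetScaler CLI. This is an added example, not the poster's or Citrix support's actual configuration. All object names are hypothetical, the `<...>` scan expressions are placeholders, the choice of login schema file per label is an assumption, and the AAA vserver `aaa_vs` and LDAP policy `pol_ldap` are assumed to exist already.

```text
# Hypothetical object names; <...> values are placeholders to fill in.
# Assumes AAA vserver aaa_vs and authentication policy pol_ldap already exist.

# One EPA action per scan. A passing scan places the user in that action's group.
add authentication epaAction epa_act_1 -csecexpr "<EPA scan expression 1>" -defaultEPAGroup grp_epa_1
add authentication epaAction epa_act_2 -csecexpr "<EPA scan expression 2>" -defaultEPAGroup grp_epa_2
# Only the last EPA action also sets a quarantine group.
add authentication epaAction epa_act_3 -csecexpr "<EPA scan expression 3>" -defaultEPAGroup grp_epa_3 -quarantineGroup grp_quarantine

add authentication Policy pol_epa_1 -rule true -action epa_act_1
add authentication Policy pol_epa_2 -rule true -action epa_act_2
add authentication Policy pol_epa_3 -rule true -action epa_act_3

# One policy label per connection scenario, each with its own login schema
# (schema file per label is an assumption made for this sketch).
add authentication loginSchema ls_1 -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication loginSchema ls_2 -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication policylabel pl_scenario_1 -loginSchema ls_1
add authentication policylabel pl_scenario_2 -loginSchema ls_2
add authentication policylabel pl_scenario_3 -loginSchema ls_1

# Authentication policies inside each label. Further factors for a scenario
# would be chained from these bindings with -nextFactor.
bind authentication policylabel pl_scenario_1 -policyName pol_ldap -priority 100 -gotoPriorityExpression END
bind authentication policylabel pl_scenario_2 -policyName pol_ldap -priority 100 -gotoPriorityExpression END
bind authentication policylabel pl_scenario_3 -policyName pol_ldap -priority 100 -gotoPriorityExpression END

# All three EPA policies sit in the first factor of the AAA vserver.
# Each one names its own label as next factor; NEXT lets evaluation continue
# with the following EPA policy when the current one does not succeed.
bind authentication vserver aaa_vs -policy pol_epa_1 -priority 100 -nextFactor pl_scenario_1 -gotoPriorityExpression NEXT
bind authentication vserver aaa_vs -policy pol_epa_2 -priority 110 -nextFactor pl_scenario_2 -gotoPriorityExpression NEXT
bind authentication vserver aaa_vs -policy pol_epa_3 -priority 120 -nextFactor pl_scenario_3 -gotoPriorityExpression NEXT
```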