Clovis Brullemans1709161016
Posted June 3, 2019

Hi everyone,

We want to implement multiple EPA policies when end-users are logging in to our external Gateway/AAA vServer. We have to run multiple EPA scans depending on whether the required conditions are met or not. Based on which EPA is successful, end-users are prompted with a specific authentication/login schema. See the diagram.

We are building the service but it's not working. Overall, if we have a success (i.e. compliant anti-virus), the LDAP policy + login schema is hit. If we have a failure, all the EPAs are skipped and the Quarantine group and last policy are hit. We tried several configurations to make it work but we always end up with the same behavior.

My first question: Is this configuration (multiple EPAs and success groups) supported on the NetScaler?

Second question: If it's supported, how should it be configured?

Thank you for your help.

Siddhartha Sarmah
Posted June 9, 2019

Have you tried binding each EPA policy with the appropriate next factor directly to the AAA vserver with gotoPriorityExpression NEXT?

All EPA policy actions should have the defaultgroup set, and the groups should be bound with appropriate session policies. The last EPA policy action should have the quarantine-group also set.

Clovis Brullemans1709161016 (Author)
Posted July 24, 2019

Hi Siddhartha,

Found a working solution with Citrix support. Binding all EPA policies at the "start of AAA process" works (in our case). This means the EPA policies (3 in our case) are bound at the AAA vserver and each EPA is bound with an nFactor policy label holding the authentication policies and login schema (corresponding to a connection scenario: 1 factor, 2 factor, etc.).

The policy label is processed if the end-user is in the EPA success group. If the end-user is not, the logic goes to the next EPA factor. If the end-user fails all EPA policies, the end-user ends up in the quarantine group of the last EPA policy.
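
The layout described in the thread, sketched as NetScaler CLI. This is an added example, not configuration posted by either participant or supplied by Citrix support. Every object name (aaa_vs, epa_*, pl_*, ls_*, grp_*, ldap_pol, radius_pol) is hypothetical, the `<...>` scan expressions are placeholders, and the AAA vserver and the LDAP/RADIUS policies are assumed to exist already.

```netscaler
# Constructed example: all names are hypothetical, <...> values are placeholders.

# One EPA action per scan. Each sets its own success group.
add authentication epaAction epa_act_1 -csecexpr "<EPA_SCAN_EXPRESSION_1>" -defaultEPAGroup grp_epa1
add authentication epaAction epa_act_2 -csecexpr "<EPA_SCAN_EXPRESSION_2>" -defaultEPAGroup grp_epa2
# Only the last EPA action also carries the quarantine group.
add authentication epaAction epa_act_3 -csecexpr "<EPA_SCAN_EXPRESSION_3>" -defaultEPAGroup grp_epa3 -quarantineGroup grp_quarantine

add authentication Policy epa_pol_1 -rule true -action epa_act_1
add authentication Policy epa_pol_2 -rule true -action epa_act_2
add authentication Policy epa_pol_3 -rule true -action epa_act_3

# One login schema and policy label per connection scenario.
add authentication loginSchema ls_single -authenticationSchema "LoginSchema/SingleAuth.xml"
add authentication loginSchema ls_dual -authenticationSchema "LoginSchema/DualAuth.xml"
add authentication loginSchema ls_none -authenticationSchema noschema

add authentication policylabel pl_epa1 -loginSchema ls_single
add authentication policylabel pl_epa2 -loginSchema ls_dual
add authentication policylabel pl_epa3 -loginSchema ls_dual
add authentication policylabel pl_second_factor -loginSchema ls_none

# Scenario 1: LDAP only.
bind authentication policylabel pl_epa1 -policyName ldap_pol -priority 100 -gotoPriorityExpression END
# Scenarios 2 and 3: LDAP, then RADIUS using the second field of the dual schema.
bind authentication policylabel pl_epa2 -policyName ldap_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor pl_second_factor
bind authentication policylabel pl_epa3 -policyName ldap_pol -priority 100 -gotoPriorityExpression NEXT -nextFactor pl_second_factor
bind authentication policylabel pl_second_factor -policyName radius_pol -priority 100 -gotoPriorityExpression END

# All three EPA policies sit in the first factor of the AAA vserver.
# A passing scan moves to that policy's label; a failing scan falls
# through to the next priority on the vserver.
bind authentication vserver aaa_vs -policy epa_pol_1 -priority 100 -nextFactor pl_epa1 -gotoPriorityExpression NEXT
bind authentication vserver aaa_vs -policy epa_pol_2 -priority 110 -nextFactor pl_epa2 -gotoPriorityExpression NEXT
bind authentication vserver aaa_vs -policy epa_pol_3 -priority 120 -nextFactor pl_epa3 -gotoPriorityExpression NEXT
```

The EPA groups, including the quarantine group, still need matching AAA groups with session policies bound to them, as the June 9 reply notes, so that a quarantined client receives only the restricted session profile.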
Archived
This topic is now archived and is closed to further replies.