Help with Netscaler Policies


Baumgartner AG

Hi folks

Maybe someone can give me a quick hint here on how to set this up the way I want it. I will try to explain as detailed as possible.

We have a running Netscaler Gateway (VM) Version 13.0. It has run fine for years, and after the first integration I didn't make many changes to it, so my knowledge about the gateway is very basic.

Right now we have the following settings configured:

Virtual Server with bound LDAP policy and a search filter, which points to one specific group in AD. All users in this group are able to log in via Netscaler with username and password.

Now we want to integrate a Radius server (Watchguard AuthPoint), but only for a few of the users.

I want to keep the present login method within this policy, and want to add an additional policy for another AD group, which should also enter a token to log in. The Radius server is already integrated into the Netscaler, but not set in any policy.

Here's how it should look:

If user is in AD group "aptokendisabled" -> then user has to log in with only username and password

If user is in AD group "aptokenenabled" -> then user has to log in with username, password and also with a token from the Radius server

Do I have to set up a second virtual server in Netscaler? Or is it possible to have different authentication methods in one server?

Thanks for any recommendation.

Regards, Cedy


If you switch to the advanced policy engine and nFactor authentication, you can do different authentication flows based on group membership. If you want to continue using the classic policies (which is not advised), you would need separate vservers to get the job done.

This article covers a basic scenario where GroupA does single factor and GroupB does two-factor:

https://support.citrix.com/article/CTX220793

Building the article scenario first and then adapting it to yours is probably the easiest way to figure out nFactor.

It uses the initial policy to take the username and do a group extraction without an authentication requirement, then based on your group presents you with a password-only or password/token login.

This should be what you are trying to do above.


34 minutes ago, Rhonda Rowland1709152125 said:

If you switch to the advanced policy engine and nFactor authentication, you can do different authentication flows based on group membership. If you want to continue using the classic policies (which is not advised), you would need separate vservers to get the job done.

This article covers a basic scenario where GroupA does single factor and GroupB does two-factor:

https://support.citrix.com/article/CTX220793

Building the article scenario first and then adapting it to yours is probably the easiest way to figure out nFactor.

It uses the initial policy to take the username and do a group extraction without an authentication requirement, then based on your group presents you with a password-only or password/token login.

This should be what you are trying to do above.

Thanks for this advice, this article looks exactly like what I need.

The problem is that after reading through this, I don't really know a lot more than before. I don't know how to set this up with my basic Netscaler knowledge; is there a possibility to do it with the GUI?

 

 


This is all done in the GUI, but you have to know a few extra things.

If you have a test Netscaler, you might want to dump into the CLI and then investigate the GUI.

You will need to look at some nFactor policy creation examples to get you started.

1) You will integrate the VPN vserver with an authentication vserver, which is under the Security node.

2) This needs you to construct advanced authentication policies that do the LDAP and the LDAP/Radius you are looking for, with your group criteria in the policy expression.

3) The part you wouldn't have really seen before is creating the advanced authentication policy labels which represent your different authentication flows. Each label gets assigned a login schema, which is the GUI interface to present to the user. You are using default schema elements that already exist, so you won't need to customize. You won't need those XML files in this example as you can refer to the default schemas.

4) You then bind the policies to the policy label and then indicate the next factor (which is the next policy label) to invoke.

Here are some examples working with nFactor authentication in the GUI, but it might be easiest to build this example in the CLI on a test VPX Netscaler, and then look at how all the parts fit together.

https://www.carlstalhood.com/nfactor-authentication-for-netscaler-gateway-12/#overview

https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/how-to-articles/configure-two-passwords-group-extraction.html - this one has some GUI screenshots as well

This one also has some GUI screenshots: https://support.citrix.com/article/CTX201742

Hopefully, these help in the short term.

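A worked NetScaler CLI configuration for the four steps in the reply above, added here as an illustration; it is not from the thread or the linked articles. The object names, server IPs, the LDAP bind account, the certificate name and the Gateway vserver name gw_vs are assumed placeholders; the two AD group names are the ones from the question.

```text
# 1) Non-addressable AAA vserver, attached to the existing Gateway vserver through an
#    authentication profile (names, IPs and secrets below are assumed placeholders)
add authentication vserver aaa_nfactor SSL
bind ssl vserver aaa_nfactor -certkeyName <gateway-cert>
add authentication authnProfile prof_nfactor -authnVsName aaa_nfactor
set vpn vserver gw_vs -authnProfile prof_nfactor

# 2) Actions. The first LDAP action has authentication DISABLED: it only reads memberOf with
#    the (read-only) bind account, nobody is authenticated at that factor. Use LDAPS (636).
add authentication ldapAction ldap_groups_only -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword "<bind-secret>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED
add authentication ldapAction ldap_auth -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ldap@example.com" -ldapBindDnPassword "<bind-secret>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication radiusAction radius_authpoint -serverIP 10.0.0.20 -serverPort 1812 -radKey "<radius-secret>"

#    Advanced policies; IS_MEMBER_OF only works because factor 1 already extracted the groups
add authentication Policy pol_extract_groups -rule true -action ldap_groups_only
add authentication Policy pol_ldap_token_user -rule "AAA.USER.IS_MEMBER_OF(\"aptokenenabled\")" -action ldap_auth
add authentication Policy pol_ldap_only_user -rule "AAA.USER.IS_MEMBER_OF(\"aptokendisabled\")" -action ldap_auth
add authentication Policy pol_radius_token -rule true -action radius_authpoint

# 3) Login schemas from the built-in XML files, and one policy label per factor.
#    The token factor reuses OnlyPassword.xml; copy and relabel it if the prompt should say "Token".
add authentication loginSchema ls_username -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyUsername.xml"
add authentication loginSchema ls_password -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication loginSchemaPolicy lsp_username -rule true -action ls_username
add authentication policylabel pl_password -loginSchema ls_password
add authentication policylabel pl_token -loginSchema ls_password

# 4) Bindings: factor 1 = username + group extraction, factor 2 = password with the branch
#    chosen by group, factor 3 = RADIUS token, reached only by members of aptokenenabled
bind authentication vserver aaa_nfactor -policy lsp_username -priority 100 -gotoPriorityExpression END
bind authentication vserver aaa_nfactor -policy pol_extract_groups -priority 100 -nextFactor pl_password -gotoPriorityExpression NEXT
bind authentication policylabel pl_password -policyName pol_ldap_token_user -priority 100 -nextFactor pl_token -gotoPriorityExpression NEXT
bind authentication policylabel pl_password -policyName pol_ldap_only_user -priority 110 -gotoPriorityExpression NEXT
bind authentication policylabel pl_token -policyName pol_radius_token -priority 100 -gotoPriorityExpression NEXT
# A user in neither group matches no policy in pl_password and is denied (fails closed);
# a user in both groups takes the token branch because its priority number is lower.
```

Check the result with "show authentication vserver aaa_nfactor" and the nFactor visualizer under Security in the GUI before pointing production users at it.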

Gateway-only licenses possibly don't have access to the AAA feature. You would need a NetScaler Ent/Plat (old terms) / Citrix ADC Adv/Prem to get AAA capabilities.

I don't think Standard includes it either.

See the feature matrix: https://www.citrix.com/content/dam/citrix/en_us/documents/data-sheet/citrix-adc-data-sheet.pdf

(found in the MDX platform data sheet on this page): https://www.citrix.com/products/citrix-adc/citrix-adc-data-sheet.html
