Citrix Gateway Two-factor authentication using LDAP and User certificate



For a gateway with classic policies:

Create a client cert authentication policy. In the client cert profile, enable Two Factor Authentication: ON and then identify the user name format as userPrincipalName or other cert criteria.

Bind the client cert policy to your VPN vserver at a HIGHER priority than your LDAP policy (so client cert: priority 100 and LDAP at priority 200, for example).

Update your LDAP policy if needed to go from SubjectAlternateName to UserPrincipalName if UPN will be used in the client cert format.

Under the VPN vserver's SSL parameters (or configure an SSL Profile instead), set client certificate authentication to MANDATORY (if always required).

 

And ensure the Root Cert is also bound to the VPN vserver as a Root Cert so the gateway will trust the issuer of the client certs, in addition to its own server cert, which confirms its identity to clients.

 

To switch to ADVANCED policies, you would have to integrate the gateway with an AAA vserver. Change your LDAP and client cert policies to the advanced policy engine (profiles stay the same, except in the ways noted above). Bind the CLIENTCERT policy to the AAA vserver's ADVANCED bind point at priority 100 and the LDAP policy at priority 200. Choose one of the built-in login schemas for password only (I think) and set it as default on the AAA vserver. Then integrate the gateway with AAA authentication. Be sure BOTH the AAA vserver and the VPN vserver are set up to process client cert authentication via SSL Parameters OR an SSL Profile, and that both have the root cert bound.

 

I don't think you will need a policy label/next factor config here, but in case you do, the below examples may help.

 

You can see an example of the client cert + password requirement as part of this nFactor example. You will only need part of the config, as this is part of a more complicated nFactor/multi-conditional flow, but it's well documented here. While your scenario isn't as complex as either of these, it may help you to understand the config to mock up either and then just reduce it down to the simplest scenario you require.

https://support.citrix.com/article/CTX201742 (the first article uses some custom schemas, but they are included as downloads in the article; you should be able to use built-ins without a custom import.)

https://support.citrix.com/article/CTX220793

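The NetScaler CLI equivalent of the steps in the post above, as an added example that is not part of the original post or of Citrix's documentation. It covers the classic-policy setup (cert policy ahead of LDAP on the VPN vserver, issuer CA bound, client cert mandatory) and then an advanced-policy (nFactor) variant. For the advanced variant it uses the explicit next-factor/policy-label form that the linked CTX articles use, which the post mentions as the fallback if the flat cascade is not enough; whether the flat cascade alone also works with Two Factor ON under the advanced engine is left for you to test. All vserver, certkey, action and policy names, the LDAP server address, base DN and bind account are placeholders and assumptions.

```nscli
# Added example: NetScaler CLI for client cert + LDAP two-factor on a gateway.
# Names, IPs, DNs and the bind password are placeholders; adjust to your environment.

# --- Shared actions (the profiles are the same for classic and advanced) ---
# twoFactor ON tells the classic engine to keep going to the next policy (LDAP)
# for a password after the cert is validated. The user name is taken from the
# SAN UPN so that it matches the LDAP login name attribute set below.
add authentication certAction cert_act -twoFactor ON -userNameField "SubjectAltName:PrincipalName"

# LDAP login name must match what the cert action extracts (UPN here).
# If your certs carry the user in Subject:CN instead, change both sides together.
add authentication ldapAction ldap_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-ns,ou=service,dc=example,dc=com" -ldapBindDnPassword "<bind-password>" -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute sAMAccountName

# --- Classic policies bound to the VPN vserver ---
add authentication certPolicy cert_pol ns_true cert_act
add authentication ldapPolicy ldap_pol ns_true ldap_act
# Lower number = evaluated first, so the cert policy goes at 100 and LDAP at 200.
bind vpn vserver gw_vs -policy cert_pol -priority 100
bind vpn vserver gw_vs -policy ldap_pol -priority 200
# Optional third factor discussed later in this thread: RADIUS in the secondary bank.
# bind vpn vserver gw_vs -policy radius_pol -priority 10 -secondary

# --- TLS on the VPN vserver: its own server cert, the client cert issuer as CA,
# --- and client certificate authentication required.
bind ssl vserver gw_vs -certkeyName gw_server_cert
bind ssl vserver gw_vs -certkeyName client_issuing_ca -CA
# Mandatory: no login at all without a cert plus password.
# Optional: either cert + LDAP password, or LDAP username/password only.
set ssl vserver gw_vs -clientAuth ENABLED -clientCert Mandatory

# --- Advanced (nFactor) variant: AAA vserver in front of the gateway ---
# The AAA vserver must process client certs too, with the same CA bound.
add authentication vserver aaa_vs SSL 0.0.0.0
bind ssl vserver aaa_vs -certkeyName gw_server_cert
bind ssl vserver aaa_vs -certkeyName client_issuing_ca -CA
set ssl vserver aaa_vs -clientAuth ENABLED -clientCert Mandatory

add authentication Policy cert_adv_pol -rule true -action cert_act
add authentication Policy ldap_adv_pol -rule true -action ldap_act

# Built-in login schemas: noschema for the cert factor (nothing to type),
# OnlyPassword for the LDAP factor (the user name is already known from the cert).
add authentication loginSchema ls_noschema -authenticationSchema noschema
add authentication loginSchemaPolicy ls_noschema_pol -rule true -action ls_noschema
bind authentication vserver aaa_vs -policy ls_noschema_pol -priority 100 -gotoPriorityExpression END

add authentication loginSchema ls_pw -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel ldap_pw_label -loginSchema ls_pw
bind authentication policylabel ldap_pw_label -policyName ldap_adv_pol -priority 100 -gotoPriorityExpression NEXT

# Cert is factor 1; on success, move to the LDAP password factor.
bind authentication vserver aaa_vs -policy cert_adv_pol -priority 100 -nextFactor ldap_pw_label -gotoPriorityExpression NEXT

# Hand the gateway's authentication over to the AAA vserver.
add authentication authnProfile aaa_prof -authnVsName aaa_vs
set vpn vserver gw_vs -authnProfile aaa_prof
```

The two things worth checking after applying this are that the value the cert action extracts (SAN UPN here) is exactly what the LDAP action looks up (`-ldapLoginName userPrincipalName`), and that a browser without a client certificate is refused at the TLS layer when `-clientCert Mandatory` is set on both vservers; if you only meant to offer cert as an alternative to a plain LDAP login, use `Optional` instead, as the later replies in the thread describe.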

 

2 hours ago, Rhonda Rowland1709152125 said:

Create a client cert authentication policy. IN the client cert profile, enable Two Factor Authentication:ON and then identify the user format as userPrincipalName or other cert criteria.

Bind the client cert policy to your vpn vserver at a HIGHER priority than your LDAP policy (so client cert: priority 100 and LDAP at priority 200, for example).

 

Rhonda, I didn't get your 1st solution. You bind both authentication methods 1st? I'd rather bind the certificate-based authentication 1st, LDAP 2nd?

 

By the way, you may bind 2 LDAP policies, pointing to the same AD, one using UPN, one using SamAccountName


With 2FA on in the client cert profile, it requires the "next" policy to be processed as well.

This is how the classic engine's simple three-factor works: pol1_clientcert bound primary:10, pol2_ldap bound primary:20, then pol3_radius bound in the secondary bank. (Basically, the only simple 3-factor the classic engine can handle.) The same thing works if you just need cert + password. And we don't need a second credential field generated.

 

The client cert + LDAP with 2FA required requires a password to be presented. It still leaves room to add RADIUS down the road.

It's an override to the assumed classic engine behavior.


NOPE - if you have client cert required, there is no way to log in without the client cert + password.

If you have client cert optional, then yes, it's either client cert + LDAP OR LDAP username/password only. Again, it's kind of a special use case in the classic engine; in class I describe it (with RADIUS in the secondary bind point) as limited 3-factor, and it is the fanciest that the classic engine can get. Just leave off the RADIUS, and you have a required cert + LDAP config.

 

But this is the "standard" config for client cert + LDAP validation in the classic engine.
