
nFactor Authentication Flow - No active policy during authentication


Hello All, 


I would like to say that I am fairly new to NetScaler and still have a lot to learn. I am hoping someone can point me in the right direction with a problem I am experiencing with nFactor authentication.


NS Release 12.1

Citrix Gateway Virtual Server - Running and operational. I can successfully authenticate with the "Basic" legacy authentication using LDAP and/or RADIUS.


When I remove the basic authentication and apply my test authentication profile I am unable to authenticate. I have configured the profile to prompt for username only first, extract group membership and, based on group membership, either authenticate with LDAP or RADIUS. Unfortunately, after entering the username only on the first page I am not prompted for any further user/passwords.


The problem is after entering the username I receive the message "No active policy during authentication".


Viewing aaad.debug shows the ldap bind and group extractions.


If I view the policy label following group extraction I can see the number of "Hits" increase.  




I may be missing a piece of the jigsaw, but I am hoping someone can point me in the right direction!


Thank you.


You need to show the policies on the AAA vserver itself which gets you to the policy label, next factor.  And the gateway needs to be properly integrated with AAA.

If you remove the basic authentication policies from the vpn (classic engine), you then have to integrate with AAA authentication vserver, and have it configured with necessary authentication settings. 


The authentication profile should get you to the authentication vserver. It sounds like you have the policy label, but the authentication vserver doesn't have the initial policy login schema or first policy set up to begin nFactor, which then sends you to a policy label. Think of the authentication policy labels as your ability to create your own SECONDARY, TERTIARY, policy bind points. But a top-level policy on the vserver has to "start" and then send you to the next factor for that AND condition.


So, we would need to see more of your config.

show ns runningconfig | grep <vpn vserver> -i

show ns runningconfig | grep <authentication vserver> -i


Here's an example of a scenario that might show you all the dependencies to get what you want, though it is more than what you are trying to accomplish:




Thanks, I have located the issue.  As you say it was the login schema causing the problem.


The nFactor auth flows now work as expected except for Active Directory group memberships. I have found that I need to create AAA Users and AAA Groups locally on the NetScaler. The users are set to external, so I authenticate with LDAP. However, I was expecting the LDAP group extraction to occur, then based on the LDAP (Active Directory) group membership at that time the respective Policy Label would take effect as the Next Factor. However, I have to make group changes with the local NetScaler AAA Groups; any changes in the Active Directory groups seem to be ignored.


I'm sure the group extractions are occurring as aaad.debug shows the users and groups when logging in, but I think the "source" of authentication seems to be set locally on the NetScaler somewhere.


At the moment I can add users and groups to AAA Users/Groups and manage group membership on NetScaler but I was looking to manage the group membership in Active Directory.  Is this possible?


I can reproduce my users and groups in AAA Users/Groups but that means we have to make the same changes in AD & NetScaler to make it work.


After some investigation I thought the issue could be the Citrix Gateway\Global Settings\Change AAA Authentication Settings\ Default Authentication Type.  This was set to LOCAL, I have now changed to LDAP (and set the LDAP settings in "Change Authentication LDAP Settings") but the GW VS still needs the local AAA Users/Groups with membership to function.


Apologies if this is a basic question but I am fairly new with NetScaler and just trying to understand how things fit together.


To do LDAP group extraction on the NetScaler:

1) Create AAA group(s) on NS whose names exactly match the AD group name.   Normally, you do NOT need to create any AAA user accounts on the NetScaler nor put AAA users in the AAA groups, so you can rely on group extraction only. Then any policies you require are applied to vpn vserver OR to AAA group.


2) When configuring your LDAP authentication profile (action), you may be missing some settings. So you may want to share this part of your config.

The basic example would look like this: (example domain.com)

add authentication ldapaction auth_ldap_srv   -serverIP x.x.x.x -ldapBase "DC=domain,DC=com"   -ldapBindDN aduser@domain.com  -ldapBindDNPassword Password1 -ldaploginName sAMAccountName -groupAttrName memberOf -subAttributeName CN 


The important part is to configure the Group Attribute Name of "memberOf" to ensure the group membership list is returned. NOTE: the NS will not retrieve "Domain Users", but all other AD groups will be retrieved and you will then see this in /tmp/aaad.debug.


Then you manage usernames/passwords and user membership in groups in AD only; and just manage matching group names and any group level policies on the NetScaler.


So if group extraction isn't working, then you have an issue with your policy profile settings.


Also: NetScaler does not do nested group extraction by default. But it can be enabled in the GUI when editing the profile if needed.



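The two replies above describe the pieces separately (the AAA vserver with its login schema and a first-factor policy that hands off to a policy label; an LDAP action with memberOf/CN group extraction and local AAA groups named after the AD groups). The following is an added, end-to-end NetScaler 12.1 CLI example of the flow the original poster asked for, written for this page and not taken from any post in the thread: username-only first factor, LDAP group extraction with no password check, then a password prompt that is sent to LDAP or RADIUS depending on AD group. All names, IPs, the certkey name, the bind account and the group names GW-LDAP-Users / GW-RADIUS-Users are placeholders chosen for the example; the `#` lines are annotations and should be stripped before pasting into the CLI.

```nscli
# Example only (not from the thread). Placeholders: 10.0.0.10 (LDAP), 10.0.0.20 (RADIUS),
# domain.com, svc_ns, gw_cert, gw_vs, GW-LDAP-Users, GW-RADIUS-Users.

# --- Backend actions --------------------------------------------------------
# Factor 1 action: returns the user's memberOf list (CN only) without validating a
# password. Use LDAPS so the bind credentials are not sent in clear text.
add authentication ldapAction ldap_groups_only -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=domain,DC=com" -ldapBindDn "svc_ns@domain.com" -ldapBindDnPassword <bind-account-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -authentication DISABLED

# Factor 2 actions: the ones that actually verify the password.
add authentication ldapAction ldap_auth -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=domain,DC=com" -ldapBindDn "svc_ns@domain.com" -ldapBindDnPassword <bind-account-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN
add authentication radiusAction radius_auth -serverIP 10.0.0.20 -serverPort 1812 -radKey <radius-shared-secret>

# Local AAA groups whose names match the AD group names exactly. No local users
# are needed: membership is managed in AD and arrives via group extraction.
add aaa group GW-LDAP-Users
add aaa group GW-RADIUS-Users

# --- Advanced (not classic) authentication policies --------------------------
add authentication Policy pol_ldap_groups -rule true -action ldap_groups_only
add authentication Policy pol_radius_auth -rule "AAA.USER.IS_MEMBER_OF(\"GW-RADIUS-Users\")" -action radius_auth
add authentication Policy pol_ldap_auth -rule "AAA.USER.IS_MEMBER_OF(\"GW-LDAP-Users\")" -action ldap_auth

# --- Login schemas (built-in XML shipped on the appliance) -------------------
add authentication loginSchema ls_username_only -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyUsername.xml"
add authentication loginSchema ls_password_only -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication loginSchemaPolicy lsp_username_only -rule true -action ls_username_only

# --- Factor 2: password prompt, backend chosen by extracted group -------------
# RADIUS is evaluated first; a user in neither group falls off the end of the
# label and gets "No active policy during authentication".
add authentication policylabel pl_select_by_group -loginSchema ls_password_only
bind authentication policylabel pl_select_by_group -policyName pol_radius_auth -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel pl_select_by_group -policyName pol_ldap_auth -priority 110 -gotoPriorityExpression NEXT

# --- AAA vserver: this is what was missing in the thread ----------------------
# It needs (1) a login schema policy for the first page and (2) a first-factor
# policy bound directly to the vserver whose -nextFactor points at the label.
add authentication vserver aaa_vs_nfactor SSL 0.0.0.0
bind ssl vserver aaa_vs_nfactor -certkeyName gw_cert
bind authentication vserver aaa_vs_nfactor -policy lsp_username_only -priority 100 -gotoPriorityExpression END
bind authentication vserver aaa_vs_nfactor -policy pol_ldap_groups -priority 100 -nextFactor pl_select_by_group -gotoPriorityExpression NEXT

# --- Gateway vserver hands authentication to the AAA vserver ------------------
add authentication authnProfile authprof_nfactor -authnVsName aaa_vs_nfactor
set vpn vserver gw_vs -authnProfile authprof_nfactor
```

Two things to check after applying this. First, `show ns runningconfig | grep aaa_vs_nfactor -i` should list both binds on the AAA vserver; if only the login schema policy is there, the flow stops after the username page with exactly the error in the first post. Second, because factor 1 runs with `-authentication DISABLED`, the group lookup happens before any password is checked, so the username typed on the first page is trusted only for routing, never for access; the password is validated only by `ldap_auth` or `radius_auth` in factor 2. Nested AD groups are not returned by this configuration; if they are required, enable nested group extraction on the LDAP action (the reply above notes it is off by default).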
