
Authentication LDAP Server, deny logon if users are members of a specific group




I'm using NetScaler Gateway and am using LDAP in Primary Authentication.


I want to create a configuration that detects and denies logon if a user is a member of a specific group.

The configuration will allow access for all other groups until the user becomes a member of a specific group, i.e. "netscaler-deny-access".


How would I go about to create such a configuration?

any links? examples? AAA?


Kind Regards.


Carl's right. But there are lots of ways to do this.

1) Change the authentication profile to include a filter criteria that looks for the "not in group" that Carl gave you.  This will actually prevent the members of the target group from completing login.

2) OR you can work with regular Authorization policies and define the group names on the ADC same as the group names in AD and then bind authorization policies that say DENY to the excluded groups (at a higher importance) than any other policies, and have other policies bound at the group or vserver level (for this use a session policy to make allow/deny decisions) that are set to allow.  Remember priority 10 is more important than 100 (depending on whether you are still using classic or advanced engine policies will affect if you have any other considerations).

This would allow the users to complete login, but they would be denied authorization rights to access the resource.


3) Other variants would be to have a default deny policy, and then use the session policy to set allow behavior with an expression of !http.req.user.is_member_of ("<groupname>")  (the actual expression may be slightly off as I'm doing it from memory.) This will also process in the authorization phase post login. 
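The following Python model illustrates the first two approaches above. It is an added example, not NetScaler code or anything posted in this thread: it parses a small subset of LDAP filter syntax (equality, `&`, `|`, `!`) and applies an exclusion filter of the form `!(memberOf=<group DN>)` to constructed user entries, then evaluates authorization policies in priority order where the lowest priority number wins. The user entries, the group DN under `OU=Groups,DC=example,DC=com`, and the assumption that NetScaler combines the login-name match with the search filter as `(&(sAMAccountName=<user>)(<searchFilter>))` are all assumptions made for the example.

```python
"""Model of (1) an LDAP search filter that excludes a group and (2) priority-ordered
authorization policies. Added example; not the NetScaler implementation."""

# Constructed directory data: two users, bob is in the deny group (assumption).
DENY_GROUP_DN = "CN=netscaler-deny-access,OU=Groups,DC=example,DC=com"
VPN_GROUP_DN = "CN=vpn-users,OU=Groups,DC=example,DC=com"
USERS = {
    "alice": {"sAMAccountName": "alice", "memberOf": [VPN_GROUP_DN]},
    "bob": {"sAMAccountName": "bob", "memberOf": [VPN_GROUP_DN, DENY_GROUP_DN]},
}

# The searchFilter value a NetScaler admin would set for the "not in group" case.
DENY_FILTER = f"!(memberOf={DENY_GROUP_DN})"


def parse_filter(s, pos=0):
    """Parse an RFC 4515-style filter subset into a tree; returns (node, next_pos).
    Nodes are ("=", attr, value) or (op, [children]) with op in '&', '|', '!'."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos} in {s!r}")
    pos += 1
    if s[pos] in "&|!":
        op = s[pos]
        pos += 1
        children = []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at {pos} in {s!r}")
        return (op, children), pos + 1
    end = s.index(")", pos)
    attr, value = s[pos:end].split("=", 1)  # DN values contain '=', so split once
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against a directory entry (dict of attribute -> value(s))."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        vals = entry.get(attr, [])
        if isinstance(vals, str):
            vals = [vals]
        return any(v.lower() == value.lower() for v in vals)  # DNs compare case-insensitively
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)  # '!'


def ldap_logon_allowed(username, search_filter, login_attr="sAMAccountName"):
    """Approach 1: login succeeds only if the user's entry matches the login-name
    match AND-ed with the searchFilter (combined form is an assumption of this model)."""
    entry = USERS.get(username)
    if entry is None:
        return False
    combined = f"(&({login_attr}={username})({search_filter}))"
    node, _ = parse_filter(combined)
    return matches(node, entry)


def group_names(username):
    """Group CNs extracted from memberOf, as NetScaler does with -subAttributeName cn."""
    return {dn.split(",")[0].split("=", 1)[1].lower() for dn in USERS[username]["memberOf"]}


# Approach 2: (priority, rule, action). Rules mirror HTTP.REQ.USER.IS_MEMBER_OF("<cn>").
POLICIES = [
    (100, lambda groups: True, "ALLOW"),                              # catch-all allow
    (10, lambda groups: "netscaler-deny-access" in groups, "DENY"),   # more important
]


def authorize(username, policies):
    """Lowest priority number is evaluated first; first matching rule decides.
    No match falls through to DENY (default-deny assumed for the model)."""
    groups = group_names(username)
    for _, rule, action in sorted(policies, key=lambda p: p[0]):
        if rule(groups):
            return action
    return "DENY"


if __name__ == "__main__":
    for user in USERS:
        print(user, "ldap logon:", ldap_logon_allowed(user, DENY_FILTER),
              "authz:", authorize(user, POLICIES))
```

Swapping the two priorities in `POLICIES` shows why the thread stresses importance: with the allow-all policy at 10, the deny policy at 100 is never reached and bob is authorized.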


Thanks for the details, very helpful.


Is it possible to configure a "default" deny as part of an nFactor authentication flow?  I have an Authentication Policy Label configured as follows:


Priority: 99
Policy Name: LDAP
Goto Expression: Next
Next Factor: Ldap Auth

Priority: 100
Policy Name: RADIUS
Goto Expression: Next
Next Factor: Radius Auth


This all works great when the user is a member of NOMFA or ENFORCEMFA groups, however users who are not members of these groups get "No active policy during authentication".  Ideally I wanted an access denied for users who are not members of these groups.  


Is it possible to add another policy at say Priority 101 which somehow stops authentication and denies access?  


I see Carl's link https://support.citrix.com/article/CTX111079 mentions that an LDAP search can be made, but I was ideally trying to handle this with nFactor instead of using the Primary/Secondary authentication.


I understand authorization policies are applied after login, so I was thinking, if possible, can nFactor deny by default and allow users who are members of the two groups to pass through the nFactor auth flow (ideally with the access denied rather than "No active policy during authentication")?

