Jump to content
Welcome to our new Citrix community!

Query re 2FA and SFA


Chris C

Recommended Posts

All, Hello. I have not used Citrix since 2008 but I have been asked to look into a logon query for an new employer.

 

Environment: Storefront 3.12/ Netscaler 11.* / DUO / Windows AD

 

Example we have 2 groups of customers, 1 group logon through (SFA.gateway.co) the 2nd group logon through (2FA.gateway.co)

 

The 2FA group can still go to SFA.gateway.co.uk and gain access

 

Citrix have said we cannot achieve separation without using IP white/black listing, we have found the following https://support.citrix.com/article/CTX111079    Am I on the right track? 

 

Ideally we would like a single gateway that by using groups pulled from AD would either log a user in or send a DUO request for further authentication.

 

Apologies for the rubbish description.

Link to comment
Share on other sites

IF the deciding criteria for who gets single-factor and who gets 2fa with duo is based on user group membership (and not the hostname they used to connect), then a group extraction policy should work based on this article:  https://support.citrix.com/article/CTX220793

 

Put users requiring DUO/SFA into a group called 2FArequired (or whatever you want to call it).

When users login, prompt for username. The group extraction policy runs, if 2FARequired group membership you will do the ldap password + duo 2FA flow.  If other group, give them the single factor ldap password only requirement.

 

Edit: your article and my article are for the same scenario; i think the ctx220793 is a little easier to follow for a first time test. But you are on the right track.

As long as you don't have overlapping group membership. If other factors are at play like which hostname a user uses or if a user could sometimes be single factor and others two factor...it may be possible to implement, but other criteria is needed.

 

Edited by Rhonda Rowland
clarification
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...