
Trouble with creating an MFA authentication profile rule



Hello,

 

Days have passed searching for a solution. Maybe someone can help me.

English is not my native language. Feel free to answer in German.

I have a Gateway login for Virtual Apps and Desktops.

I am implementing an Imprivata token solution, so users only get access via a one-time token code.

In a first try with the DualAuth login schema it works great. The user enters LDAP user and password + token code.

Now I wanted to implement a step-by-step login (for better user experience) with the possibility to skip MFA (for debugging or special users from a special subnet).

But my "switch" doesn't work as I expect. Users can access with the token, but users who are allowed to skip MFA are forced to enter the token code too.

As found on carlstalhood.com, I extracted my last try.

At first I do a group extraction ("Authentication" on the LDAP server is NOT marked) because I don't know if I can create a policy with "Member of" without this.

Can somebody explain to me: when creating an authentication policy, will the expression take user information before or after the action?

I don't understand at what point I can work with LDAP groups and at what point NetScaler has or doesn't have this information.

After this I check if the user is in "CTX001003ADC-GW_dev01"; the LDAP server here has "Authentication" marked and I have a search filter on it.

At last I check if the user is in the "OhneMFA" group to skip MFA, but it does not work. If not, go to token authentication.

Sadly I have tested so many things that I am absolutely confused.

# ** nFactor Visualizer 
# ** ------------------ 
# ** AAA vserver: Auth_VS_Kunde1_Imprivata
# **    Login Schema Policy = Auth_Login_Schema_POL_Kunde1
# **       Priority = 100
# **       Rule = true
# **       Login Schema XML = "/nsconfig/loginschema/Auth_LoginSchema_Kunde1_1stFaktor_letzterTest.xml"
# **    Adv Authn Policy = DEV_AuthPol
# **       Priority = 100
# **       Rule = true
# **       Action = ldapAction named DEV_LDAP_groupextration
# **       Goto if failed = NEXT
# **       Next Factor if Success = DEV_AuthLabel_1_usergrant
# **          Login Schema Profile = LSCHEMA_INT
# **          Adv Authn Policy = DEV_AuthPol_UserauthwithGroup
# **             Priority = 100
# **             Rule = true
# **             Action = ldapAction named NSC-LB-LDAP.Betreiber1.net_Kunde1
# **             Goto if failed = NEXT
# **             Next Factor if Success = DEV_SwitchskipMFA
# **                Login Schema Profile = LSCHEMA_INT
# **                Adv Authn Policy = DEV_noauth_onlyexpression
# **                   Priority = 90
# **                   Rule = "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")"
# **                   Action = NO_AUTHN
# **                   Goto if failed = NEXT
# **                Adv Authn Policy = Auth_POL_Kunde1_MFA_1stFaktor
# **                   Priority = 110
# **                   Rule = true
# **                   Action = ldapAction named NSC-LB-LDAP.Betreiber1.net_Kunde1
# **                   Goto if failed = NEXT
# **                   Next Factor if Success = Auth_POLLABEL_Kunde1_MFA
# **                      Login Schema Profile = Auth_Login_Schema_Kunde1_2ndFaktor
# **                      Login Schema XML = "/nsconfig/loginschema/Auth_LoginSchema_Kunde1_2ndFaktor.xml"
# **                      Adv Authn Policy = Auth_POL_Kunde1_MFA_2ndFaktor
# **                         Priority = 100
# **                         Rule = true
# **                         Action = radiusAction named Auth_Radius_Imprivata
# **                         Goto if failed = NEXT

add authentication ldapAction DEV_LDAP_groupextration -serverName nsc-lb-ldap.Betreiber1.net -serverPort 636 -ldapBase "DC=Betreiber1;DC=net" -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -secType SSL -ssoNameAttribute cn -authentication DISABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberof -groupSearchSubAttribute CN
add authentication ldapAction NSC-LB-LDAP.Betreiber1.net_Kunde1 -serverName NSC-LB-LDAP.Betreiber1.net -serverPort 636 -ldapBase "DC=Betreiber1,DC=net"  -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=CTX001003ADC-GW_dev01,OU=Groups,OU=Betreiber1-it,DC=Betreiber1,DC=net" -groupAttrName memberOf -secType SSL -ssoNameAttribute cn -authentication DISABLED -passwdChange ENABLED
add authentication policylabel DEV_AuthLabel_1_usergrant -loginSchema LSCHEMA_INT
bind authentication policylabel DEV_AuthLabel_1_usergrant -policyName DEV_AuthPol_UserauthwithGroup -priority 100 -gotoPriorityExpression NEXT -nextFactor DEV_SwitchskipMFA
add authentication policylabel DEV_SwitchskipMFA -loginSchema LSCHEMA_INT
bind authentication policylabel DEV_SwitchskipMFA -policyName DEV_noauth_onlyexpression -priority 90 -gotoPriorityExpression NEXT
bind authentication policylabel DEV_SwitchskipMFA -policyName Auth_POL_Kunde1_MFA_1stFaktor -priority 110 -gotoPriorityExpression NEXT -nextFactor Auth_POLLABEL_Kunde1_MFA
add authentication policylabel Auth_POLLABEL_Kunde1_MFA -loginSchema Auth_Login_Schema_Kunde1_2ndFaktor
bind authentication policylabel Auth_POLLABEL_Kunde1_MFA -policyName Auth_POL_Kunde1_MFA_2ndFaktor -priority 100 -gotoPriorityExpression NEXT
add authentication loginSchema Auth_Login_Schema_Kunde1_2ndFaktor -authenticationSchema "/nsconfig/loginschema/Auth_LoginSchema_Kunde1_2ndFaktor.xml"
add authentication loginSchema Auth_Login_Schema_Kunde1_1stFaktor -authenticationSchema "/nsconfig/loginschema/Auth_LoginSchema_Kunde1_1stFaktor_letzterTest.xml" -userCredentialIndex 1 -passwordCredentialIndex 2 -SSOCredentials YES
add authentication Policy DEV_AuthPol -rule true -action DEV_LDAP_groupextration
add authentication Policy DEV_AuthPol_UserauthwithGroup -rule true -action NSC-LB-LDAP.Betreiber1.net_Kunde1
add authentication Policy Auth_POL_Kunde1_MFA_1stFaktor -rule true -action NSC-LB-LDAP.Betreiber1.net_Kunde1
add authentication Policy DEV_noauth_onlyexpression -rule "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")" -action NO_AUTHN
add authentication Policy Auth_POL_Kunde1_MFA_2ndFaktor -rule true -action Auth_Radius_Imprivata
add authentication radiusAction Auth_Radius_Imprivata -serverName x.Betreiber1.net

 


For the following, try goto = END instead of NEXT.

 

unbind authentication policylabel DEV_SwitchskipMFA -policyName DEV_noauth_onlyexpression
bind authentication policylabel DEV_SwitchskipMFA -policyName DEV_noauth_onlyexpression -priority 90 -gotoPriorityExpression END

 

Another option is to change the 1stFaktor policy rule to this:

 

set authentication Policy Auth_POL_Kunde1_MFA_1stFaktor -rule "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\").NOT"


19 minutes ago, Patrick Missun1709161272 said:

Now I wanted to implement a step-by-step login (for better user experience) with the possibility to skip MFA (for debugging or special users from a special subnet).

But my "switch" doesn't work as I expect. Users can access with the token, but users who are allowed to skip MFA are forced to enter the token code too.

 

 

20 minutes ago, Patrick Missun1709161272 said:

At first I do a group extraction ("Authentication" on the LDAP server is NOT marked) because I don't know if I can create a policy with "Member of" without this.

Can somebody explain to me: when creating an authentication policy, will the expression take user information before or after the action?

I don't understand at what point I can work with LDAP groups and at what point NetScaler has or doesn't have this information.

 

nFactor has a lot of moving parts and, as you said, there are so many parts that it's hard to know what's going on.

So, when possible, simplify things during the initial testing and then build up to the final solution.

This example does a good job of setting up the following nFactor flow, which should help you model what you are going for:

https://support.citrix.com/article/CTX220793

1) Do LDAP group extraction. Schema (interface 1): username only

2a) If GroupA, do single-factor authentication. Schema (interface 2a): password only

2b) Otherwise, do two-factor authentication (LDAP + RADIUS), based on the username from (1). Schema (interface 2b): password/RADIUS

Next, let's help out with some of the elements you were asking about, before trying to put this together.

1) Your question: Can somebody explain to me: when creating an authentication policy, will the expression take user information before or after the action?

This probably requires going over the policy binding considerations.

If you have multiple policies in the same factor (bind point), then they act like a policy cascade and are processed as an OR condition. The first policy match that occurs qualifies as authentication for that factor. If that policy has a "NEXT FACTOR" specified (aka a policy label), then additional authentication requirements will be processed based on the NEXT FACTOR.

So policies in the same bind point are in an OR/cascade relationship. And policies chained in a NEXT_FACTOR are in an AND/nFactor relationship to their triggering policy.

So for the first part of the question, essentially when user information like "Group" is available for use, it depends on this binding. (This also affects when your user will see a single-factor vs. a two-factor prompt.)

You have to have received the user information BEFORE you can evaluate groups in later policy expressions. So as long as your group extraction policy is higher priority, then the policies saying http.req.user.is_member_of("<group>") should be fine. In other cases, you can delay this evaluation until the next factor.

For the two-factor authentication policies, the trick is to make sure the prompt for the token only shows up when it needs to be processed, which means in a separate factor and not seen in the policy cascade if it should only be seen in some scenarios vs. others.

2) So how to fix what you built up there.

That's a little harder to interpret.

But my recommendation: 1) check the individual authentication first without nFactor to make sure that domain-only and domain/RADIUS (Imprivata) all work as expected individually. That way you are only troubleshooting nFactor and not the underlying policies.

2) Then, maybe use the example article as a simple group extraction single-factor vs. two-factor mock-up just to see if it a) does what you want and b) helps you spot the problem in your current config. Then you might have an easier time tweaking it to meet your final result.

[attached screenshot: screenshot_nfactor1_Page_1.jpg]


# AAA Global Settings
# -------------------
# *** AAA feature is not enabled


# LDAP Actions
# ------------
add authentication ldapAction LDAP_033_RemoteAccess -serverName NSC-LB-LDAP.Betreiber1.net -serverPort 636 -ldapBase "DC=Betreiber1,DC=net" -ldapBindDn srv@Betreiber1.net -ldapBindDnPassword  -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "memberOf:1.2.840.113556.1.4.1941:=CN=CTX001003ADC-GW_dev01,OU=Groups,OU=Betreiber1,DC=Betreiber1,DC=net" -groupAttrName memberOf -secType SSL -ssoNameAttribute cn -passwdChange ENABLED

# *** LDAP certificate verification Root certificates are in /nsconfig/truststore


# RADIUS Actions
# --------------
add authentication radiusAction Auth_Radius_Imprivata -serverName NSC-LB-RADIUS-IMP.Betreiber1.net -serverPort 1812 -radKey XYZ -encrypted -encryptmethod ENCMTHD_3 -radNASid NSC-DEV01-Auth


# Advanced Authentication Policies
# --------------------------------
add authentication Policy Auth_Pol_033_RemoteAccess -rule true -action LDAP_033_RemoteAccess
add authentication Policy Auth_Pol_033Kunde_SkipMFA -rule "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")" -action NO_AUTHN
add authentication Policy Auth_Pol_033Kunde_toToken -rule true -action NO_AUTHN
add authentication Policy Auth_Pol_033Kunde_Radius_Token -rule true -action Auth_Radius_Imprivata

# Login Schemas
# -------------
add authentication loginSchema Auth_LoginSchema_033_MFASwitch_noSchema -authenticationSchema noschema
add authentication loginSchema Auth_Login_Schema_Kunde_2ndFaktor -authenticationSchema "/nsconfig/loginschema/Auth_LoginSchema_Kunde_2ndFaktor.xml"
add authentication loginSchema Auth_Login_Schema_Kunde_1stFaktor -authenticationSchema "/nsconfig/loginschema/Auth_LoginSchema_Kunde_1stFaktor_letzterTest.xml" -userCredentialIndex 1 -passwordCredentialIndex 2 -SSOCredentials YES

# Login Schema Policies
# ---------------------
add authentication loginSchemaPolicy Auth_Login_Schema_POL_Kunde -rule true -action Auth_Login_Schema_Kunde_1stFaktor

# Authentication Policy Labels
# ----------------------------
add authentication policylabel Auth_PolLabel_033Kunde_SwitchMFA -loginSchema Auth_LoginSchema_033_MFASwitch_noSchema
bind authentication policylabel Auth_PolLabel_033Kunde_SwitchMFA -policyName Auth_Pol_033Kunde_SkipMFA -priority 100 -gotoPriorityExpression END
bind authentication policylabel Auth_PolLabel_033Kunde_SwitchMFA -policyName Auth_Pol_033Kunde_toToken -priority 110 -gotoPriorityExpression NEXT -nextFactor Auth_PolLabel_033Kunde_2ndFaktor_Token

add authentication policylabel Auth_PolLabel_033Kunde_2ndFaktor_Token -loginSchema Auth_Login_Schema_Kunde_2ndFaktor
bind authentication policylabel Auth_PolLabel_033Kunde_2ndFaktor_Token -policyName Auth_Pol_033Kunde_Radius_Token -priority 100 -gotoPriorityExpression END

# Authentication Virtual Servers
# ------------------------------
add authentication vserver Auth_VS_Kunde_Imprivata SSL 0.0.0.0
bind authentication vserver Auth_VS_Kunde_Imprivata -policy Auth_Login_Schema_POL_Kunde -priority 100 -gotoPriorityExpression END
bind authentication vserver Auth_VS_Kunde_Imprivata -policy Auth_Pol_033_RemoteAccess -priority 100 -nextFactor Auth_PolLabel_033Kunde_SwitchMFA -gotoPriorityExpression NEXT

# ** nFactor Visualizer 
# ** ------------------ 
# ** AAA vserver: Auth_VS_Kunde_Imprivata
# **    Login Schema Policy = Auth_Login_Schema_POL_Kunde
# **       Priority = 100
# **       Rule = true
# **       Login Schema XML = "/nsconfig/loginschema/Auth_LoginSchema_Kunde_1stFaktor_letzterTest.xml"
# **    Adv Authn Policy = Auth_Pol_033_RemoteAccess
# **       Priority = 100
# **       Rule = true
# **       Action = ldapAction named LDAP_033_RemoteAccess
# **       Goto if failed = NEXT
# **       Next Factor if Success = Auth_PolLabel_033Kunde_SwitchMFA
# **          Login Schema Profile = Auth_LoginSchema_033_MFASwitch_noSchema
# **          Login Schema XML = noschema
# **          Adv Authn Policy = Auth_Pol_033Kunde_SkipMFA
# **             Priority = 100
# **             Rule = "AAA.USER.IS_MEMBER_OF(\"CTX001003ADC-GW_dev01_OhneMFA\")"
# **             Action = NO_AUTHN
# **             Goto if failed = END
# **          Adv Authn Policy = Auth_Pol_033Kunde_toToken
# **             Priority = 110
# **             Rule = true
# **             Action = NO_AUTHN
# **             Goto if failed = NEXT
# **             Next Factor if Success = Auth_PolLabel_033Kunde_2ndFaktor_Token
# **                Login Schema Profile = Auth_Login_Schema_Kunde_2ndFaktor
# **                Login Schema XML = "/nsconfig/loginschema/Auth_LoginSchema_Kunde_2ndFaktor.xml"
# **                Adv Authn Policy = Auth_Pol_033Kunde_Radius_Token
# **                   Priority = 100
# **                   Rule = true
# **                   Action = radiusAction named Auth_Radius_Imprivata
# **                   Goto if failed = END

 

First, @Carl Stalhood:

Sadly nothing of it helped. But thanks a lot for your answer!

Maybe you can answer another question for me?

Why does the extractor show me "# *** AAA feature is not enabled"? "AAA - Application Traffic" is enabled and there is no yellow !.

And why is it called "Goto if failed = NEXT"? Did I misunderstand something?

Second, Rhonda Rowland:

Thank you for your explanations.

Now some parts are a little bit clearer.

In the beginning I tested every single part of my setup and I can say: every part works on its own. If I try only LDAP or only RADIUS, it works immediately.

So I am thinking it's all about my nFactor steps and decision policies.

One part is actually unclear. Maybe I understand your explanation wrong.

If I create an authentication policy (completely standalone, no other policy is set)

I can set an action type, action and expression.

When this policy is used, how does NetScaler work on it?

1. NetScaler looks at the expression. If it matches, the action will be executed? (So if my expression has an LDAP group, NetScaler has no information about the user's groups at this point.)

2. NetScaler takes the action; after this NetScaler looks at the expression to see if the user matches?

I found different Citrix knowledge base articles, but I gave https://support.citrix.com/article/CTX220793 a try, as you mentioned.

Case two of this article is exactly what I need.

The only difference from your picture at the end to this/my scenario:

I don't want to enter Username -> Button -> Password -> Button -> Optional 2nd factor

I want: Username + Password -> Button -> Optional 2nd factor.

Back to the Citrix article: I deleted all my old config and rebuilt it as suggested in the article.

After all, I think the setup looks absolutely similar to the initial version I built. But OK, maybe I have made a mistake....

But even here, skipping the 2nd factor doesn't work. Both my test users are forced to enter the token code, while one of my test users is allowed to skip this via LDAP group.

So I think there is only one problem.

My "Member of" policy doesn't work. I don't know why.

Only for myself, I tested AAA.USER.IS_MEMBER_OF AND HTTP.REQ.USER.IS_MEMBER_OF. But no difference.

Based on Carl Stalhood, I tested HTTP.REQ.USER.IS_MEMBER_OF().NOT in case there was a chance, but sadly no.

I don't know what to do.

Maybe it's easier to drop this ***** and create a dedicated login Gateway for single-factor users.


A couple of quick things:

 

34 minutes ago, Patrick Missun1709161272 said:

And why is it called "Goto if failed = NEXT"? Did I misunderstand something?

The GOTO expression being NEXT or END determines whether we keep looking for more policies after a policy is SUCCESSFUL, not on failure.

It allows the advanced engine to change from the END == first match, then out behavior, where it only finds the first matching policy, to the ability to use NEXT to find multiple policy matches (mostly used in rewrite, but it has uses in nFactor too).

Normally, when policies are bound to a bind point, the GOTO expression is set to END. If you have three policies bound, P1, P2, P3: if P1 is true, you take the action and there is no need to look at P2 and P3 as they are lower policies. So END means: on match, stop looking for additional policies. If P1 did not match, we would have evaluated P2 (then P3) anyway. The END only affects what happens after a policy matches. If doing multi-factor, you can make sure the final factor in one flow is set to GOTO END to stop looking for additional policies in prior bind points.

So in an authentication flow, most OR conditions are at the same bind level. And GOTO END is usually used, so that upon the first matching policy you don't need to evaluate any other policies. However, if you have

P1_ldaponly, which matches but whose GOTO is NEXT, and you also have

P2_radius bound, then you will likely process P2_radius even if P1_ldaponly matches.

 

 

Group extraction:

40 minutes ago, Patrick Missun1709161272 said:

My "Member of" policy doesn't work. I don't know why.

Only for myself, I tested AAA.USER.IS_MEMBER_OF AND HTTP.REQ.USER.IS_MEMBER_OF. But no difference.

Based on Carl Stalhood, I tested HTTP.REQ.USER.IS_MEMBER_OF().NOT in case there was a chance, but sadly no.

There's not enough info to troubleshoot this, as group extraction is dependent on policy settings such as whether you have the right parameters.

For both your group extraction policy and the actual LDAP policies, do you have the Group Attribute listed as memberOf? This parameter allows the ADC to retrieve groups from LDAP.

Next, the group you look for on the ADC must be the exact group name the user belongs to in AD.

By default, nested group extraction is not enabled, so we're also usually only looking at the groups the user is a direct member of and not the groups those groups belong to.

This is all configurable.

You can view the user authentication event via aaad.debug to see the list of groups the ADC is retrieving and see if they match the group(s) you are looking for in your policy:

shell
cd /tmp
cat aaad.debug

# this is a named pipe; after starting the cat, you can do the login and see the full authentication details. Partway through, the list of groups the user belongs to is retrieved.

It's easier to view without a lot of other activity on the system.

 

Regarding your schema interface presentation:

[quoted from you] The only difference from your picture at the end to this/my scenario:

I don't want to enter Username -> Button -> Password -> Button -> Optional 2nd factor

I want: Username + Password -> Button -> Optional 2nd factor.

I would still try to get the original example to work first, because that will mean it is completing and all the elements work.

If you want to have users prompted in step 1) for username/password, then you might as well do LDAP authentication first and not group extraction with a delayed interface.

The problem: this makes prompting for the RADIUS token on its own a little more complicated, as you will likely need a custom schema and you need to carry the username from part 1 forward.

This would be a different policy/schema flow than what the examples are showing you.

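The three checks in the reply above (is memberOf the group attribute, is the name in the rule exactly the AD group name, and is nested extraction on) can be tried out locally before touching aaad.debug. The script below is an added example, not code from this thread and not NetScaler code: it models, in Python, how an LDAP action turns directory data into the group names that AAA.USER.IS_MEMBER_OF() compares against, and what the posted flow (searchFilter with the 1.2.840.113556.1.4.1941 chain rule, then the skip rule, then the token factor) decides for a few users. The directory is constructed for the illustration: the users alice, bob, carol and dave, the nested VIP group, the similar-looking Ohne_MFA group, and the assumption that IS_MEMBER_OF does an exact string comparison on the extracted names are all assumptions, only the two group names come from the posted config.

```python
"""Model of how an ADC LDAP action turns directory data into the group names that
AAA.USER.IS_MEMBER_OF() compares against.  Added example: the directory below is
constructed for illustration and the functions model the behaviour described in
the replies (memberOf attribute, exact name match, nested extraction off by
default); they are not NetScaler code and do not talk to a real LDAP server."""

BASE = "DC=Betreiber1,DC=net"
GW_GROUP_DN = f"CN=CTX001003ADC-GW_dev01,OU=Groups,{BASE}"   # from the posted searchFilter
SKIP_GROUP_NAME = "CTX001003ADC-GW_dev01_OhneMFA"            # from the posted IS_MEMBER_OF rule

# Constructed group graph: group DN -> direct members (user DNs or group DNs).
GROUPS = {
    GW_GROUP_DN: [
        f"CN=alice,OU=Users,{BASE}",
        f"CN={SKIP_GROUP_NAME},OU=Groups,{BASE}",   # skip group nested inside the gateway group
    ],
    f"CN={SKIP_GROUP_NAME},OU=Groups,{BASE}": [
        f"CN=bob,OU=Users,{BASE}",
        f"CN=VIP,OU=Groups,{BASE}",                 # another group nested inside the skip group
    ],
    f"CN=VIP,OU=Groups,{BASE}": [
        f"CN=carol,OU=Users,{BASE}",
    ],
    f"CN=Ohne_MFA,OU=Groups,{BASE}": [              # similar-looking but different group name
        f"CN=alice,OU=Users,{BASE}",
    ],
}


def cn_of(dn: str) -> str:
    """Name stored per group with -groupNameIdentifier / -groupSearchSubAttribute CN:
    the value of the leading CN RDN."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"expected a CN RDN first: {dn}")
    return value.strip()


def direct_member_of(dn: str) -> list[str]:
    """Groups listed in the object's own memberOf attribute (-groupAttrName memberOf)."""
    return sorted(g for g, members in GROUPS.items() if dn in members)


def transitive_member_of(dn: str) -> list[str]:
    """Groups reachable through nesting, as the chain matching rule
    1.2.840.113556.1.4.1941 or -nestedGroupExtraction ON would resolve them."""
    seen: set[str] = set()
    frontier = set(direct_member_of(dn))
    while frontier:
        group = frontier.pop()
        seen.add(group)
        frontier.update(p for p in direct_member_of(group) if p not in seen)
    return sorted(seen)


def extracted_groups(user_dn: str, nested_extraction: bool) -> list[str]:
    """Group names the session would carry after the LDAP action ran."""
    dns = transitive_member_of(user_dn) if nested_extraction else direct_member_of(user_dn)
    return [cn_of(dn) for dn in dns]


def passes_search_filter(user_dn: str, group_dn: str, chain: bool = True) -> bool:
    """The -searchFilter gate: "memberOf:1.2.840.113556.1.4.1941:=<dn>" (chain=True)
    versus a plain "memberOf=<dn>" filter (chain=False)."""
    groups = transitive_member_of(user_dn) if chain else direct_member_of(user_dn)
    return group_dn in groups


def is_member_of(groups: list[str], name: str) -> bool:
    """AAA.USER.IS_MEMBER_OF("name") as modelled here: exact comparison against the
    extracted names (modelling assumption: no case folding, no DN matching)."""
    return name in groups


def mfa_decision(user_dn: str, nested_extraction: bool) -> str:
    """Outcome of the posted flow for one user:
    'denied'   - the searchFilter did not match, so the LDAP factor fails
    'skip-mfa' - IS_MEMBER_OF matched the skip group
    'token'    - falls through to the RADIUS/token factor"""
    if not passes_search_filter(user_dn, GW_GROUP_DN, chain=True):
        return "denied"
    if is_member_of(extracted_groups(user_dn, nested_extraction), SKIP_GROUP_NAME):
        return "skip-mfa"
    return "token"


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        dn = f"CN={user},OU=Users,{BASE}"
        print(f"{user:6} direct groups = {extracted_groups(dn, False)}")
        print(f"{'':6} nested off -> {mfa_decision(dn, False):9} nested on -> {mfa_decision(dn, True)}")
```

Running it shows the case worth looking for in aaad.debug: carol passes the chain-rule search filter (the nesting is resolved on the AD side), but with nested extraction left at its default the session only holds VIP, so IS_MEMBER_OF("CTX001003ADC-GW_dev01_OhneMFA") is false and she is sent to the token factor; switching nested extraction on flips her to skip-mfa. alice shows the exact-name point: membership in Ohne_MFA never matches the rule, however similar the names look.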

Thank you for your fast response.

 

17 minutes ago, Rhonda Rowland1709152125 said:

Group extraction:

[...]

I checked the "Group Attribute" on the LDAP action. I have set "memberOf".

I will take a look at aaad.debug.

 

17 minutes ago, Rhonda Rowland said:

Regarding your schema interface presentation:

[quoted from you] The only difference from your picture at the end to this/my scenario:

I don't want to enter Username -> Button -> Password -> Button -> Optional 2nd factor

I want: Username + Password -> Button -> Optional 2nd factor.

I would still try to get the original example to work first, because that will mean it is completing and all the elements work.

If you want to have users prompted in step 1) for username/password, then you might as well do LDAP authentication first and not group extraction with a delayed interface.

The problem: this makes prompting for the RADIUS token on its own a little more complicated, as you will likely need a custom schema and you need to carry the username from part 1 forward.

This would be a different policy/schema flow than what the examples are showing you.

 

Yeah, OK. I have the feeling this will not work either, but maybe there is a way to find the error.

If I manage to set it up tomorrow, I will give you feedback on this.
