
nfactor with group extraction and certificate



Hello

My goal is to connect to Unified Gateway with nFactor.

An AAA server is configured with the following nFactor flow:

1. RADIUS (User/Pwd/Passcode)

2. Group extractor

   LUX → if user is a member of the group → Cert authentication

   NOLUX → if user is not a member → No auth

 

For NOLUX users it works.

For LUX users, the certificate is presented, then an error, "invalid certificate", is displayed.

 

On the AAA server an SSL profile is bound with Device Authentication enabled and certificate Optional. CA root and intermediate are bound as well. The certificate is valid and not expired.

On CS and UG another SSL profile with Deny SSL renegotiation set to NO.

 

NS13.0 58.30C

 

Thank you for your help


If I read this right, you do LDAP + RADIUS first (username/pwd and passcode), but you have RADIUS only listed. So are you doing the LDAP authentication or not?

Then if a member of a LUX group, prompt for cert next.

Is your cert accepting UPN or sAMAccountName, and does this match how the user logged in in the first factor? In the cert policy, what is your username format, and do you have Two Factor ON or OFF? If on, you need to do the cert prompt first and then the LDAP authentication. If off, then the cert alone is processed, but without a separate password prompt.

Do you have the proper cert links (certificate chain) created between the intermediate and root cert? So instead of binding them both as "CA" certs on the vserver, did you link the intermediate cert to its CA cert issuer? And is the issuer of the client cert presented by the user?

Typically with nFactor configs, it's a good idea to make sure the underlying authentication processes work individually or as simple flows first, before building nFactor.

So, does your client cert work without the need of a subsequent password verification (cert only), or is it actually (cert + password)?

If possible, isolate the client cert test (or cert + LDAP if necessary) on its own and determine the issue. You may need to look in both syslog and the aaad.debug for authentication errors to understand the client cert failure.

One example with client cert + password:

This is the opposite example for you: https://www.carlstalhood.com/nfactor-authentication-for-netscaler-gateway-11-1/#certauthnfactor (search for "Certificate auth: If Successful, LDAP only. If Failure, LDAP+RADIUS" to find the section). It's actually 1a: client cert, followed by 1b: LDAP only, OR 2a: LDAP and 2b: RADIUS.

But you might try this first to determine if cert authentication is working, and then you can try to rework it for your required flow.

 

 

 


3 weeks later...

In fact, password validation is done by RADIUS.

That means in NetScaler the first authentication is RADIUS. The login screen presents User, Pwd, Passcode.

Then, once authenticated, I created an LDAP policy only to extract groups.

If the user is a member of the LUX group, the next factor is Certificate. Inside the certificate, the CN is the sAMAccountName.

Alone, cert authentication is working; alone, RADIUS is working.

I suspect putting cert in the second factor causes the issue.


If you can share your nFactor policy bindings, it would help assist with troubleshooting.

Need authentication policy bindings to AAA and any policy labels (next factors) specified.

I had a student once think they had working client cert and realize the system was just letting anyone in (oops). But we'll assume it is working. But double check aaad.debug (shell; cd /tmp) to make sure there's not something else going on.

When users use the cert to authenticate, do you require them to supply a password as well, OR is the cert self-contained like a dip card?

Here is one example of client cert after group extraction: https://support.citrix.com/article/CTX201742

You might be able to mock this part up without RADIUS and see if the group extraction + client cert works.

Then we can try to add the RADIUS in first before this one.

 

 

 

 

 

 


Thanks for your help.

Find attached some screenshots.

I tested each authentication policy independently and it works.

The issue is when cert authentication appears: NetScaler asks me to choose a certificate, I choose one, and I have an error message "No active policy while trying to fallback from certification failure."

Root and intermediate certs are bound on the authentication server.

Username is present in Subject CN in the certificate.

In aaad.debug no message after: Delegating cert auth to kernel for : "username"

Attachment: adc-auth.pdf


Your LUX cert policy shows NO_AUTHN on the action, though you do have the next factor.

My guess is you tested the second-tier policies individually, CertLux and the other.

But nothing works with the LUX/NOLUX policy conditionals, because you are testing if the user is a member of a group without doing a user prompt/group extraction policy first, so none of your conditional policies go into effect.

Step 1: It's important to make sure your original cert policy (CertLux) actually works on its own. a) Set up a test access point with cert mandatory, and b) confirm a cert-only authentication succeeds by confirming in aaad.debug, and have no fallback authentication and a default deny unless authenticated. This way you can make sure the original cert processing wasn't failing and then allowing through anyway because it was set to optional. << If this is a problem, we fix it first.

Step 2: For RADIUS authentication, confirm after the user authenticates that group extraction is occurring, and that for users of GroupA vs. GroupB you can trigger a simple allow or deny, to make sure the group extraction is working properly for the groups you are triggering on. aaad.debug can help confirm, but I would set up settings with explicit allow/deny authorizations or allow/deny logins to confirm group extraction/expected group memberships work.

Step 3: Depending on these results, then we can look at whether the nFactor is working or not, or if you have one or two essential issues to troubleshoot first.

 

 

 

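For readers following the two replies above (the first reply's questions about Two Factor ON/OFF, the username field and linking the intermediate cert to its root, and Step 1 through Step 3 here), the NetScaler CLI configuration below is an added example; it is not from this thread, from the original poster's screenshots, or from Citrix documentation. Every name in it is a placeholder (the vserver names, the LUX group, the 192.0.2.x addresses, the certificate file names, the bind credentials), and the lines beginning with # are annotations, not CLI commands. It shows the isolated cert-only test access point that Step 1 asks for next to a full RADIUS → LDAP group extraction → conditional client-certificate flow; the login schema that produces the User/Pwd/Passcode prompt for the RADIUS factor is left out.

```nscli
# --- Certificates: link the issuing (intermediate) CA to its root so the
# --- chain is complete, rather than relying on both being bound as "CA" certs.
add ssl certKey ROOT_CA -cert root-ca.cer
add ssl certKey ISSUING_CA -cert issuing-ca.cer
link ssl certKey ISSUING_CA ROOT_CA

# --- Cert action: no separate password prompt, username taken from Subject CN
# --- (the thread states the CN carries the sAMAccountName).
add authentication certAction CERT_ACT -twoFactor OFF -userNameField "Subject:CN"
add authentication Policy CERT_POL -rule true -action CERT_ACT

# --- Step 1: isolated test access point with client cert MANDATORY and no
# --- fallback policy. A cert failure is then visible in aaad.debug
# --- (shell; cd /tmp; cat aaad.debug) instead of being masked by an
# --- Optional client cert that still lets the session through.
add authentication vserver CERTTEST_VS SSL 192.0.2.10 443
set ssl vserver CERTTEST_VS -clientAuth ENABLED -clientCert Mandatory
bind ssl vserver CERTTEST_VS -certkeyName ISSUING_CA -CA -ocspCheck Optional
bind ssl vserver CERTTEST_VS -certkeyName ROOT_CA -CA -ocspCheck Optional
bind authentication vserver CERTTEST_VS -policy CERT_POL -priority 100 -gotoPriorityExpression END

# --- Step 2: RADIUS validates the password/passcode; the LDAP action has
# --- authentication DISABLED and only extracts groups (memberOf -> cn).
add authentication radiusAction RAD_ACT -serverIP 192.0.2.20 -serverPort 1812 -radKey "<radius-shared-secret>"
add authentication Policy RAD_POL -rule true -action RAD_ACT

add authentication ldapAction LDAP_GRP_ACT -serverIP 192.0.2.30 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc-netscaler@example.com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED
add authentication Policy LDAP_GRP_POL -rule true -action LDAP_GRP_ACT

# --- Decision policies: NO_AUTHN, they only branch on the extracted groups.
# --- These expressions are meaningless unless a group-extraction factor ran first.
add authentication Policy LUX_POL -rule 'AAA.USER.IS_MEMBER_OF("LUX")' -action NO_AUTHN
add authentication Policy NOLUX_POL -rule '!AAA.USER.IS_MEMBER_OF("LUX")' -action NO_AUTHN

# --- Last factor (LUX users only): client certificate.
add authentication policylabel PL_CERT -loginSchema LSCHEMA_INT
bind authentication policylabel PL_CERT -policyName CERT_POL -priority 100 -gotoPriorityExpression END

# --- Decision factor: LUX continues to PL_CERT, NOLUX ends the flow here.
add authentication policylabel PL_DECIDE -loginSchema LSCHEMA_INT
bind authentication policylabel PL_DECIDE -policyName LUX_POL -priority 100 -gotoPriorityExpression NEXT -nextFactor PL_CERT
bind authentication policylabel PL_DECIDE -policyName NOLUX_POL -priority 110 -gotoPriorityExpression END

# --- Group-extraction factor, reached after RADIUS succeeds.
add authentication policylabel PL_GROUPS -loginSchema LSCHEMA_INT
bind authentication policylabel PL_GROUPS -policyName LDAP_GRP_POL -priority 100 -gotoPriorityExpression NEXT -nextFactor PL_DECIDE

# --- Production AAA vserver. Client cert stays Optional here because NOLUX
# --- users never present one; only the CERT_POL factor demands it.
add authentication vserver AAA_VS SSL 192.0.2.40 443
set ssl vserver AAA_VS -clientAuth ENABLED -clientCert Optional
bind ssl vserver AAA_VS -certkeyName ISSUING_CA -CA -ocspCheck Optional
bind ssl vserver AAA_VS -certkeyName ROOT_CA -CA -ocspCheck Optional
bind authentication vserver AAA_VS -policy RAD_POL -priority 100 -gotoPriorityExpression NEXT -nextFactor PL_GROUPS
```

Two points worth checking against a real deployment: first, Step 1 is the CERTTEST_VS block on its own, so a user who cannot present a valid chain-linked certificate must be refused there before the full flow is examined; second, because the certificate is requested only at a later factor while the vserver itself has the client cert Optional, the ADC has to renegotiate the TLS session to ask the browser for a certificate, which is the reason the original poster's SSL profile has Deny SSL renegotiation set to NO, and a profile that blocks renegotiation would make that factor fail before any authentication policy runs.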

7 months later...

On 9/1/2020 at 3:25 PM, Christophe BEAUGRAND1709159268 said:

Thanks for your help.

Find attached some screenshots.

I tested each authentication policy independently and it works.

The issue is when cert authentication appears: NetScaler asks me to choose a certificate, I choose one, and I have an error message "No active policy while trying to fallback from certification failure."

Root and intermediate certs are bound on the authentication server.

Username is present in Subject CN in the certificate.

In aaad.debug no message after: Delegating cert auth to kernel for : "username"

Attachment: adc-auth.pdf

Was this ever resolved?
