How to enable MFA as a second authentication for ADC GUI admin login


Yousaf


Hello everyone, 

 

I'm planning to configure MFA to secure the ADC GUI, so the admin will have to use AD user/pass, then the second authentication will be RADIUS MFA.

I found one article talking about exactly what I want to achieve, but unfortunately nothing has worked for me so far. I was able to enable AD login to the ADC GUI,

but that's it, there is no MFA. Has anyone implemented MFA for the GUI? And if yes, could you please give me the steps?

 

Just wanted to mention my RADIUS MFA server is working fine, since I'm using it to authenticate the gateway/VPN etc., so my issue here is only what the correct steps are to enable MFA for the ADC GUI.

thank you all

Best regards  

 

 

https://support.citrix.com/article/CTX256000

https://docs.citrix.com/en-us/citrix-adc/12-1/system/ns-ag-aa-intro-wrapper-con/two-factor-authentication.html

 


Which version of firmware are you on? And you have to switch from classic to advanced authentication policies.

Build your LDAP and RADIUS policies in the advanced engine.

Create a "next factor" authentication bind point under the System Authentication policies section.  Bind Radius to the second factor bind point.

When you then bind your LDAP Policy on the System Authentication bind point, then specify the "next factor" as your custom bind point for radius.  

 

I can mock it up later if someone doesn't give you exact commands before then.

During testing ensure you have both policies processing and not just a cascade of one or the other (if done without MFA/next factor properly configured.)


On 2/10/2022 at 9:50 AM, Rhonda Rowland1709152125 said:

Which version of firmware are you on and you have to switch from classic to advanced authentication policies.

Hi Rhonda, 

 

thank you for your reply, I have 12.1 build 63.22

and actually I followed the article above exactly, and I'm still not able to make it work.

If you can provide me the commands, I will just modify them based on my LDAP/RSA IP/details etc.

That would be appreciated, thank you in advance!


If you're not getting second factor prompt at all, you have a different problem.  You have to have first policy bound and then configure the NEXT FACTOR to a policy label for the second policy to be in an AND condition. If you have two policies on the same bind point, you just have an OR condition and only one is required.

 

I'm having to do a temp mock up with just ldap and local accounts until I can get radius in the mix.  

The CLI seemed to work; but the GUI keeps giving me an invalid session/session timeout on a 13.0 build -- but it could still be something wrong, since I'm taking a number of shortcuts.  But this might help you get closer. Can't guarantee this fixes your problem though.

 

The basic setup is giving me the second prompt.  That's why if you can share the config you are trying and firmware it might be easier to spot what's wrong to fix yours without waiting for me to build a similar environment.  Basic structure should be something like this, to get the SECOND FACTOR prompt...but it might not be completely resolved yet even with a valid ldap/radius config.  If this still doesn't work for you, hopefully someone else can give you an answer.

 

## 1) Create System group name on ADC (to match ldap/radius group - if using group extraction). And assign necessary admin rights to System Group.
#       Update <ADCAdmins> with actual group name and adjust permissions if superuser is not required.
add system group <ADCAdmins>
bind system group <ADCAdmins> -policyName superuser 100

## 2) Create authentication actions/policies for LDAP and RADIUS (note only policies shown below; the actions authe_act_ldap_domainA and authe_act_radius must already exist). Be sure both are set for proper user name format and group extraction.
add authentication policy authe_pol_ldap_domainA -rule true -action authe_act_ldap_domainA
add authentication policy authe_pol_radius -rule true -action authe_act_radius

## 3) Create PolicyLabel for Factor2 phase (with radius binding)
#        Note: Login Schema should be the default single factor schema. Gui will adjust.
#        After it works, you can worry about changing second factor display name; but we have to avoid breaking gui.
#   3a) Create login schema referencing default...
add authentication loginSchema lschema_sys_factor2 -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
#   3b) Create policy label (to act as next factor). Type RBA_REQ is the label type for system (management) authentication.
add authentication policylabel pl_sysauthe_factor2 -type RBA_REQ -loginSchema lschema_sys_factor2
#   3c) Bind second factor radius policy to policy label
#       (the mock-up above used a local-auth policy here as a stand-in until radius was available; the radius policy from step 2 is the intended binding)
bind authentication policylabel pl_sysauthe_factor2 -policyName authe_pol_radius -priority 100 -gotoPriorityExpression NEXT

## 4) Bind LDAP policy (from step 2) to System Global and then configure next factor to radius
bind system global authe_pol_ldap_domainA -priority 100 -nextFactor pl_sysauthe_factor2 -gotoPriorityExpression NEXT
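As an added check (my own example, not from the post or from Citrix), here is a small Python linter that reads an ns.conf excerpt and tells apart the OR situation Rhonda describes (LDAP and RADIUS both bound at system global, so either one is enough) from the AND chain (LDAP at system global with -nextFactor pointing at a label that holds RADIUS). The three config excerpts are constructed from the command shapes above; the policy and label names are the ones used in the post, and the check also flags a label that has nothing bound to it.

```python
import re

# Constructed ns.conf excerpts (assumption: command shapes follow the post above).
# WEAK: LDAP and RADIUS both bound at system global => OR, one factor is enough.
WEAK_CONF = """
bind system global authe_pol_ldap_domainA -priority 100 -gotoPriorityExpression NEXT
bind system global authe_pol_radius -priority 110 -gotoPriorityExpression NEXT
"""
# CHAINED: LDAP at system global, RADIUS only reachable via -nextFactor => AND.
CHAINED_CONF = """
add authentication policylabel pl_sysauthe_factor2 -type RBA_REQ -loginSchema lschema_sys_factor2
bind authentication policylabel pl_sysauthe_factor2 -policyName authe_pol_radius -priority 100 -gotoPriorityExpression NEXT
bind system global authe_pol_ldap_domainA -priority 100 -nextFactor pl_sysauthe_factor2 -gotoPriorityExpression NEXT
"""
# EMPTY_LABEL: next factor is configured but nothing is bound to the label.
EMPTY_LABEL_CONF = """
add authentication policylabel pl_sysauthe_factor2 -type RBA_REQ -loginSchema lschema_sys_factor2
bind system global authe_pol_ldap_domainA -priority 100 -nextFactor pl_sysauthe_factor2
"""

BIND_GLOBAL = re.compile(r"^bind system global (\S+)(.*)$")
BIND_LABEL = re.compile(r"^bind authentication policylabel (\S+) -policyName (\S+)")
NEXT_FACTOR = re.compile(r"-nextFactor (\S+)")

def factor_chains(conf):
    """One list per system-global binding: [first policy, second-factor policies].
    Policies on the same label are joined with '|' (any one satisfies that factor)."""
    label_policies, top_level = {}, []
    for line in conf.strip().splitlines():
        m = BIND_LABEL.match(line)
        if m:
            label_policies.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = BIND_GLOBAL.match(line)  # assumes every such line is an auth policy
        if m:
            nf = NEXT_FACTOR.search(m.group(2))
            top_level.append((m.group(1), nf.group(1) if nf else None))
    chains = []
    for policy, label in top_level:
        chain = [policy]
        if label is not None:
            chain.append("|".join(label_policies.get(label, [])))
        chains.append(chain)
    return chains

def enforces_second_factor(conf):
    """True only if every system-global path leads to a non-empty second factor."""
    chains = factor_chains(conf)
    return bool(chains) and all(len(c) == 2 and c[1] != "" for c in chains)
```

Run it against the output of `show ns runningConfig` (filtered to the lines above) to confirm the management login really requires both factors before rolling it out.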