Citrix ADC 13.1 Drop-Down RfWebUI Theme

[Björn Schläfli]

Since Netscaler 11 I've used X1 theme with rewrite policy to create a drop-down to use this cookie to send users based on selection to different receiver for web sites by session policies / actions. Following How to Add Drop-Down Menu with Domain Names on Logon Page for NetScaler Gateway 11.0 64.x and Later (citrix.com). 

Lately I've updated to 13.1. X1 is deprecated and has to be replaced by RfWebUI Theme. The rewrite solution does not work with RfWebUI. How can I create a custom drop-down from which I can get users selection? Is that still possible? We currently also have a java script function in gateway_login_form_view.js that I would have to reconfigure somewhere.

[Rhonda Rowland1709152125]

You use the drop down via the login schemas and nfactor policies (whether you actually need an nfactor flow or not).

Either a drop down list can be part of the regular username, password, <domain> login OR you can use a domain drop down first that then allows you to change which atuhentication flow you use per domain.

 

 

[Björn Schläfli]

I've already done some reading in nFactor. I can create a drop-down with a login scheme, but how can I forward the user to the appropriate storefront based on the selected domain?

First authentication is radius on a system which is not in my competence and second is ldap with noauth (used only to read attributes and use a special one for redirections).

[Rhonda Rowland1709152125]

You probably need the LDAP to actually perform authentication, otherwise you are radius only.

But the domain drop down list sets a value that you can use to trigger the subsequent authentication policies if applicable AND that value can also used as a trigger for later session policies.

 

One of several examples, using the nfactor visualizer wizard:

https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-domain-drop-down-username-and-password.html

If you use the default schema and jsut change the display names, then your session policies would see domain1 as AAATM.com and domain2 as NSI-test.com. If you change the drop-down list values when editing the schema, you can make it look for domain1 and domain2 names that you are using in the display field as well.

 

So, the session policy triggers for store1 vs store2 would be something like this:

There's a couple of different end results, depending on which example is used:

NOTE: these are all case-senstive, so have to exactly match the "value" in the drop-down login schema setup:

HTTP.REQ.BODY(50000).CONTAINS("NSI-test.com")

HTTP.REQ.BODY(50000).CONTAINS("AAATM.com")

 

HTTP.REQ.BODY(50000).CONTAINS("domain1.com")

HTTP.REQ.BODY(50000).CONTAINS("domain2.com")

 

The reference above, uses the expression like:

http.req.body(500).after_str("domain=").contains("NSI-TEST.COM")

http.req.body(500).after_str("domain=").contains("AAATM.COM")

 

[Björn Schläfli]

Hi Rhonda,

many thanks for your great explanations. I've created the nFactor flow and the session policys with HTTP.REQ.BODY(500).CONTAINS("mydomain") and it's working. 

Thank you very much!