Jump to content
Welcome to our new Citrix community!

2FA for guest users only

Recommended Posts



Netscaler VPX is succesfully working with Citrix Gateway. At this point only LDAP authentication is being used. Now I want to set up a second password (2fa) for certain guest users, so that those users besides the ldap login, this guest user also needs a seperate password to authenticate. Can this be done? I was looking at creating local users on the Netscaler itself, but then I'm stuck at how to assign this secondary password for those specific users only. Now as a side note: all users are using Citrix workspace client except the guest users, they use the web logon. Is there a way to filter on that?


The license being used is a Citrix Netscaler VPX Standard License.


I haven't got much experience in Citrix Netscaler yet, so sorry for this newb question. Thank you.

Link to comment
Share on other sites

You can't easily do 1 factor for some and 2FA for others on a single vpn vserver if still using classic authentication policies (via the gateway's own primary/secondary flows.)

If you integrate gateway with an authentication vserver and use the advanced authentication policies with nfactor, then it is possible. (But your scenario does get a tad more complicated.)


You have several pieces to this:

1) one factor vs. two factor based on user group and/or user name is something you CAN do with Gateway + AAA/nfactor.  (Example referenced below.)

2)  I know your Standard License will let you create a non-addressable AAA authentication vserver for integration with Gateway.  However, I don't recall if you get full nfactor policies in standard. I *think* you do, but could be wrong.

3) NEXT, the easier way would be to make this decision based on user group BUT doing it based on whether you are connecting via WEB vs SERVICES client is trickier.   
Your gateway already looks at certain headers to determine whether to do the Store Web or Store Services path, if you can evaluate these during logon, then you should be able to use those headers based on connection type to trigger the authentication policies.   The group would be an easier trigger if possible.  


NFactor Example of LDAP for group A and LDAP/RADIUS for GroupB:

For reference, this isn't your exact scenario, but it is an example:  https://support.citrix.com/article/CTX220793

This particular scenario sets up a scenario where members of GroupA gets ldap only and GroupB gets two factor.  This scenario does do a user prompt first, then does a group extraction lookup, then based on group affects your next nfactor flows.


Link to comment
Share on other sites



Thank you for your reply. I thought nfactor did not work with Standard license. Are you sure about that? Maybe someone can confirm this?


Also a completely different question which I want to know, if you setup a nps with Azure MFA integration how does that work with a Citrix workspace client, Will it prompt for 2fa then or is this only for users authenticating via Storeweb? I found many tutorials, but I only see logon examples for Storeweb connections.


Thank you for the information. This helped me a lot already.

Link to comment
Share on other sites

You can use AAA authentication vservers with a Citrix ADC Standard Edition license in a non-addressable form only, because it was the ONLY way to get Gateway authentication from classic to advanced policies (they changed the licensing entitlement). However, I also do not know if this gives you full nfactor capabilities or not.

IF you can't do nfactor for this scenario, then your best option would be separate vpn vservers for access: one for 2fa and one for single factor if still using the classic engine.

Okay: license article found:  https://docs.citrix.com/en-us/citrix-gateway/current-release/authentication-authorization/nfactor-for-gateway-authentication.html

- Authentication vserver and advanced policies are supported in Standard Edition.

- Nfactor visualizer (aka wizard) is not

-NFactor policy configs can be done BUT limited to built in schemas; no custom schemas.

Because of the complexity of your scenario, I don't know if the entire thing can be built in standard; but you should be able to do a simple ldap vs ldap/radius mock up to see what is and isn't possible.



I do not know the answer to your MFA question, because sometimes the services client is in fact different for certain authentication scenarios.  Hopefully someone else can give you a more definitive.



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...