Jump to content
Welcome to our new Citrix community!

nfactor + domain dropdown + password + passcode + all in one screen

Recommended Posts


I have a request to change the authentication for a VPN where currently the users currently authenticate using classic policies: pre-authentication -  domain check, authentication - user, password and passcode to support two domains.

Pre-authentication policies are deprecated so I need to use nfactor.

The logon screen need to have all fields: user, password, passcode and domain drop box.  But I cannot find a way to authenticate the user.

In nfactor flow I added an epa factor which work ok (no schema).

Then the next factor is the actual main screen with all the elements described above (custom schema, copy of DualAuth.xml and added drop down for domains).

Then I added a decision block to select the domain.

The next factor is LDAP based on selected domain (no schema).

The next factor is RADIUS (no schema).

It seems the credentials do not pass from the first screen to the last two factors.

I am wondering if anybody encountered this before and how to solve it if possible.

Link to comment
Share on other sites



there are different nFactor-Flow-Ways to achieve this - but let's talk about your setup and just two ideas what could be missing in your setup, as you wrote the credentials do not pass from previous factors.


1. To pick to entered Username from the first factor to be entered in further factors (with Read-Only) checkout the ${AAA.USER.NAME} Value in your LoginSchema XML. An example:




2. To give ADC infos about which field is Username and which is Password, to transfer into further factors, check your credential index for Username and Password in your LoginSchema:




Hope this helps



Link to comment
Share on other sites

Thanks Julian. I noticed that if I used the decision block for domain selection, it broke the flow. Not sure if I made a mistake but once I took it out and changed a few things worked.


This is setup now:


First factor is domain membership. Works ok.

Second factor is the decision where the domains are selected. The schema is a customized DualAuth.xml and added the dropdown combo box from DomainDropdown.xml.

The two policies on second factor are NO_AUTH and are used to select the domain using these 2 expressions:




The ldap and radius factors have on schema (noschema) these below:

User expression (on both): aaa.LOGIN.USERNAME

LDAP Password Expression: aaa.LOGIN.PASSWORD

RADIUS Password Expression: aaa.LOGIN.PASSWORD2


Seems to work fine now. Still wondering if not using the decision block is a god decision. 


There is one annoying thing though. On VPN client, the users need to scroll now to select the domain. Do you know if this can be enlarged by default ?


image.png.9ebc475a2a80e804b94744f5c9c86900.png  image.png.c73ab3c2d153e8053230189b26b6c8e8.png

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...