ADC NS13.0 84.11.nc Provide Multiple Options for MFA on Single GW

We are in an environment where users have different MFA authenticators. Some are simply OTP and others use a mobile app with push notifications.

 

Our goal is to allow both MFA methods on a single Citrix Gateway. Is the best way to accomplish this to create an nFactor flow?

 

The ADC I am testing on only has a basic license, so I am unable to edit login schemas - but I think I can still work with nFactor flows. 

 

I have created a new Authentication Virtual Server, and bound an nFactor flow to it. However, the VS shows down, and I am not sure why.

 

Since I am fairly new to nFactor, I may be going about this incorrectly and there is a better solution. Any advice or guidance is greatly appreciated!

48 minutes ago, Rhonda Rowland1709152125 said:

Your authentication vserver has to have a cert bound AND if you are on standard edition may only be supported if non-addressable. (meaning no VIP assigned and marked non-addressable in the drop down list). Standard edition can only use authe vservers in a limited fashion.

Thank you Rhonda.

I do have the auth vserver set to non-addressable. I do not have a cert bound, so I will look into that. 

Yes standard license does seem limited, but I know I can at least create an auth vserver and bind an advanced auth policy to it. This is what I did for the push notifications, and it worked. 

Now to give users an alternative to push, would you think nFactor flows are the best way to achieve this? Or is there perhaps an advanced auth policy that could do the same thing?

Authe vservers are SSL vservers; just like the vpn vserver and will be down if no cert is bound.

CLI will show this as a reason:  show authentication vserver. Or if the issue is for some other reason.

GUI may show this if you find the "info" i icon.

 

May also be down if Authentication (AAA) feature is not enabled in the feature list.  

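The checks from the reply above, written out as NetScaler CLI commands (an added example, not part of the original posts; `auth_vs` and `wildcard_cert` are hypothetical names for the authentication vserver and an already-installed certificate-key pair):

```netscaler
# Confirm the Authentication (AAA) feature is on; enable it if it is not
show ns feature
enable ns feature AAA

# Show the authentication vserver, including its current state
show authentication vserver auth_vs

# An authentication vserver is an SSL vserver, so it needs a certificate-key pair bound.
# List the installed pairs, then bind one (wildcard_cert is a placeholder name).
show ssl certKey
bind ssl vserver auth_vs -certkeyName wildcard_cert

# Re-check: the certificate binding should be listed and the vserver should come up
show ssl vserver auth_vs
show authentication vserver auth_vs
```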

21 hours ago, Rhonda Rowland1709152125 said:

Authe vservers are SSL vservers; just like the vpn vserver and will be down if no cert is bound.

CLI will show this as a reason:  show authentication vserver. Or if the issue is for some other reason.

GUI may show this if you find the "info" i icon.

 

May also be down if Authentication (AAA) feature is not enabled in the feature list.  

 

The Auth VS came up after I bound a cert to it. Couldn't find a GUI method, but was able to bind via the CLI. Thank you for that recommendation.

Now to figure out nFactor flows. Any idea if I could run into a licensing issue with this? I know I can't edit schemas, but might not have to.


2 hours ago, Rhonda Rowland1709152125 said:

You should be fine; I'll try to find the aaa in standard info later if someone else can't find it first.

 

Looks like I can change login schemas inside my nFactor flows, however, I must use the default template associated with each schema. I am unable to change or edit a template under any given schema. Unless there is some way around this. We do have the Advanced license on our production ADC, just the dev node has the basic license. I think being able to edit the schema templates is what we need to accomplish our goal. 
