
Preauth before EPA


Kent Söderlund


Hmm - is something wrong with the forum? I don't get any info when someone has responded :(, even though I have "Follow"

 

But to my question:

  • I have an Authentication Policy with Action Type LDAP and Action my LDAP server
  • Expression "HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Chromebook")"
  • If I try to bind that to my AAA virtual server I get
    • "Policy cannot be bound to specified policy label"

You may need to show the other policies bound on AAA to see if a problem, to confirm order of processing.

And is your license Standard (which limits AAA) or Adv/Platinum?

 

However, any user connecting with CitrixReceiver (Workspace App) will not have a user-agent header indicating a chromebook or web browser values. And web browser connections won't indicate CitrixReceiver either.

 

You have two problems: 1) whether you can do a user-agent header OR EPA scan in the context you are trying to do it, and 2) this particular combo is never valid.

 

Issue 1) Standard license may have limits on which features of AAA can be in use. This may not be your issue, but it might also be related to the order in which you are doing a user-agent test compared to an EPA or other scan. 1b) EPA scans can only be supported if you have the CCU (VPN licenses) and not just ICA proxy only. While user-agent header tests shouldn't qualify, the error may be related to how you are doing other policy bindings (like a user-agent test before something else).

 

Quick syntax check: In the GUI, these "outer" quotes wouldn't be included: "HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Chromebook") If that was just for entry into the forum, then ignore. I would try with just the "receiver" expression or just the chromebook one and see if it likes one clause but not both. I don't think it would be able to tell that combo is invalid, but this would help determine whether it's this expression that is the problem or any user-agent header test that is the problem.

 

Issue 2) One: are your users connecting by web browser OR Citrix Workspace app client? And you will be unlikely to distinguish the OS/browser if the Citrix Workspace app is in use. We probably have to go back to the original problem you are trying to solve and then see if there's another way to do what you want.

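As an added illustration (not code from this thread or from Citrix), here is a small Python evaluator for the HTTP.REQ.HEADER(...).CONTAINS(...) expression shape used above, run against constructed User-Agent strings. It shows why the CitrixReceiver && Chromebook combination can never match either a Workspace app or a browser request, lets you check each clause on its own as the reply suggests, and rejects the spare outer quotes; the sample User-Agent values and the && / || subset of the expression grammar are assumptions.

```python
import re

# One clause of the advanced-policy expression shape used in the thread:
#   HTTP.REQ.HEADER("<name>").CONTAINS("<needle>")
CLAUSE_RE = re.compile(r'HTTP\.REQ\.HEADER\("([^"]+)"\)\.CONTAINS\("([^"]+)"\)')

# Constructed sample User-Agent values, not captured from real clients.
WORKSPACE_UA = "CitrixReceiver/22.9.0.24 (Windows NT 10.0)"
CHROMEOS_UA = ("Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36")
COMBO = ('HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")'
         '&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Chromebook")')


def parse_expression(expr):
    """Return OR-groups of (header, needle) AND-clauses; && binds tighter than ||.
    Rejects an expression wrapped in spare outer quotes (the GUI entry slip)."""
    expr = expr.strip()
    if len(expr) > 1 and expr[0] == '"' and expr[-1] == '"':
        raise ValueError("expression is wrapped in outer quotes; enter it without them")
    groups, current, pos = [], [], 0
    while True:
        m = CLAUSE_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unrecognised syntax at offset {pos}: {expr[pos:pos + 24]!r}")
        current.append((m.group(1), m.group(2)))
        pos = m.end()
        if pos == len(expr):
            return groups + [current]
        op = expr[pos:pos + 2]
        if op == "||":                      # looser operator: close the AND-group
            groups.append(current)
            current = []
        elif op != "&&":
            raise ValueError(f"expected && or || at offset {pos}, found {op!r}")
        pos += 2


def evaluate(expr, headers):
    """Evaluate against a dict of request headers. CONTAINS is case-sensitive,
    as on NetScaler unless SET_TEXT_MODE(IGNORECASE) is applied."""
    return any(all(needle in headers.get(name, "") for name, needle in group)
               for group in parse_expression(expr))


def clause_report(expr, headers):
    """Per-clause hits, to check each half of a combined expression on its own."""
    return [(needle, needle in headers.get(name, ""))
            for group in parse_expression(expr) for name, needle in group]
```

Note that the constructed ChromeOS browser string carries "CrOS", not "Chromebook", so even the Chromebook clause alone would not match a browser coming from that OS.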

Hello and thanks for your answers

First - this is a Secure Private Access Advanced setup, so it's only AAA virtual server and no gateway, that is handled by Citrix cloud. And is licensed directly to Citrix on Enterprise level

 

What am I trying to do - I have an EPA scan that uses LDAP for trusted devices and SAML for untrusted. Works like a charm

But, for devices that don't have EPA scan agent I want to point them directly to LDAP if we think the OS is "secure", like ChromeOS

 

I have done an "Advanced Policy" that has action type "LDAP" and Action "DC-1" that is my working LDAP connection (and not copied so we are 100% that it works, we use that in many other policies)

The expression is, only to test for now, "true" - in other words, as we see it, if this policy is bound at the lowest level it should do a LDAP authentication

 

So on my AAA virtual server I add a policy binding with the policy above, and bind that at priority 60 (which is the lowest)

 

When I try to "Bind", I get "Policy cannot be bound to specified policy label" - what am I doing wrong?


On 9/16/2022 at 1:01 AM, Kent Söderlund said:

Hi Kent, were you able to find a solution for this?
