Citrix ADC 13.0.84.11 - nFactor MFA logic question

Greetings Citrix experts!

We are redesigning our Citrix Gateway MFA to allow either push notifications or manual OTP entry. I have this working in a test environment, but need some guidance on how nFactor could handle a certain scenario.

Scenario: Some users will have an OTP code and others will use push notifications on their MFA app. The push notification service is down, and those users need to revert to OTP, at least temporarily.

Since nFactor decides the authentication method (push vs. OTP) based on AD group, I am not sure how a push-based user could switch back to OTP without us changing their AD group.

The login schema I'm using in this POC is the DualAuthPushOrOTP.xml form, which includes a check box for "Enter OTP manually". This works great for those who are in the OTP manual entry group.

Is there some way to extend the OTP entry to users in the push AD group without having to change them to the OTP group?

I wasn't sure if there was some logic in the nFactor flows that could handle this, or perhaps an advanced expression. I'm still relatively new to the nFactor feature, so perhaps there's a better way to handle the flow?

Thanks in advance for any insight someone could provide!


Hello Keith,

Just to clarify, you're talking about Citrix OTP and Citrix PushOTP? I think this should work if you differentiate by AD attributes. Create two new attributes in your AD and use one for PushOTP registration and the other for manual OTP. You can control the different login schemas with an expression like AAA.USER.ATTRIBUTE(5).CONTAINS("#@") (where 5 is one of the mentioned attributes, previously extracted with a non-auth group-extraction LDAP rule).

But this will not achieve your goal, as if the push service is down, your push users aren't able to use manual OTP. I would be happy to know if there's such an auto-failover, but when using manual OTP with PushOTP, I always used the DualAuthPushOrOTP login schema too, and the users are briefed to enable the checkbox "Enter OTP manually" when NOT using PushOTP...

Regards

Julian

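The attribute-driven branch Julian describes, written out as NetScaler/Citrix ADC 13.0 CLI. This is an added example, not configuration from the original thread or from Citrix; server addresses, bind DN, object names, the choice of userParameters and extensionAttribute1 as the two registration attributes, the pushService name citrix_push (configured separately) and the OnlyOTP.xml schema file for the manual-OTP branch are all assumptions you would replace with your own. The CONTAINS("#@") test is Julian's: it matches the "#@<device>=<secret>&," entries that Citrix native OTP registration writes into the chosen attribute, so it is true for any user who has a device registered there.

```text
# --- Factor 1: username + password against AD (SingleAuth schema) ----------
add authentication ldapAction ldap_auth -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=svc-ns,ou=svc,dc=corp,dc=example" -ldapBindDnPassword <redacted> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication Policy pol_ldap_auth -rule true -action ldap_auth
add authentication loginSchema ls_single -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication loginSchemaPolicy lsp_single -rule true -action ls_single

# --- Non-auth lookup: no password check, attribute extraction only ---------
# Attribute5 <- userParameters        (assumed: PushOTP registrations)
# Attribute6 <- extensionAttribute1   (assumed: manual-OTP registrations)
# Both hold "#@<device>=<secret>&," entries once a device is registered.
add authentication ldapAction ldap_attr_noauth -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=svc-ns,ou=svc,dc=corp,dc=example" -ldapBindDnPassword <redacted> -ldapLoginName sAMAccountName -authentication DISABLED -Attribute5 userParameters -Attribute6 extensionAttribute1
add authentication Policy pol_ldap_attr_noauth -rule true -action ldap_attr_noauth

# --- OTP/Push validation actions (password check disabled) ----------------
# citrix_push is an assumed, separately configured pushService object.
add authentication ldapAction ldap_push_validate -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=svc-ns,ou=svc,dc=corp,dc=example" -ldapBindDnPassword <redacted> -ldapLoginName sAMAccountName -authentication DISABLED -OTPSecret userParameters -pushService citrix_push
add authentication Policy pol_push_validate -rule true -action ldap_push_validate
add authentication ldapAction ldap_otp_validate -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "cn=svc-ns,ou=svc,dc=corp,dc=example" -ldapBindDnPassword <redacted> -ldapLoginName sAMAccountName -authentication DISABLED -OTPSecret extensionAttribute1
add authentication Policy pol_otp_validate -rule true -action ldap_otp_validate

# --- Routing policies: NO_AUTHN, they only decide the next factor ----------
add authentication Policy pol_is_push_user -rule "AAA.USER.ATTRIBUTE(5).CONTAINS(\"#@\")" -action NO_AUTHN
add authentication Policy pol_is_manual_otp_user -rule "AAA.USER.ATTRIBUTE(6).CONTAINS(\"#@\")" -action NO_AUTHN

# --- Login schemas for the two second-factor branches ---------------------
add authentication loginSchema ls_noschema -authenticationSchema noschema
add authentication loginSchema ls_push_or_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthPushOrOTP.xml"
add authentication loginSchema ls_otp_only -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyOTP.xml"   # assumed file name

# --- Factor chain: auth -> extract -> select -> (push-or-otp | otp-only) ----
add authentication policylabel pl_push_or_otp -loginSchema ls_push_or_otp
bind authentication policylabel pl_push_or_otp -policyName pol_push_validate -priority 100 -gotoPriorityExpression NEXT

add authentication policylabel pl_otp_only -loginSchema ls_otp_only
bind authentication policylabel pl_otp_only -policyName pol_otp_validate -priority 100 -gotoPriorityExpression NEXT

# Select: first matching attribute wins; a user with neither attribute falls
# through with no nextFactor and is denied (no silent single-factor login).
add authentication policylabel pl_select -loginSchema ls_noschema
bind authentication policylabel pl_select -policyName pol_is_push_user -priority 100 -gotoPriorityExpression NEXT -nextFactor pl_push_or_otp
bind authentication policylabel pl_select -policyName pol_is_manual_otp_user -priority 110 -gotoPriorityExpression NEXT -nextFactor pl_otp_only

add authentication policylabel pl_extract -loginSchema ls_noschema
bind authentication policylabel pl_extract -policyName pol_ldap_attr_noauth -priority 100 -gotoPriorityExpression NEXT -nextFactor pl_select

# --- Entry point: AAA vserver runs factor 1, then the chain above ----------
add authentication vserver aaa_vs SSL 10.0.0.20 443
bind authentication vserver aaa_vs -policy lsp_single -priority 100 -gotoPriorityExpression END
bind authentication vserver aaa_vs -policy pol_ldap_auth -priority 100 -nextFactor pl_extract -gotoPriorityExpression NEXT
```

Two points worth checking when you adapt this. The attribute lookup and the branch decision sit behind the password factor, so an unauthenticated client cannot use the login page to learn which second factor a given account has. And, as Julian says, an attribute test only tells you which devices a user has registered, not whether the push service is reachable: the push branch still depends on the "Enter OTP manually" checkbox in DualAuthPushOrOTP.xml as the user-side fallback, and the ldapBindDn used for the non-auth lookup only needs read access to the two registration attributes.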

3 weeks later...

On 10/11/2022 at 5:01 PM, Julian Jakob said: (reply quoted in full above)

Hello Julian,

Thanks for your reply and your helpful suggestions!

We are actually using SecurID OTP and Push.

I was finally able to get this working in a lab scenario by using the nFlow visualizer tool.

I set a condition on the push factor to flow to the OTP factor if push failed. I verified this by letting the push notification time out. It did properly flow to OTP, but unfortunately not consistently.

Thankfully, we discovered a setting on the SecurID side that allows all users to choose whether to use push or OTP. This has integrated nicely with the ADC gateway so far.
