Jump to content
Welcome to our new Citrix community!

nFactor - EPA - Quarantine Group Issue - Authentication Terminates Prematurely

Paul Cross

Recommended Posts



Having an odd issue which I'm 99% sure is a bug but wanted to see if anyone else has noticed it. I have setup a simple Citrix Gateway that uses a AAA vServer to perform authentication using nFactor. EPA scan is run first followed by user LDAP logon.


If a domain joined machine attempts to log on then all works as expected. The problem occurs if the machine isn't domain joined, the EPA check fails and does add the user to the quarantine group as expected but the next factor policy is not actioned. It's terminating authentication. It then applies the session policy as an anonymous user.


This is clearly not correct. Citrix own documentation says:


EPA – Quarantine: If at a given factor, all client device check expressions from all actions fail, and if the last action contains “Quarantine group”, that group is added to the session and the nextFactor is looked into. That is, despite the failure, the presence of the “quarantine group” qualifies the session to the next stage. However, due to the inheritance of a special group, the administrator can relegate the session to restricted access or extra authentication policies like OTP or SAML.

If there is no quarantine group at the last action, authentication terminates in a failure.


Has anyone else noticed this? I know this used to work as I've deployed it numerous times without issue. I tried the latest 12.1 and 13.1 builds and both do the same thing.


For info, this is the EPA action:





Link to comment
Share on other sites

  • 9 months later...

It's still broken doing the same thing. You can work around it but it's messy and we shouldn't have to.


What I did was use a standard EPA policy, with no admin or quarantine groups assigned, then use noauth policies to manually assign a Group to the user in the next factor. You can then apply session policies in the same way. Does the same thing.... messy though!









Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...