Jump to content
Welcome to our new Citrix community!

Deny Gateway auth based on username

Recommended Posts


I have an AAA Gateway set up with nFactor auth flow.

I also see several 'bots' spam auth attempts all day, every day, on my device. Many of these auth attempts use a finite list of usernames that dont exist, or maybe some exist but arent set up for Gateway access.

I want to deny auth based on a self-defined list of 'bad' usernames to the point where the nFactor flow will deny before any method check, saving logs and resources towards my actual authentication servers.

Does ADC 13.1 allow for this?   


I'm hoping I can just make my list of usernames in the "Security -> AAA - Application Traffic -> Users" and put them in a Group, but I'm not sure how i would then reference this in the nFactor flow.

Link to comment
Share on other sites


I'm hoping I can just make my list of usernames in the "Security -> AAA - Application Traffic -> Users" and put them in a Group, but I'm not sure how i would then reference this in the nFactor flow.

This is actually a nice idea and you don't need to reference those accounts in a Flow, you just bind an Authorization Policy (with action == DENY) to all those users (or you can create a Group and bind the authorization policy to the group)

This policy should be evaluated before the global authorization policy, preventing access to those users


PS: This will not stop the ADC from trying to authenticate the user, to prevent this you need to operate before the authentication policy is triggered

Keep in mind that you need the user (or bot) to input (and submit) a username before you can grab and analyze that username, so a way to achieve what you want is by splitting the request for username and the request for password in 2 phases. Than you have all the time to analyze the submitted username before asking for a password.




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...