Note: According to RFC6176 from Internet Engineering Task Force (ITEF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

This article describes following scenario:

1. 1st factor is configured for either Certificate or LDAP Authentication.

2. If a user fails to present Certificate for Authentication, there is an option to fall down to LDAP Authentication.

3. Only a single Authentication vserver is needed to configure both.

This section describes these steps in detail. The first section briefly introduces the entities that are encountered in this document, and in general for nFactor authentication. The next section pictographically demonstrates the flow. The following sections have example “LoginSchema” that can be used to realize the logon form, and the relevant configuration.

Entities used in nFactor

LoginSchema

Login Schema is an XML construct that is aimed at providing sufficient information to the UI tier so that it can generate user interface based on the information that is sent in this XML blob. LoginSchema is a logical representation of logon form in XML medium.

It can be added as:
add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> ­-passwordExpression <Expression>

where authenticationSchema is a well-structured XML that defines the way login form is rendered. UserExpression is used to extract username from login attempt. Likewise passwordExpression is used to extract password.

Authentication Policylabel

Auth Policy label is a collection of authentication policies for a particular factor.  It is recommended that these are pseudo-homogenous policies, which means, the credentials received from user apply to all the policies in the cascade. However, there are exceptions to this when a fallback option is configured or feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there’s no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the vserver cascade.

When an authentication policy is bound to authentication vserver, specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.

It can be added as:
add authentication policylabel <name> -loginSchema <loginSchemaName>

Where, loginSchemaName will be the login schema that we want to associate with this authentication factor.

We can bind authentication policies to this label:
bind authentication policylabel <name> -policy LDAP –priority 10 –nextfactor <nextFactorLabelName>

Use Case Description

1. User accesses TM vserver and he is redirected to Authentication vserver.

2. If User Certificate is present in the client device, he will see a prompt as below to select the certificate for authentication:

   

3. Upon selecting the appropriate certificate, user will be authenticated and granted access to backend resource.

4. Now in case if user Certificate is absent, then user will see a login page for LDAP authentication as below and on submitting the user credentials, he will be authenticated and granted access to backend resource.

   

Users see a login page with Username and Password field. The fields such as labels for username and password can be customized.

Here’s the example used for this specific representation of logon form:

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse  xmlns="http://citrix.com/authentication/response/1" >
<Status >success </Status>
<Result >more-info</Result>
<StateContext/>
<AuthenticationRequirements>
<PostBack> /nf/auth/doAuthentication.do</PostBack >
<CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>Enter Login Name:</Text><Type>plain</Type></Label><Input><AssistiveText>Please supply either username as saamaccountname</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
<Requirement><Credential><Type>none</Type></Credential><Label><Text> Hello , Please submit password to continue Login ...</Text><Type>confirmation</Type></Label><Input /></Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>

All the customizable portions of the logon form are highlighted here. Administrators can modify these values to suit their needs.

nFactor Flow Presentation

Policies for this use-case

add lb vserver lb_ssl SSL 10.217.28.166 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.aaatm.com -Authentication ON -authnVsName avn
add authentication vserver avn SSL 10.217.28.167 443 -AuthenticationDomain aaatm.com
bind authentication vserver avn -policy <Certificate Auth Policy> -priority 1 -gotoPriorityExpression NEXT
bind authentication vserver avn -policy <LDAP Auth Policy> -priority 2 -gotoPriorityExpression NEXT

The preceding configuration describes adding a TM vserver for resource access, adding Authentication vserver for securing TM vserver, and relevant policies for this use-case. Portions highlighted in “yellow” are to replaced with appropriate authentication policies by the administrators. 

The GOTO Priority expression by default is NEXT, so that we fall down to the next policy if it fails. 

Certificate and LDAP Policy Configuration

The following is an examples of certificate and LDAP policy configuration:
add authentication certAction ca -userNameField SubjectAltName:PrincipalName
add authenticationpolicy cert -rule true -action ca

add authentication ldapAction ldap-new -serverIP 10.217.28.180 -ldapBase "cn=users,dc=aaatm,dc=com" -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 1.linux -ldapLoginName sAMAccountName -groupattrName memberof -subAttributeName CN
add authenticationpolicy ldap-new -rule true -action ldap-new
 

Configuration Through Visualizer

1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add
2.  Click on the + sign to add the nFactor Flow

3. Add Factor, this will be the name of the nFactor Flow

4. No schema needs to be selected for this configuration as the Cert Authentication doesn't require a login schema and if the Authentication falls back to LDAP, the default login page is used.

5. Click on Add Policy and then Add after Choosing the Cert Authentication Policy

For more information on Client Cert Authentication see, CTX205823

6. Click on the blue plus sign below the Cert_Policy just selected to add LDAP Authentication Policy

7. Select the LDAP_Policy and then Add

For more information on creating LDAP Authentication see, Configuring LDAP Authentication

8.  Click on Done this will automatically save the configuration.
9. Select the nFactor Flow just created and bind it to a AAA Virtual Server by clicking on Bind to Authentication Server and then Create
 

NOTE: Bind and Unbind the nFatctor Flow through he option given in nFactor Flow under Show Bindings only.

To unbind the nFactor Flow:

1. Select the nFactor Flow and Click on Show Bindings
2. Select the Authentication VServer and Click Unbind

Important ns.log Messages

1. For the case when Certificate is absent:

ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New -NO_CLIENT_CERT-
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT  0-PPE-2 : default AAA Message 437 0 :  "NFactor: Cert Auth: certificate is absent, falling back nFactor login"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT  0-PPE-2 : default AAATM Message 438 0 :  "LoginSchema policyeval did not return an active policy"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 524 0 :  SPCBId 568 - ClientIP 10.252.112.163 - ClientPort 54500 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT  0-PPE-2 : default SSLVPN Message 439 0 :  "core 2: ns_get_username_password: loginschema gleaned is default "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT  0-PPE-2 : default SSLVPN Message 440 0 :  "aaad_authenticate_req: copying policylabel name avn to aaa info, type 33 for auth "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT  0-PPE-2 : default SSLVPN Message 441 0 :  "sslvpn_extract_attributes_from_resp: attributes copied so far are user11.citrix "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT  0-PPE-2 : default SSLVPN Message 442 0 :  "sslvpn_extract_attributes_from_resp: total len copied 23, mask 0x5 "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT  0-PPE-2 : default AAATM Message 443 0 :  "SAMLIDP: Checking whether current flow is SAML IdP flow, input aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s"
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT  0-PPE-2 : default AAATM Message 444 0 :  "Invaid tass cookie while checking whether current authentication is due to idp functionality: aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s "
Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT  0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 :  Extracted_groups "grp1,grp2,grp3,Group2,group1"

2. For the case when Certificate is present:

Jul 30 21:10:36 <local0.debug> 127.0.0.2 07/30/2015:21:10:36 GMT  0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 452 0 :  SPCBId 596 - ClientIP 10.217.28.185 - ClientPort 57227 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session Reuse
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 :  SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 540 0 :  SPCBId 578 - IssuerName " DC=com,DC=aaatm,CN=aaatm-DC-CA-1"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 541 0 :  SPCBId 578 - SubjectName " DC=com,DC=aaatm,CN=Users,CN=user2"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT  0-PPE-0 : default AAA Message 542 0 :  "NFactor: Successfully completed cert auth, nextfactor is "
Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT  0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT  0-PPE-0 : default SSLVPN Message 544 0 :  "core 0: initClientForReuse: making aaa_service_fqdn_len 0 "