nfactor - Certificate Authentication Followed by Group Extraction for 401 Enabled LB/TM Virtual Server on NetScaler

Article ID: CTX201734

Description

Use-Case: Certificate Authentication followed by Group Extraction for a 401-enabled Load Balancing/Traffic Management virtual server.
This document describes the following scenario:

  1. The administrator configures certificate authentication as the first factor.
  2. The second factor is configured for LDAP group extraction.

These steps are described in detail below. The first section briefly introduces the entities encountered in this document, and in nFactor authentication in general. The next section walks through the flow. The sections after that give the relevant configuration and the LoginSchema that applies to it.

With a 401-enabled vserver the credentials are collected through the browser's 401 challenge rather than through a NetScaler logon form. Once those credentials have been evaluated successfully, the user cannot be presented with a 401 challenge again for subsequent factors: a second prompt would be ambiguous, because the user could not tell whether it means that the first authentication failed or that another factor is configured. Hence the only LoginSchema applicable to 401 nFactor is noschema, and the subsequent factors run as passthrough factors that reuse the credentials already obtained.

Entities used in nFactor:

LoginSchema:

Login Schema is an XML construct that gives the UI tier enough information to generate the user interface from the XML blob sent to it. A LoginSchema is the logical representation of a logon form in XML.

It can be added as:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>

where authenticationSchema is a well-formed XML document that defines how the login form is rendered. userExpression extracts the username from the login attempt; likewise, passwordExpression extracts the password.

Authentication Policylabel:

An authentication policy label is a collection of authentication policies for a particular factor. It is recommended that these be pseudo-homogeneous, meaning that the credentials received from the user apply to all the policies in the cascade. There are exceptions to this when a fallback option is configured or a feedback mechanism is intended.
Authentication policy labels constitute the secondary, user-defined factors. With nFactor there is no single "secondary" cascade: there can be N secondary factors, depending on configuration, and as many policy labels as desired. The number of factors for a given authentication is defined by the longest sequence of policy labels beginning with the vserver cascade.

When an authentication policy is bound to an authentication vserver, nextFactor names the policy label (factor) to proceed to if the policy succeeds. Likewise, when policies are bound to a policy label, nextFactor names the next policy label to continue with if the policy succeeds.

It can be added as:

add authentication policylabel <name> -loginSchema <loginSchemaName>

where loginSchemaName is the login schema to associate with this authentication factor.

Authentication policies are then bound to this label:

bind authentication policylabel <name> -policyName <policyName> -priority 10 -nextFactor <nextFactorLabelName>

Use-case description:

  1. The user accesses the TM vserver and is redirected to the authentication vserver.

  2. If a user certificate is present on the client device, the client is prompted to present it.

  3. After the user certificate is submitted, authentication proceeds to the next factor. This factor is configured as "passthrough": NetScaler continues authentication with the existing credentials without asking the user for a new set. In this use-case the passthrough factor is configured for LDAP group extraction with authentication disabled. The administrator can verify the extracted groups in ns.log, as shown in the ns.log output section.

Policies for this use-case:

  1. TM and Auth vserver configuration:
    add lb vserver lbssl SSL 10.102.42.32 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth1.aaatm-test.com -authn401 ON -authnVsName auth1
    add authentication vserver auth1 SSL 10.102.42.30 443 -AuthenticationDomain aaatm-test.com

    A client certificate must be obtained from the client in one of two ways. Either require it in the initial TLS handshake:
    set ssl vserver lbssl -clientAuth ENABLED -clientCert Mandatory

    or permit SSL renegotiation, so that the certificate can be requested through a renegotiation when the certificate policy is evaluated:
    set ssl parameter -denySSLReneg NO

  2. Cert policy in first factor bound to Auth vserver:
    add authentication certAction cact -userNameField SubjectAltName:PrincipalName
    add authentication Policy certadvpol -rule true -action cact
    bind authentication vserver auth1 -policy certadvpol -priority 1 -nextFactor certldaplabel -gotoPriorityExpression NEXT

  3. 2nd factor configuration:
    The second factor performs LDAP group extraction for the username extracted from the certificate. In the example configuration the username is taken from the UserPrincipalName field of the certificate, so the LDAP action looks the user up by userPrincipalName. This factor is a passthrough with the loginschema "noschema".
    add authentication ldapAction ldapgrp -serverIP 10.102.221.22 -secType SSL -serverPort 636 -ldapBase "dc=aaatm-test,dc=com" -ldapBindDn administrator@aaatm-test.com -ldapBindDnPassword freebsd -ldapLoginName userprincipalName -groupAttrName memberOf -subAttributeName CN -authentication DISABLED
    add authentication Policy ldapgrpol -rule true -action ldapgrp
    add authentication policylabel certldaplabel -loginSchema noschema
    bind authentication policylabel certldaplabel -policyName ldapgrpol -priority 1 -gotoPriorityExpression NEXT

    The configuration above adds a TM vserver for resource access, an authentication vserver that secures it, and the policies for this use-case. The -nextFactor option on the vserver binding is what selects the policy label that runs the next factor; the group-extraction label is created with noschema because no further prompt can be shown behind a 401 challenge.
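As an added example (not part of this article and not NetScaler code), the following Python script parses the CLI lines above in ns.conf form and checks the points this use-case depends on: that every factor reached through -nextFactor behind a 401-enabled LB vserver uses noschema, that the LDAP action in the passthrough factor has -authentication DISABLED and a -groupAttrName, and that it looks users up by the same attribute the certAction extracts. The embedded configuration is constructed from the article's own lines; the parser understands only the add/bind forms used here, and the option names it compares are assumptions drawn from those lines.

```python
import shlex
from collections import defaultdict

# Constructed sample: the article's NetScaler CLI lines in ns.conf form (the bind
# password is in clear only because the article shows it that way).
SAMPLE_CONFIG = """
add lb vserver lbssl SSL 10.102.42.32 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth1.aaatm-test.com -authn401 ON -authnVsName auth1
add authentication vserver auth1 SSL 10.102.42.30 443 -AuthenticationDomain aaatm-test.com
add authentication certAction cact -userNameField SubjectAltName:PrincipalName
add authentication Policy certadvpol -rule true -action cact
bind authentication vserver auth1 -policy certadvpol -priority 1 -nextFactor certldaplabel -gotoPriorityExpression NEXT
add authentication ldapAction ldapgrp -serverIP 10.102.221.22 -secType SSL -serverPort 636 -ldapBase "dc=aaatm-test,dc=com" -ldapBindDn administrator@aaatm-test.com -ldapBindDnPassword freebsd -ldapLoginName userprincipalName -groupAttrName memberOf -subAttributeName CN -authentication DISABLED
add authentication Policy ldapgrpol -rule true -action ldapgrp
add authentication policylabel certldaplabel -loginSchema noschema
bind authentication policylabel certldaplabel -policyName ldapgrpol -priority 1 -gotoPriorityExpression NEXT
"""


def parse_line(line):
    """Split one CLI line into (verb, object kind, name, options); option names are lower-cased."""
    tokens = shlex.split(line)
    verb, kind, name = tokens[0].lower(), f"{tokens[1]} {tokens[2]}".lower(), tokens[3]
    options, i = {}, 4
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1 and not tok[1].isdigit():
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                options[tok[1:].lower()], i = tokens[i + 1], i + 2
            else:
                options[tok[1:].lower()], i = True, i + 1   # bare flag without a value
        else:
            i += 1                                          # positional: service type, IP, port
    return verb, kind, name, options


def parse_config(text):
    """Object model: named objects per kind plus the two binding tables."""
    model = {k: {} for k in ("lb vserver", "authentication vserver", "authentication policylabel",
                             "authentication policy", "authentication certaction", "authentication ldapaction")}
    model["vserver_bindings"] = defaultdict(list)   # auth vserver -> [binding options]
    model["label_bindings"] = defaultdict(list)     # policylabel  -> [binding options]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verb, kind, name, opts = parse_line(line)
        if verb == "add" and kind in model:
            model[kind][name] = opts
        elif verb == "bind" and kind == "authentication vserver":
            model["vserver_bindings"][name].append(opts)
        elif verb == "bind" and kind == "authentication policylabel":
            model["label_bindings"][name].append(opts)
    return model


def factor_chain(model, auth_vs):
    """Follow -nextFactor from the auth vserver through the policylabels: [(factor, [policies]), ...]."""
    bindings = model["vserver_bindings"].get(auth_vs, [])
    chain = [(auth_vs, [b.get("policy") for b in bindings])]
    frontier, seen = [b["nextfactor"] for b in bindings if "nextfactor" in b], set()
    while frontier:
        label = frontier.pop(0)
        if label in seen:
            continue                                        # nextFactor loop guard
        seen.add(label)
        lbinds = model["label_bindings"].get(label, [])
        chain.append((label, [b.get("policyname") for b in lbinds]))
        frontier.extend(b["nextfactor"] for b in lbinds if "nextfactor" in b)
    return chain


def check_401_nfactor(model):
    """Findings for every 401-enabled LB vserver; an empty list means the chain is consistent."""
    findings = []
    for lb, opts in model["lb vserver"].items():
        if str(opts.get("authn401", "OFF")).upper() != "ON":
            continue
        auth_vs, cert_field = opts.get("authnvsname"), None
        for factor, policies in factor_chain(model, auth_vs):
            is_label = factor != auth_vs
            if is_label:
                label = model["authentication policylabel"].get(factor)
                if label is None:
                    findings.append(f"{lb}: nextFactor {factor!r} is not a configured policylabel")
                    continue
                # a 401 vserver cannot render a logon form, so every later factor must be noschema
                if str(label.get("loginschema", "")).lower() != "noschema":
                    findings.append(f"{lb}: factor {factor!r} uses loginSchema {label.get('loginschema')!r}; only noschema works behind a 401 vserver")
            for pol in policies:
                action = model["authentication policy"].get(pol, {}).get("action")
                if action in model["authentication certaction"]:
                    cert_field = model["authentication certaction"][action].get("usernamefield")
                elif action in model["authentication ldapaction"]:
                    ldap = model["authentication ldapaction"][action]
                    if is_label and str(ldap.get("authentication", "ENABLED")).upper() != "DISABLED":
                        findings.append(f"{lb}: ldapAction {action!r} in passthrough factor {factor!r} needs -authentication DISABLED")
                    if not ldap.get("groupattrname"):
                        findings.append(f"{lb}: ldapAction {action!r} has no -groupAttrName, so no groups are extracted")
                    if cert_field and str(cert_field).lower().endswith("principalname") \
                            and str(ldap.get("ldaploginname", "")).lower() != "userprincipalname":
                        findings.append(f"{lb}: certAction extracts {cert_field}, but ldapAction {action!r} looks users up by {ldap.get('ldaploginname')!r}")
    return findings
```

Running `check_401_nfactor(parse_config(SAMPLE_CONFIG))` on the article's configuration returns no findings; swapping the label's loginSchema for a form-rendering schema, or setting the LDAP action to `-authentication ENABLED`, produces one finding each, which is the kind of drift that otherwise only shows up as an unexplained second 401 prompt.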

The nFactor configuration in steps 2 and 3 can also be built with the nFactor Visualizer, a feature available from firmware 13.0 onward.

Complete Flow:

  1. Go to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
  2. Click the + sign to add the nFactor Flow.
  3. Add Factor; this is the name of the nFactor Flow. Click Create.
  4. Click "Add Policy" to add the certificate authentication policy. If the policy already exists, select it from the drop-down list; otherwise click Add and create the policy with a certificate authentication action (the certAction from step 2 above). Click Create and then click Add.
  5. Click the green + sign to the right of the certificate authentication policy to add the second factor for the group extraction. Click Create.
  6. Click "Add policy" to add the group extraction policy. The action (the LDAP server) in the policy needs to be configured to use UserPrincipalName. Click Create and then click Add. Click Done.
  7. Select the nFactor flow to bind it to an authentication vserver.

Important ns.log messages seen during this case:

Jul 31 04:37:59 <local0.debug> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 785 0 :  SPCBId 519 - SubjectName " DC=com,DC=aaatm-test,CN=Users,CN=user1"
Jul 31 04:37:59 <local0.debug> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default AAATM Message 786 0 :  "nFactor: CERTAUTH: auth complete; next factor configured is certldaplabel"
Jul 31 04:37:59 <local0.debug> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default AAATM Message 787 0 :  "nFactor: certauth complete; next factor configured is certldaplabel is passthrough for user1@aaatm-test.com, ignoring authorization header"
Jul 31 04:37:59 <local0.debug> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default SSLVPN Message 788 0 :  "aaad_authenticate_req: copying policylabel name certldaplabel to aaa info, type 65 for auth "
Jul 31 04:37:59 <local0.info> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default AAA EXTRACTED_GROUPS 789 0 :  Extracted_groups "grp10"
Jul 31 04:37:59 <local0.info> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default AAATM LOGIN 790 0 : Context user1@aaatm-test.com@10.102.229.222 - SessionId: 4- User user1@aaatm-test.com - Client_ip 10.102.229.222 - Nat_ip "Mapped Ip" - Vserver 10.102.42.32:443 - Browser_type "Mozilla/5.0 (Windows NT 6.0; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
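Added example, not from the article: a Python parser for the ns.log lines above that reconstructs the login flow (certificate subject, CERTAUTH completion, configured next factor, passthrough user, policylabel handed to aaad, extracted groups, and the LOGIN record) and checks it against the expected policylabel name. The embedded log lines are the ones shown above, and the message formats it matches are taken from those lines only; the assumption that Extracted_groups lists several groups comma-separated is marked in the code.

```python
import re

# Constructed sample: the ns.log excerpt shown above for one login (user1 presents a
# certificate; the passthrough factor certldaplabel extracts the LDAP groups).
SAMPLE_NSLOG = """
Jul 31 04:37:59 <local0.debug> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 785 0 :  SPCBId 519 - SubjectName " DC=com,DC=aaatm-test,CN=Users,CN=user1"
Jul 31 04:37:59 <local0.debug> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default AAATM Message 786 0 :  "nFactor: CERTAUTH: auth complete; next factor configured is certldaplabel"
Jul 31 04:37:59 <local0.debug> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default AAATM Message 787 0 :  "nFactor: certauth complete; next factor configured is certldaplabel is passthrough for user1@aaatm-test.com, ignoring authorization header"
Jul 31 04:37:59 <local0.debug> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default SSLVPN Message 788 0 :  "aaad_authenticate_req: copying policylabel name certldaplabel to aaa info, type 65 for auth "
Jul 31 04:37:59 <local0.info> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default AAA EXTRACTED_GROUPS 789 0 :  Extracted_groups "grp10"
Jul 31 04:37:59 <local0.info> 127.0.0.2 07/31/2015:04:37:59 GMT  0-PPE-0 : default AAATM LOGIN 790 0 : Context user1@aaatm-test.com@10.102.229.222 - SessionId: 4- User user1@aaatm-test.com - Client_ip 10.102.229.222 - Nat_ip "Mapped Ip" - Vserver 10.102.42.32:443 - Browser_type "Mozilla/5.0 (Windows NT 6.0; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
"""

# One ns.log frame: <syslog ts> <prio> <host> <ns ts> GMT <ppe> : default <MODULE> <EVENT> <id> 0 : <body>
FRAME = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+<(?P<prio>[^>]+)>\s+\S+\s+(?P<ts>\S+)\s+GMT\s+(?P<ppe>\S+)"
                   r"\s+:\s+default\s+(?P<module>\w+)\s+(?P<event>\w+)\s+(?P<msgid>\d+)\s+\d+\s+:\s+(?P<body>.*)$")


def parse_nslog(text):
    """One dict per recognised ns.log line; lines that do not fit the frame are skipped."""
    return [m.groupdict() for m in (FRAME.match(l.strip()) for l in text.splitlines()) if m]


def summarize_login(events):
    """Collapse the events of one login into the facts this use-case depends on."""
    s = {"subject": None, "cert_auth_complete": False, "next_factor": None, "passthrough_user": None,
         "aaad_label": None, "extracted_groups": [], "login_user": None, "client_ip": None,
         "login_vserver": None, "login_groups": None}
    for e in events:
        mod, ev, body = e["module"], e["event"], e["body"]
        if (mod, ev) == ("SSLLOG", "SSL_HANDSHAKE_SUBJECTNAME"):
            m = re.search(r'SubjectName\s+"\s*(.*?)"', body)
            if m:
                s["subject"] = m.group(1)
        elif (mod, ev) == ("AAATM", "Message") and "nFactor:" in body:
            s["cert_auth_complete"] |= "CERTAUTH: auth complete" in body
            m = re.search(r"next factor configured is (\S+)", body)
            if m:
                s["next_factor"] = m.group(1)
            m = re.search(r"is passthrough for (\S+), ignoring authorization header", body)
            if m:
                s["passthrough_user"] = m.group(1)
        elif (mod, ev) == ("SSLVPN", "Message"):
            m = re.search(r"copying policylabel name (\S+) to aaa info", body)
            if m:
                s["aaad_label"] = m.group(1)
        elif (mod, ev) == ("AAA", "EXTRACTED_GROUPS"):
            # assumption: when several groups are extracted they are comma-separated inside the quotes
            m = re.search(r'Extracted_groups\s+"(.*?)"', body)
            if m:
                s["extracted_groups"] = [g.strip() for g in m.group(1).split(",") if g.strip()]
        elif (mod, ev) == ("AAATM", "LOGIN"):
            m = re.search(r'User (\S+) - Client_ip (\S+) .*? - Vserver (\S+) .*Group\(s\) "(.*?)"', body)
            if m:
                s["login_user"], s["client_ip"], s["login_vserver"], s["login_groups"] = m.groups()
    return s


def verify_flow(summary, expected_label):
    """Compare a login summary with the flow this use-case expects; an empty list means it matched."""
    problems = []
    if not summary["cert_auth_complete"]:
        problems.append("no 'CERTAUTH: auth complete' message: the certificate factor did not succeed")
    if summary["next_factor"] != expected_label:
        problems.append(f"next factor was {summary['next_factor']!r}, expected {expected_label!r}")
    if summary["passthrough_user"] is None:
        problems.append("the next factor was not logged as passthrough for a user")
    if summary["aaad_label"] != expected_label:
        problems.append(f"aaad received policylabel {summary['aaad_label']!r}, expected {expected_label!r}")
    if not summary["extracted_groups"]:
        problems.append("no EXTRACTED_GROUPS record: LDAP group extraction returned nothing")
    if summary["login_user"] != summary["passthrough_user"]:
        problems.append("LOGIN user differs from the passthrough user")
    return problems
```

The summary keeps the EXTRACTED_GROUPS value and the Group(s) field of the LOGIN record as separate fields: in the excerpt above the former reports grp10 while the latter reads "N/A", so the EXTRACTED_GROUPS record is the one to check when verifying that group extraction worked.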

 
