NetScaler nFactor with Two-Factor Authentication Does Not Function as Expected

Article ID: CTX216991

Description

Consider the following scenario: you have a conditional two-factor authentication chain in which nFactor asks for the username and then performs group extraction. Based on the groups present, the user is prompted for either a password or two-factor authentication.

The issue is that when the user is prompted for two-factor authentication and enters the wrong code, they are presented with the "Bad password or code" message. However, on re-entering the original portal URL in the browser, the user is authenticated in spite of having entered incorrect credentials. This seems to be true no matter how you organize the different factors in the chain.

Resolution

To resolve this issue, upgrade NetScaler to 11.1 GA or to 11.0 build 67.11.


Problem Cause

This is a known issue tracked with issue ID 0628662.

The AAA authentication cookies are set at the very beginning of first-factor authentication. Subsequent requests therefore always carry the cookies, the cookie check evaluates to true, and NetScaler treats the user as successfully authenticated.
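The following is an added illustration, not NetScaler code and not taken from the original article: a toy session model that contrasts a cookie-presence check with a check that every required factor has actually passed. The class and function names, the `otp-users` group, and the password-plus-OTP chain are assumptions made for the example, and the hardened branch shows one possible design rather than the change made in the fixed builds.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    required: tuple                      # factors the chain demands for this user
    passed: set = field(default_factory=set)

class Gateway:
    """Toy AAA front end. hardened=False models the behaviour in Problem Cause."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}

    def start_login(self, user, groups):
        # Group extraction picks the chain ("otp-users" is a made-up group name).
        required = ("password", "otp") if "otp-users" in groups else ("password",)
        cookie = secrets.token_hex(16)   # cookie handed out before any factor passes
        self.sessions[cookie] = Session(user, required)
        return cookie

    def submit_factor(self, cookie, factor, ok):
        session = self.sessions.get(cookie)
        if session is None:
            return "No session"
        if ok:
            session.passed.add(factor)
            return "Factor accepted"
        if self.hardened:
            del self.sessions[cookie]    # a failed factor ends the pre-auth session
        return "Bad password or code"

    def is_authenticated(self, cookie):
        session = self.sessions.get(cookie)
        if session is None:
            return False
        if not self.hardened:
            return True                  # flaw: presence of the cookie is enough
        return set(session.required) <= session.passed

def portal_after_wrong_code(gateway):
    """Fail the second factor, then request the portal again with the same cookie."""
    cookie = gateway.start_login("alice", {"otp-users"})
    gateway.submit_factor(cookie, "password", ok=True)
    gateway.submit_factor(cookie, "otp", ok=False)
    return gateway.is_authenticated(cookie)

if __name__ == "__main__":
    print("cookie-only check:", portal_after_wrong_code(Gateway(hardened=False)))
    print("completion check :", portal_after_wrong_code(Gateway(hardened=True)))
```

The same sequence makes a useful regression check after upgrading: a failed second factor followed by a fresh request to the portal URL must not yield an authenticated session.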

Additional Information

CTX201706 - nFactor - Get Two Passwords Up Front then Pass-Through in Next Factor on NetScaler