How to Configure Pre-Auth and Post-Auth EPA Scan as a Factor in nFactor Authentication

Article ID: CTX230893

Description

This article describes how to configure NetScaler Gateway for nFactor authentication with pre-auth and post-auth EPA scans.

Introduction

Multi-factor authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. The NetScaler appliance provides an extensible and flexible approach to configuring multi-factor authentication. This approach is called nFactor authentication.

On NetScaler Gateway, End Point Analysis (EPA) can be configured to check whether a user device meets certain security requirements and, accordingly, allow the user access to internal resources. The Endpoint Analysis Plug-in downloads and installs on the user device when the user logs on to NetScaler Gateway for the first time. If a user does not install the Endpoint Analysis Plug-in on the device or chooses to skip the scan, the user cannot log on with the NetScaler Gateway Plug-in. Optionally, the user can be placed in a quarantine group that grants limited access to internal network resources.

In this article, an EPA scan is used as the initial check of an nFactor (multi-factor) authentication flow, followed by a login and a second EPA scan as the final check. As an example, the following logic is implemented.


The user connects to the NetScaler Gateway virtual IP and an EPA scan is initiated. If the EPA scan succeeds, the user is presented with a login page containing username and password fields for LDAP or AD (Active Directory) based authentication. If the credentials supplied by the user are accepted, the user is redirected to the next EPA factor.

To implement this logic, after the first EPA scan:

  1. If the scan is successful, the user is placed in (tagged with) a default user group.

  2. The next method of authentication (LDAP) is selected.

  3. Based on the result of that authentication, the user is presented with the next set of scans.

Pre-requisites

It is assumed that the following configuration is already in place:

  • VPN vserver/Gateway and Authentication vserver configurations
  • AAA user groups (for the default and quarantined user groups) and their associated policies
  • LDAP configuration and its associated policies
As part of this guide, the required policies and policy label configurations are shown and associated with an authentication profile.

Instructions

Configuration Steps

CLI configuration steps:

  1. Create an action to perform EPA scan and associate it with an EPA scan policy

    add authentication epaAction FirstEPA-client-scan -csecexpr "sys.client_expr(\"os_0_win7_sp_1\")" -defaultEPAGroup default_group
    As an example, the above expression checks whether Windows 7 users have Service Pack 1 installed. default_group is a pre-configured user group.

    add authentication Policy FirstEPA-check -rule true -action FirstEPA-client-scan

  2. Configure the ldap-auth policy and associate it with the LDAP policy that is configured to authenticate against a particular LDAP server.

    add authentication Policy ldap-auth -rule true -action ldap_server1
    ldap_server1 is the LDAP policy and ldap-auth is the name of the new policy.

  3. Configure the policy label epa-usergroup-check with the login schema that captures the single-factor username and password.

    add authentication policylabel epa-usergroup-check -loginSchema LSCHEMA_INT

    Note: Replace LSCHEMA_INT with the schema you need if you do not want to use the built-in schema LSCHEMA_INT.

  4. Associate the policy configured in step 2 with the policy label configured in step 3.

    bind authentication policylabel epa-usergroup-check -policyName ldap-auth -priority 100 -gotoPriorityExpression END -nextFactor post-epa-scan

    Here END indicates the end of the authentication mechanism for that leg, and -nextFactor, as the name suggests, indicates the factor that follows a successful authentication.

  5. Create an action to perform the next EPA scan and associate it with an EPA scan policy.

    add authentication epaAction SecondEPA-client-scan -csecexpr "sys.client_expr(\"proc_0_firefox\")"

    As an example, the above expression checks whether the Firefox process is running on the client machine.

    add authentication Policy SecondEPA-check -rule true -action SecondEPA-client-scan

  6. Configure the policy label post-epa-scan, which hosts the policy for the second EPA scan.

    add authentication policylabel post-epa-scan -loginSchema LSCHEMA_INT

    Note: LSCHEMA_INT is the built-in schema with no schema (noschema), meaning no additional web page is presented to the user at this step.

  7. Associate the policy configured in step 5 with the policy label configured in step 6.

    bind authentication policylabel post-epa-scan -policyName SecondEPA-check -priority 100 -gotoPriorityExpression END

    Here END indicates the end of the authentication mechanism.

  8. Bringing it all together, bind the first EPA scan policy to the AAA vserver, with the next step pointing to the policy label epa-usergroup-check to perform the next step in authentication.

    bind authentication vserver MFA_AAA_vserver -policy FirstEPA-check -priority 100 -nextFactor epa-usergroup-check -gotoPriorityExpression NEXT
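The chain built in steps 1 to 8 only works if every -action, -policyName and -nextFactor reference resolves to an object that was actually created, and a mistyped name is the usual reason an nFactor flow stops at the first factor. The following checker is an added example, not part of the Citrix article or of the NetScaler product: it parses the article's CLI lines (embedded below as a constructed sample, with the article's object names and the vserver MFA_AAA_vserver), reports dangling references, and walks the -nextFactor links from the vserver binding to the terminal factor. ldap_server1 is treated as pre-existing because it belongs to the prerequisites rather than to these steps.

```python
"""Consistency checker for an nFactor chain written as NetScaler CLI lines.

Added example (not from the Citrix article). It understands only the
`add authentication ...` / `bind authentication ...` forms used in the
article; anything else is ignored.
"""

import shlex

# Constructed sample: the article's steps 1-8 as one configuration.
SAMPLE_CONFIG = r'''
add authentication epaAction FirstEPA-client-scan -csecexpr "sys.client_expr(\"os_0_win7_sp_1\")" -defaultEPAGroup default_group
add authentication Policy FirstEPA-check -rule true -action FirstEPA-client-scan
add authentication Policy ldap-auth -rule true -action ldap_server1
add authentication policylabel epa-usergroup-check -loginSchema LSCHEMA_INT
bind authentication policylabel epa-usergroup-check -policyName ldap-auth -priority 100 -gotoPriorityExpression END -nextFactor post-epa-scan
add authentication epaAction SecondEPA-client-scan -csecexpr "sys.client_expr(\"proc_0_firefox\")"
add authentication Policy SecondEPA-check -rule true -action SecondEPA-client-scan
add authentication policylabel post-epa-scan -loginSchema LSCHEMA_INT
bind authentication policylabel post-epa-scan -policyName SecondEPA-check -priority 100 -gotoPriorityExpression END
bind authentication vserver MFA_AAA_vserver -policy FirstEPA-check -priority 100 -nextFactor epa-usergroup-check -gotoPriorityExpression NEXT
'''


def parse_options(tokens):
    """Turn `-name value` pairs into a dict keyed by lower-cased option name."""
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i].lstrip("-").lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def parse_config(text, preexisting=()):
    """Collect actions, policies, policy labels and bindings from CLI text.

    `preexisting` names objects (such as an LDAP action created as a
    prerequisite) that should count as defined even though they are not in
    the text."""
    cfg = {"actions": set(preexisting), "policies": {}, "labels": set(), "bindings": []}
    for raw in text.strip().splitlines():
        tokens = shlex.split(raw)  # honours the \" escapes inside -csecexpr
        if len(tokens) < 4 or tokens[1].lower() != "authentication":
            continue
        verb, kind, name = tokens[0].lower(), tokens[2].lower(), tokens[3]
        opts = parse_options(tokens[4:])
        if verb == "add" and kind.endswith("action"):
            cfg["actions"].add(name)
        elif verb == "add" and kind == "policy":
            cfg["policies"][name] = opts.get("action")
        elif verb == "add" and kind == "policylabel":
            cfg["labels"].add(name)
        elif verb == "bind" and kind in ("policylabel", "vserver"):
            cfg["bindings"].append({
                "scope": kind, "target": name,
                "policy": opts.get("policyname") or opts.get("policy"),
                "priority": int(opts.get("priority", "0")),
                "next": opts.get("nextfactor"),
                "goto": opts.get("gotopriorityexpression"),
            })
    return cfg


def check_config(cfg):
    """Return a list of dangling references; an empty list means consistent."""
    problems = []
    for pname, action in cfg["policies"].items():
        if action not in cfg["actions"]:
            problems.append(f"policy {pname}: action {action!r} is not defined")
    for b in cfg["bindings"]:
        where = f"bind {b['scope']} {b['target']}"
        if b["scope"] == "policylabel" and b["target"] not in cfg["labels"]:
            problems.append(f"{where}: policy label is not defined")
        if b["policy"] not in cfg["policies"]:
            problems.append(f"{where}: policy {b['policy']!r} is not defined")
        if b["next"] is not None and b["next"] not in cfg["labels"]:
            problems.append(f"{where}: nextFactor {b['next']!r} is not a defined policy label")
        # Only the two keywords the article uses (END, NEXT) or a priority number are accepted here.
        if b["goto"] not in ("END", "NEXT") and not (b["goto"] or "").isdigit():
            problems.append(f"{where}: unexpected gotoPriorityExpression {b['goto']!r}")
    return problems


def factor_chain(cfg, vserver):
    """Follow -nextFactor from the vserver binding; return the ordered policy names."""
    chain, seen, scope, target = [], set(), "vserver", vserver
    while True:
        binds = sorted((b for b in cfg["bindings"] if b["scope"] == scope and b["target"] == target),
                       key=lambda b: b["priority"])
        if not binds:
            raise ValueError(f"no policy bound at {scope} {target}")
        first = binds[0]  # lowest priority number is evaluated first
        chain.append(first["policy"])
        if first["next"] is None:
            return chain
        if first["next"] in seen:
            raise ValueError(f"nextFactor loop at {first['next']}")
        seen.add(first["next"])
        scope, target = "policylabel", first["next"]


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG, preexisting={"ldap_server1"})
    print("problems:", check_config(config) or "none")
    print("factor chain:", " -> ".join(factor_chain(config, "MFA_AAA_vserver")))
```

Running the checker against the sample prints no problems and the chain FirstEPA-check -> ldap-auth -> SecondEPA-check; feeding it the same text with one action name mistyped reports exactly the dangling reference, which is the failure mode to look for when a factor is silently never reached.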
