Certificate Based Authentication on Gateway Insight

Article ID: CTX239918

Description

With Client Authentication enabled on an SSL virtual server, the NetScaler appliance asks for the Client Certificate during the SSL handshake. The appliance checks the certificate presented by the client for normal constraints, such as the issuer signature and expiration date. Here are some use cases:

  • Require a valid Client Certificate before website content is displayed. This restricts website content to only authorized machines and users.
  • Request a valid Client Certificate. If a valid Client Certificate is not provided, then prompt the user for Multi-Factor Authentication.
Client Authentication can be set to Mandatory, or Optional.
  • If Mandatory, the connection is dropped when the SSL client does not transmit a valid Client Certificate. Valid means: signed/issued by a specific Certificate Authority, and not expired or revoked.
  • If Optional, NetScaler requests the client certificate but proceeds with the SSL transaction even if the client presents an invalid certificate or no certificate. This is useful for authentication scenarios (e.g. require two-factor authentication if a valid Client Certificate is not provided).
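
The two modes above as NetScaler CLI commands. This is an added example, not taken from the article. The virtual server names `vs_strict` and `vs_stepup`, the certificate-key name `client_ca` and the file `client_ca.pem` are placeholders, and both SSL virtual servers are assumed to exist already.

```netscaler
# Placeholder names throughout: vs_strict, vs_stepup, client_ca, client_ca.pem

# Load the certificate of the CA that issues the client certificates
add ssl certKey client_ca -cert client_ca.pem

# Bind it as a CA certificate so presented client certificates are
# checked against this issuer
bind ssl vserver vs_strict -certkeyName client_ca -CA
bind ssl vserver vs_stepup -certkeyName client_ca -CA

# Mandatory: the handshake is dropped unless the client presents a
# valid certificate
set ssl vserver vs_strict -clientAuth ENABLED -clientCert Mandatory

# Optional: the certificate is requested, but the transaction continues
# without a valid one, so an authentication policy must decide what
# happens next (for example, prompt for a second factor)
set ssl vserver vs_stepup -clientAuth ENABLED -clientCert Optional

# Confirm the resulting client authentication settings
show ssl vserver vs_strict
show ssl vserver vs_stepup
```

With Optional, the SSL layer alone does not restrict access; the restriction comes from the authentication policy that handles clients without a valid certificate.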
Limitation in Gateway Insight and ADM service for the 11.1, 12.0 and 12.1 releases:
Gateway Insight is not supported when certificate-based authentication is configured as the authentication method on NetScaler Gateway, and reports won't be captured on ADM (formerly NetScaler MAS).

Refer to the following URLs:
  • View on Gateway Insight: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/analytics/gateway-insight.html
  • Authentication with Client certificates: https://docs.citrix.com/en-us/netscaler/12/aaa-tm/ns-aaa-client-certs-tsk.html

Issue/Introduction

Supportability of Gateway Insight