nFactor support is planned for future releases of the iOS Workspace app. Meanwhile, by altering the configuration slightly on the AAA vserver on Citrix Gateway so that, for iOS Workspace clients, the passcode (OTP) is evaluated first and the LDAP credentials second, we can work around this issue. Please follow the steps below from the GUI.
Pre-Requisites:
1. Native OTP should be configured and working (i.e. tested via browser / Citrix Workspace for Windows / Citrix Workspace for Android):
https://docs.citrix.com/en-us/netscaler-gateway/12/native-otp-support.html
2. Identify the AAA vserver used for Native OTP
If you followed the above configuration example, this would be "authvs"
3. Identify the policy for LDAP authentication - this is the one bound to the LDAP action with Authentication enabled (note: Authentication is enabled by default)
If you followed the above configuration example, this would be "auth_pol_ldap_logon"
4. Identify the LDAP action for OTP verification - this is the LDAP action with Authentication disabled
If you followed the above configuration example, this would be "ldap_otp_action"
5. Identify the Gateway session policy and profile for Receivers and ensure the plugin type is set to "Java"
Configuration:
Section1: Create a policy for OTP verification for iOS Workspace clients (Factor1)
- Navigate to: Security ==>AAA - Application Traffic==>Policies==>Authentication==>Advanced Policies==>Authentication Policies ==> ADD
- Name: IOS_WORKSPACE_Factor1
- Action Type: LDAP
- Action: ldap_otp_action (as noted in
- Expression: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("User-Agent").CONTAINS("IOS")
- Click OK
Section2: Create a policy label for LDAP Credential Verification (Factor2)
- Navigate to: Security ==>AAA - Application Traffic==>Policies==>Authentication==>Advanced Policies==>Authentication Policy Labels ==> ADD
- Name: Plabel_LDAP_AUTH
- Login Schema: LSCHEMA_INT
- Click on Continue
- In the policy binding section Click on "Click to Select" and from the list select the policy for LDAP Auth (in this case "auth_pol_ldap_logon", as noted in #3 in prerequisites)
- Click on Bind
Section3: Bind Factor1 with next Factor as Factor2 on AAA Vserver
- Navigate to: Security ==> AAA - Application Traffic ==> Authentication Virtual Servers
- Select the auth vserver (in this case "authvs") and hit EDIT
- Click on "Authentication Policy"; this brings up the list of authentication policies bound to the AAA vserver. Make a note of the lowest priority number
- Click on ADD Binding
- Click on the "Select Policy" section, and from the list select the policy created in Section1, i.e. IOS_WORKSPACE_Factor1
- Set Priority to a lower number than the lowest priority number noted above
- Set Goto Expression to "END"
- Click on the "Select Next Factor" option, and from the list select the policy label created in Section2, i.e. "Plabel_LDAP_AUTH"
- Click Bind.
- Close the AuthPolicy list and hit Done
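The same three sections expressed as Citrix ADC CLI commands, added here as an example and not part of the original article. The policy, action, label and vserver names are the ones from the prerequisites; the priority values 90 and 100 are assumed, and 90 must be lower than the lowest existing binding on authvs, as noted in Section3.

```text
# Section1: Factor1 - OTP verification, matched only for iOS Workspace clients.
# Uses the LDAP action that has Authentication disabled (ldap_otp_action).
add authentication Policy IOS_WORKSPACE_Factor1 -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"IOS\")" -action ldap_otp_action

# Section2: Factor2 - policy label that runs the normal LDAP credential check.
add authentication policylabel Plabel_LDAP_AUTH -loginSchema LSCHEMA_INT
bind authentication policylabel Plabel_LDAP_AUTH -policyName auth_pol_ldap_logon -priority 100 -gotoPriorityExpression NEXT

# Section3: bind Factor1 on the AAA vserver ahead of the existing policies,
# with Factor2 as its next factor. Priority 90 is an assumed value.
bind authentication vserver authvs -policy IOS_WORKSPACE_Factor1 -priority 90 -gotoPriorityExpression END -nextFactor Plabel_LDAP_AUTH

# Check the binding order before testing from an iOS device.
show authentication vserver authvs
```

Because the rule only matches the iOS Workspace User-Agent, browsers and other Workspace clients continue to hit the existing Native OTP policies unchanged.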
Problem Cause
iOS Workspace clients do not support nFactor as of publishing this article. They therefore exhibit a known Workspace / Receiver behaviour of sending the password and passcode in reverse order; the nFactor flow therefore fails because it ends up sending the passcode to LDAP (the first factor) instead of the password.