How to Extract and Use custom Attributes for Single Sign-on in nFactor Flow

Article ID: CTX460338


Description

This article walks through an example of how to extract a custom Active Directory attribute and use it for single sign-on in an nFactor flow.


Instructions

Background
  • Assume a use case where admins configure two-factor authentication with a single login schema, but the usernames for the two factors differ.
    • For example, with LDAP + RADIUS the AD account is ctxdemo, while the RADIUS account is 10523, which is stored in an attribute of the AD account.
    • The end user enters the AD username and both passwords on one login page.
    • The screenshot below shows the login page presented to the end user. (Screenshot: logon.png)

Configuration through the CLI

Refer to this link (https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-two-factor-auth-pass-through.html) for the basic configuration steps; you only need to adjust some of that configuration as described in this article.

1. Find an attribute on the AD account in which to store the OTP username. In this case the "mobile" attribute is used. (Screenshot: ad-user-attribute.png)

2. Create an AAA virtual server and bind a certificate to it; an AAA virtual server is required for nFactor authentication to work:

add authentication vserver dual_auth_aaa_vserver SSL 0.0.0.0
bind ssl vserver dual_auth_aaa_vserver -certkeyName wildcard2022.pair


3. Create Authentication Policies and actions as below:

a. LDAP Authentication for 1st factor:

add authentication ldapAction 192.168.3.150 -serverName 192.168.3.150 -ldapBase "dc=ww,dc=local" -ldapBindDn administrator@ww.local -ldapBindDnPassword 2351e9b9c1a7380719591448028f8c5859e57ea050862c78c1f17800f152b719 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2021_05_04_08_09_03 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -Attribute1 mobile
add authentication Policy 192.168.3.150_ldap_policy -rule true -action 192.168.3.150


Note: Specifying "mobile" as Attribute1 makes ADC fetch that attribute from AD and store it in the user session as AAA.USER.ATTRIBUTE(1), which the advanced expressions later in this article reference. The bind account in this example is the domain administrator; a dedicated read-only account that can search the base DN and read the chosen attribute is sufficient for the lookup.

b. RADIUS authentication for the 2nd factor:

add authentication radiusAction 192.168.3.151_radius_server -serverIP 192.168.3.151 -serverPort 1812 -radKey 054ae9ffabd0d58ad1233bd67761da630f68b3357c8cd4d48752e46ba02a9327 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2021_05_04_08_09_03 -passEncoding mschapv2
add authentication Policy 192.168.3.151_radius_policy -rule true -action 192.168.3.151_radius_server


4. Create a login schema for two-factor authentication; the following is a sample login schema for reference:

add authentication loginSchema dual_loginschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -userCredentialIndex 2 -passwordCredentialIndex 3
add authentication loginSchemaPolicy dual_loginschema_pol -rule true -action dual_loginschema
bind authentication vserver dual_auth_aaa_vserver -policy dual_loginschema_pol -priority 100 -gotoPriorityExpression END


Note: Set "userCredentialIndex" and "passwordCredentialIndex" to a value in the range 1 through 16 so that the AD username and password entered in the login schema are stored in the session and can be referenced by the traffic policy for single sign-on to StoreFront. Index 1 is already used by the LDAP action's Attribute1 (mobile), so choose indices that do not overwrite it; in this case "userCredentialIndex" is 2 and "passwordCredentialIndex" is 3.

5. Create a passthrough login schema (no schema) for the 2nd factor, since the client provides no further input in this step:

add authentication loginSchema passthrough_loginschema -authenticationSchema noschema -userExpression "AAA.USER.ATTRIBUTE(1)"

Note: The key point here is to set the user expression to "AAA.USER.ATTRIBUTE(1)"; ADC then uses the value stored in attribute 1 (the mobile attribute fetched by the LDAP action) as the logon name for the 2nd-factor authentication.

6. Create a policy label for the 2nd factor with the passthrough login schema:

add authentication policylabel radius_policy_label -loginSchema passthrough_loginschema
bind authentication policylabel radius_policy_label -policyName 192.168.3.151_radius_policy -priority 100 -gotoPriorityExpression NEXT


7. Bind the authentication policy to the AAA vserver, with the policy label as the next factor:

bind authentication vserver dual_auth_aaa_vserver -policy 192.168.3.150_ldap_policy -priority 100 -nextFactor radius_policy_label -gotoPriorityExpression NEXT

8. Create an authentication profile and bind it to the VPN vserver:

add authentication authnProfile AAA-PROFILE -authnVsName dual_auth_aaa_vserver
add vpn vserver vpn.ww.local SSL 192.168.3.154 443 -doubleHop ENABLED -dtls OFF -downStateFlush DISABLED -Listenpolicy NONE -WindowsEPAPluginUpgrade Never -authnProfile AAA-PROFILE

9. Create a traffic policy if you need single sign-on to StoreFront:

add vpn trafficAction SSO-PRO http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(2)" -passwdExpression "AAA.USER.ATTRIBUTE(3)"
add vpn trafficPolicy SSO-POL true SSO-PRO

bind vpn vserver vpn.ww.local -policy SSO-POL -priority 100 -gotoPriorityExpression END -type REQUEST

Note: With "AAA.USER.ATTRIBUTE(2)" as the user expression and "AAA.USER.ATTRIBUTE(3)" as the password expression, ADC uses the username and password stored at the login schema's credential indices specified earlier for single sign-on, rather than the RADIUS username taken from attribute 1.
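Every command in this procedure keys off a session attribute index, so a mismatch (a login schema credential index that collides with the LDAP action's Attribute1, or an expression that references an index nothing populates) silently yields the wrong username or an empty password at SSO time. The following Python script, added here as an example and not Citrix's own tooling, parses CLI lines in the form shown above (or an exported ns.conf passed as its first argument) and reports such clashes. The embedded sample configuration is constructed from this article's commands with the encrypted secrets replaced by a placeholder.

```python
"""Static check of an nFactor configuration for AAA.USER.ATTRIBUTE() index clashes.

Added example, not Citrix code. It reads NetScaler CLI lines in the form shown
in this article and verifies that every session attribute index is written by
exactly one source (an authentication action's -AttributeN or a login schema's
credential index) and that every index referenced by an expression is populated.
"""
import re
import shlex
import sys
from collections import defaultdict

ATTR_REF = re.compile(r"AAA\.USER\.ATTRIBUTE\((\d+)\)")
ATTR_FLAG = re.compile(r"^-Attribute(\d+)$", re.IGNORECASE)
INDEX_FLAGS = ("-usercredentialindex", "-passwordcredentialindex")

# Constructed sample: the article's commands, with the encrypted secrets
# replaced by a placeholder so the snippet carries no real key material.
SAMPLE_CONFIG = """
add authentication ldapAction 192.168.3.150 -serverName 192.168.3.150 -ldapBase "dc=ww,dc=local" -ldapBindDn administrator@ww.local -ldapBindDnPassword PLACEHOLDER -encrypted -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -Attribute1 mobile
add authentication radiusAction 192.168.3.151_radius_server -serverIP 192.168.3.151 -serverPort 1812 -radKey PLACEHOLDER -encrypted -passEncoding mschapv2
add authentication loginSchema dual_loginschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -userCredentialIndex 2 -passwordCredentialIndex 3
add authentication loginSchema passthrough_loginschema -authenticationSchema noschema -userExpression "AAA.USER.ATTRIBUTE(1)"
add vpn trafficAction SSO-PRO http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(2)" -passwdExpression "AAA.USER.ATTRIBUTE(3)"
"""


def _options(tokens):
    """Turn the '-flag value' tail of a CLI line into a dict.

    Bare switches such as -encrypted or -kek map to True.
    """
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
                continue
            opts[tok] = True
        i += 1
    return opts


def analyze(config_text):
    """Return (producers, consumers): attribute index -> list of writers / readers."""
    producers = defaultdict(list)
    consumers = defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("add "):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 4:
            continue
        kind, name = " ".join(tokens[1:3]), tokens[3]
        for flag, value in _options(tokens[4:]).items():
            attr = ATTR_FLAG.match(flag)
            if attr and kind.startswith("authentication "):
                # e.g. "-Attribute1 mobile" on the LDAP action fills slot 1
                producers[int(attr.group(1))].append(f"{kind} {name}: {flag} {value}")
            elif flag.lower() in INDEX_FLAGS:
                # the login schema stores the typed username/password in these slots
                producers[int(value)].append(f"{kind} {name}: {flag} {value}")
            elif isinstance(value, str):
                # any expression that reads AAA.USER.ATTRIBUTE(n) is a consumer of slot n
                for idx in ATTR_REF.findall(value):
                    consumers[int(idx)].append(f"{kind} {name}: {flag}")
    return producers, consumers


def find_problems(config_text):
    """Return sorted findings; an empty list means the index mapping is consistent."""
    producers, consumers = analyze(config_text)
    problems = []
    for idx, sources in producers.items():
        if not 1 <= idx <= 16:
            problems.append(f"index {idx} is outside 1..16: {sources}")
        if len(sources) > 1:
            problems.append(f"index {idx} is written by more than one source: {sources}")
    for idx, readers in consumers.items():
        if idx not in producers:
            problems.append(f"index {idx} is read but never populated: {readers}")
    return sorted(problems)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    findings = find_problems(text)
    print("\n".join(findings) if findings else "attribute index mapping is consistent")
```

Run it without arguments to check the embedded sample, or with the path of an exported ns.conf. Changing the sample's userCredentialIndex from 2 to 1 reproduces the failure the notes above warn about: slot 1 is then written by both the LDAP action and the login schema, and the traffic action's AAA.USER.ATTRIBUTE(2) reads a slot nothing fills.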



Additional Information

https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-two-factor-auth-pass-through.html
https://support.citrix.com/article/CTX200342/extract-and-use-custom-attributes-from-active-directory-for-netscaler-appliance
https://docs.citrix.com/en-us/citrix-gateway/current-release/authentication-authorization/nfactor-for-gateway-authentication.html