[NetScaler] LDAP password can be changed with an incorrect Radius Passcode

Article ID: CTX489566

Description

Below is an example of a common two-factor authentication flow:

Root factor: Start
	Login Schema XML = /nsconfig/loginschema/LoginSchema/DualAuth.xml
	Adv Authn Policy = LDAP_Pol
		Rule  = true
		Action = LDAP_Act
		Next Factor if Success = Radius_Factor
			Login Schema Profile = LSCHEMA_INT 
			Adv Authn Policy = Radius_Pol
				Rule = true 
				Action = Radius_Act

If the user's LDAP password has expired and must be changed at the next logon, the password change succeeds even when an incorrect RADIUS passcode is entered. This may not be the behavior you expect.
Note: The authentication flow as a whole still fails because the RADIUS passcode is incorrect; only the LDAP password change succeeds.

Resolution

Change the nFactor flow as follows:
Root factor: Start
	Login Schema XML = /nsconfig/loginschema/LoginSchema/DualAuth.xml
	Adv Authn Policy = NoAuthn_Pol
		Rule = true
		Action = NO_AUTHN
		Next Factor if Success = Radius_Factor
			Login Schema Profile = Radius_NoSchema
				Login Schema XML = noschema
				Passwd Expression = AAA.LOGIN.VALUE("passwd1")
			Adv Authn Policy = Radius_Pol
				Rule = true 
				Action = Radius_Act
				Next Factor if Success = LDAP_Factor
					Login Schema Profile = LDAP_NoSchema
						Login Schema XML = noschema
						Passwd Expression = AAA.LOGIN.VALUE("passwd")
					Adv Authn Policy = LDAP_Pol
						Rule = true
						Action = LDAP_Act
Create "noschema" login schema profiles so that each policy receives the correct "Password" or "Passcode" value collected by DualAuth.xml.
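The corrected flow above, expressed as NetScaler CLI commands (an added example, not part of the original article). It assumes an existing AAA virtual server named AAA_VS and existing LDAP_Act and Radius_Act authentication actions; the AAA_VS name and the login schema object names DualAuth_LSchema and DualAuth_LSPol are hypothetical.

```nscli
# Assumed to exist already: AAA vserver AAA_VS (hypothetical name),
# LDAP action LDAP_Act and RADIUS action Radius_Act (names from the article).

# Root factor: DualAuth.xml collects both credentials but authenticates nothing yet.
add authentication loginSchema DualAuth_LSchema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication loginSchemaPolicy DualAuth_LSPol -rule true -action DualAuth_LSchema
bind authentication vserver AAA_VS -policy DualAuth_LSPol -priority 100 -gotoPriorityExpression END

# Second factor: verify the RADIUS passcode ("passwd1" from DualAuth.xml) first.
add authentication loginSchema Radius_NoSchema -authenticationSchema noschema -passwdExpression "AAA.LOGIN.VALUE(\"passwd1\")"
add authentication policylabel Radius_Factor -loginSchema Radius_NoSchema
add authentication Policy Radius_Pol -rule true -action Radius_Act

# Third factor: LDAP runs only after RADIUS succeeded, so an expired-password
# change can no longer happen with a wrong passcode.
add authentication loginSchema LDAP_NoSchema -authenticationSchema noschema -passwdExpression "AAA.LOGIN.VALUE(\"passwd\")"
add authentication policylabel LDAP_Factor -loginSchema LDAP_NoSchema
add authentication Policy LDAP_Pol -rule true -action LDAP_Act
bind authentication policylabel LDAP_Factor -policyName LDAP_Pol -priority 100 -gotoPriorityExpression NEXT

# Chain the factors: Start (NO_AUTHN) -> Radius_Factor -> LDAP_Factor
bind authentication policylabel Radius_Factor -policyName Radius_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor LDAP_Factor
add authentication Policy NoAuthn_Pol -rule true -action NO_AUTHN
bind authentication vserver AAA_VS -policy NoAuthn_Pol -priority 100 -gotoPriorityExpression NEXT -nextFactor Radius_Factor
```

After applying, test with an account whose LDAP password is expired and a deliberately wrong passcode: the session should fail at Radius_Factor and no LDAP password change should be logged.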

Problem Cause

This is by design: in the current flow the password change is performed by LDAP_Act, which runs before Radius_Factor, so the change completes before the passcode is ever checked.
The nFactor flow must be changed so that the RADIUS passcode is verified first.