This article describes the following scenario:
These steps are described in detail in the following sections. The first section briefly introduces the entities encountered in this article and in nFactor authentication generally. The next section shows the flow pictorially. The sections after that give an example LoginSchema that can be used to realize the logon form, and the relevant configuration.
A Login Schema is an XML construct that gives the UI tier enough information to generate a user interface from the contents of the XML blob. Put another way, a LoginSchema is a logical representation of a logon form in XML.
It can be added as below:
add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>
where authenticationSchema is a well-formed XML document that defines how the login form is rendered, userExpression is the expression used to extract the username from the login attempt, and passwordExpression likewise extracts the password.
An authentication policy label is a collection of authentication policies for a particular factor. It is recommended that these be pseudo-homogeneous policies, meaning that the credentials received from the user apply to all the policies in the cascade. There are exceptions when a fallback option is configured or a feedback mechanism is intended.
Authentication policy labels constitute secondary (user-defined) factors. With nFactor there is no single "secondary" cascade; there can be "N" secondary factors, depending on configuration. There can be as many policy labels as desired, and the number of factors for a given authentication is defined by the longest sequence of policy labels beginning with the virtual server cascade.
When we bind an authentication policy to an authentication virtual server, we specify nextFactor, the policy label (factor) that is taken if the policy succeeds. Likewise, when policies are bound to policy labels, nextFactor specifies the next policy label to continue with if the policy succeeds.
It can be added as below:
add authentication policylabel <name> -loginSchema <loginSchemaName>
where loginSchemaName is the login schema to associate with this authentication factor.
You can bind authentication policies to this label.
bind authentication policylabel <name> -policyName LDAP -priority 10 -nextFactor <nextFactorLabelName>
Upon accessing the login page at the authentication virtual server, users see a logon form such as the one depicted in the next section. Once a user enters their credentials and chooses their domain, specific policies are selected on NetScaler for authentication. Each of these policies can have follow-up policies.
Users see a drop-down with two domains. The administrator can pre-fill these values in the loginSchema. Other fields, such as the labels for username and password, can also be customized.
The following is an example used for this specific representation of logon form:
<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext></StateContext>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
        <Label><Text>User name</Text><Type>plain</Type></Label>
        <Input>
          <AssistiveText>Please supply either domain\username or user@fully.qualified.domain</AssistiveText>
          <Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
        <Label><Text>Password:</Text><Type>plain</Type></Label>
        <Input>
          <Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential><ID>domain</ID><Type>none</Type></Credential>
        <Label><Type>none</Type></Label>
        <Input>
          <ComboBox>
            <InitialSelection>unspecified</InitialSelection>
            <DisplayValues>
              <DisplayValue><Display>(Select a domain)</Display><Value>unspecified</Value></DisplayValue>
              <DisplayValue><Display>AAATM.COM</Display><Value>AAATM.COM</Value></DisplayValue>
              <DisplayValue><Display>NSI-TEST.COM</Display><Value>NSI-TEST.COM</Value></DisplayValue>
            </DisplayValues>
          </ComboBox>
        </Input>
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>Please select domain to continue Login ...</Text><Type>confirmation</Type></Label>
        <Input/>
      </Requirement>
      <Requirement>
        <Credential><ID>loginBtn</ID><Type>none</Type></Credential>
        <Label><Type>none</Type></Label>
        <Input><Button>Log On</Button></Input>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
All portions of the logon form are included. Administrators can modify these values to suit their needs.
NOTE: On the latest builds of Citrix ADC this login schema does not need to be configured separately; it ships as DomainDropdown.xml.
add authentication vserver demo_aaa_vserver SSL 0.0.0.0
add authentication loginSchema lschema_domain_dropdown -authenticationSchema "/nsconfig/loginschema/LoginSchema/DomainDropdown.xml"
add authentication loginSchema ldap_noschema -authenticationSchema noschema
add authentication loginSchema RADIUS_passwordonly -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel Domain_Drop_Down__root -loginSchema lschema_domain_dropdown
add authentication policylabel _db_Domain_Check__Domain_Drop_Down -loginSchema LSCHEMA_INT
add authentication policylabel LDAP_Auth__Domain_Drop_Down -loginSchema ldap_noschema
add authentication policylabel LDAPR_Auth__Domain_Drop_Down -loginSchema ldap_noschema
add authentication policylabel RADIUS_Auth__Domain_Drop_Down -loginSchema RADIUS_passwordonly
add authentication Policy LDAP_Pol-auth -rule true -action srv_ldap_auth
add authentication Policy Dropdown_NoAuth_Pol-auth -rule true -action NO_AUTHN
add authentication Policy RADIUS_Pol_Auth -rule true -action srv_radius_auth
add authentication Policy AAATM.COM -rule "HTTP.REQ.BODY(500).AFTER_STR(\"domain=\").CONTAINS(\"AAATM.COM\")" -action NO_AUTHN
add authentication Policy NSI-TEST.COM -rule "HTTP.REQ.BODY(500).AFTER_STR(\"domain=\").CONTAINS(\"NSI-TEST.COM\")" -action NO_AUTHN
add authentication Policy _demo_aaa_vserver_Domain_Drop_Down__root_0 -rule true -action NO_AUTHN
bind authentication policylabel Domain_Drop_Down__root -policyName Dropdown_NoAuth_Pol-auth -priority 100 -gotoPriorityExpression NEXT -nextFactor _db_Domain_Check__Domain_Drop_Down
bind authentication policylabel _db_Domain_Check__Domain_Drop_Down -policyName AAATM.COM -priority 100 -gotoPriorityExpression NEXT -nextFactor LDAP_Auth__Domain_Drop_Down
bind authentication policylabel _db_Domain_Check__Domain_Drop_Down -policyName NSI-TEST.COM -priority 110 -gotoPriorityExpression NEXT -nextFactor LDAPR_Auth__Domain_Drop_Down
bind authentication policylabel LDAPR_Auth__Domain_Drop_Down -policyName LDAP_Pol-auth -priority 100 -gotoPriorityExpression NEXT -nextFactor RADIUS_Auth__Domain_Drop_Down
bind authentication vserver demo_aaa_vserver -policy _demo_aaa_vserver_Domain_Drop_Down__root_0 -priority 100 -nextFactor Domain_Drop_Down__root -gotoPriorityExpression NEXT
The preceding configuration adds an authentication virtual server for resource access and the policies relevant to this use case.
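The domain decision block above (the AAATM.COM and NSI-TEST.COM policies bound to _db_Domain_Check__Domain_Drop_Down) and the domain ComboBox in the LoginSchema from the earlier section can be modelled offline. The following Python is an added example, not part of this article or of Citrix ADC: it parses a trimmed, constructed copy of the DomainDropdown schema to recover the offered domain values, mirrors the HTTP.REQ.BODY(500).AFTER_STR("domain=").CONTAINS(...) rule over a constructed POST body, and walks the bindings by priority to find the nextFactor. The function names combobox_values, eval_domain_rule, next_factor and posted_domain_is_listed are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs
NS = {"r": "http://citrix.com/authentication/response/1"}

# Constructed, trimmed copy of the page's DomainDropdown schema: only the
# domain ComboBox is kept, since that is what the decision block branches on.
SCHEMA_XML = """<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
 <AuthenticationRequirements><Requirements>
  <Requirement><Credential><ID>domain</ID><Type>none</Type></Credential>
   <Input><ComboBox><InitialSelection>unspecified</InitialSelection><DisplayValues>
    <DisplayValue><Display>(Select a domain)</Display><Value>unspecified</Value></DisplayValue>
    <DisplayValue><Display>AAATM.COM</Display><Value>AAATM.COM</Value></DisplayValue>
    <DisplayValue><Display>NSI-TEST.COM</Display><Value>NSI-TEST.COM</Value></DisplayValue>
   </DisplayValues></ComboBox></Input></Requirement>
 </Requirements></AuthenticationRequirements>
</AuthenticateResponse>"""
# The _db_Domain_Check__Domain_Drop_Down bindings from the page, as
# (priority, substring the rule looks for after "domain=", nextFactor label).
DOMAIN_CHECK_BINDINGS = [
    (100, "AAATM.COM", "LDAP_Auth__Domain_Drop_Down"),
    (110, "NSI-TEST.COM", "LDAPR_Auth__Domain_Drop_Down"),
]

def combobox_values(schema_xml, credential_id):
    """Return the <Value>s offered by the ComboBox whose Credential/ID matches."""
    root = ET.fromstring(schema_xml)
    for req in root.iterfind(".//r:Requirement", NS):
        if req.findtext("r:Credential/r:ID", namespaces=NS) == credential_id:
            return [v.text for v in req.iterfind(".//r:DisplayValue/r:Value", NS)]
    return []

def eval_domain_rule(body, needle, body_limit=500):
    """Mirror HTTP.REQ.BODY(500).AFTER_STR("domain=").CONTAINS(needle): substring
    test on the text after the first "domain=" within the first 500 body bytes."""
    head = body[:body_limit]
    idx = head.find("domain=")
    return idx >= 0 and needle in head[idx + len("domain="):]

def next_factor(body, bindings=DOMAIN_CHECK_BINDINGS):
    """Decision block: lowest priority number first, first matching rule wins.
    None means nothing matched, so the flow does not continue to a next factor."""
    for _prio, needle, label in sorted(bindings):
        if eval_domain_rule(body, needle):
            return label
    return None

def posted_domain_is_listed(body, schema_xml=SCHEMA_XML):
    """Defensive check: posted domain is a schema ComboBox value, not the placeholder."""
    value = parse_qs(body[:500]).get("domain", [""])[0]
    return value in combobox_values(schema_xml, "domain") and value != "unspecified"
```

posted_domain_is_listed goes beyond the page's rule by requiring the posted value to be exactly one of the schema's ComboBox values, whereas the page's CONTAINS rule is a substring match on everything after domain= in the first 500 body bytes.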
1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add
2. Click on the + sign to add the nFactor Flow
3. Add a Factor; its name is the name of the nFactor Flow
4. Add the schema for the First Factor by clicking Add Schema and then Add
5. Create a Domain Dropdown Schema by selecting the DomainDropdown.xml login schema
6. Choose the Schema for First Factor created above
7. Click Add Policy and choose the Dropdown NoAuth policy for the first authentication
For more information on creating NoAuth policies, see CTX222713
8. Click the green + sign to create a decision block
9. Select Create decision block and add a Decision Factor Name
10. Click on Add Policy and then Add to create a policy for the domain check
11. Create a policy to check for domain, the action type would be NO_AUTHN
12. Choose the Policy created above to add in decision block
13. Click the + sign below the newly created policy to add another policy for checking AAATM.COM
14. Create another policy to check for the second domain
15. Choose the policy created above to add in decision block
16. Select the + sign next to AAATM.COM to add the factor that is evaluated if the user is part of AAATM.COM. In this case we add an LDAP policy
17. Create a schema for AAATM.COM domain users. In this example we use noschema, because the user has already entered an LDAP username and password on the drop-down form that started the flow.
18. Select the noschema created in step 17 and click OK
19. Click Add Policy
20. Choose the ldap policy used to authenticate domain users and click add
For more information on creating LDAP policies, see CTX123782
21. Select the + sign next to NSI-TEST.COM to add the factor that is evaluated if the user is part of NSI-TEST.COM
22. Create a factor for LDAP authentication for users in the NSI-TEST.COM domain
23. Click Add schema to add a schema for NSI-TEST.COM users to authenticate first with LDAP
24. Click Add schema, choose the same ldap_noschema used for AAATM.COM and click OK
25. Click Add Policy to add an ldap authentication policy for NSI-TEST.COM users
26. Choose the ldap policy used to authenticate domain users and click add
27. Click the green + sign on the LDAPR_Auth factor to create a next factor for RADIUS authentication for NSI-TEST.COM users
28. Add a new factor for RADIUS authentication and click create
29. Click Add Schema and then click Add
30. Create a password-only authentication schema using the built-in Only Password schema file, then click Create
31. Click Add Policy to add the RADIUS authentication policy to be used by NSI-TEST.COM users
32. Choose the RADIUS policy to be used by NSI-TEST.COM users and click Add
For more information on creating RADIUS authentication, see Configuring RADIUS Authentication
33. Click Done; this automatically saves the configuration.
34. Select the nFactor Flow just created and bind it to an AAA Virtual Server by clicking Bind to Authentication Server and then Create
NOTE: Bind and unbind the nFactor Flow only through the option provided under Show Bindings in nFactor Flow.