How to hide secondary password field for login page of NetScaler Gateway

Article ID: CTX215611

Description

Use Case:
In the normal configuration, after binding the RADIUS policy as secondary, the login page shows two password fields. In some scenarios there is a requirement to hide Password 2 (the secondary password field) so that authentication happens on two pages: one for LDAPS and a second page for the challenge response.

After making this change, the user authenticates with LDAP first and then RADIUS. If LDAP fails, the user does not get the second prompt screen for the RSA token, and the page loads with the error: Incorrect Username & Password.


Instructions

Create the following rewrite policy and action to hide the secondary password field from the NetScaler login page.

Follow the steps below to match the configuration that worked to remove the secondary password field:

1. Open the NetScaler GUI, click Configuration and open the NetScaler Gateway section.
2. Go to your Gateway virtual server and open the Policies menu.
3. Click the + button.
4. Choose Policy "Rewrite" and Type "Response", exactly as in the image below:



5. Go to Policy Binding and click Add.
6. Fill in the fields of the Rewrite Policy as in the image below, with one of the following expressions:

For VPN clients: HTTP.REQ.HEADER("User-Agent").CONTAINS("AGEE")
To apply this to all clients, you can simply use the policy expression true.

The screenshot below is just an example. You may replace the expression with true (for an advanced policy) or ns_true (for a classic policy), or with another browser-specific expression such as HTTP.REQ.HEADER("User-Agent").CONTAINS("Mozilla").

7. In the Action field, click the Add button.
8. Create the Action as in the image below, with the following expression: "pwcount= +1"

9. Click the Create button, with Remove_Password_Action selected in the Action field.
10. Bind the policy to the Gateway virtual server.
11. Click Done, save the configuration and test.

CLI commands for the above configuration are as follows:

1. add rewrite action Remove_Password_Action insert_http_header Set-Cookie "\"pwcount= +1\""
2. add rewrite policy Remove_Password_Policy "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"AGEE\")" Remove_Password_Action
   (or)
   add rewrite policy Remove_Password_Policy "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"Mozilla\")" Remove_Password_Action
   (or)
   add rewrite policy Remove_Password_Policy true Remove_Password_Action
3. bind vpn vserver gw_svr -policy Remove_Password_Policy -priority 100 -gotoPriorityExpression END -type RESPONSE
   (or)
   bind vpn vserver _XD_my_ngw_443 -policy Remove_Password_Policy -priority 100 -gotoPriorityExpression END -type RESPONSE
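The following is an added example, not Citrix code and not part of this article: a small Python model of the rewrite policy configured above. It evaluates the three policy expressions from the article (AGEE, Mozilla, true) against constructed requests to show which clients end up with the pwcount cookie in the response, and it includes a check that parses a captured login-page response header block and confirms the Set-Cookie line is present. The sample User-Agent strings and the sample response are constructed for the example; CONTAINS is modelled as a plain case-sensitive substring match.

```python
"""Model of the NetScaler Gateway rewrite policy described in CTX215611.

Added example, not Citrix's own code. It reasons about which clients receive
the pwcount cookie and checks a captured response for it.
"""

from typing import Callable, Dict, List, Tuple

# Ordered (name, value) pairs; Set-Cookie may legitimately repeat.
Headers = List[Tuple[str, str]]

# Cookie value copied from the article's rewrite action.
PWCOUNT_COOKIE = "pwcount= +1"

# The three policy expressions from the article, modelled as predicates over
# the request headers. CONTAINS is modelled as a case-sensitive substring match.
POLICY_EXPRESSIONS: Dict[str, Callable[[Dict[str, str]], bool]] = {
    'HTTP.REQ.HEADER("User-Agent").CONTAINS("AGEE")':
        lambda req: "AGEE" in req.get("User-Agent", ""),
    'HTTP.REQ.HEADER("User-Agent").CONTAINS("Mozilla")':
        lambda req: "Mozilla" in req.get("User-Agent", ""),
    "true":
        lambda req: True,
}


def apply_rewrite_policy(expression: str, request_headers: Dict[str, str],
                         response_headers: Headers) -> Headers:
    """Model of a RESPONSE-type binding: evaluate the policy expression against
    the request and, on a match, run the insert_http_header action."""
    predicate = POLICY_EXPRESSIONS[expression]
    rewritten = list(response_headers)  # never mutate the caller's list
    if predicate(request_headers):
        rewritten.append(("Set-Cookie", PWCOUNT_COOKIE))
    return rewritten


def parse_response_headers(raw: str) -> Headers:
    """Parse the header block of a captured HTTP response into (name, value) pairs."""
    lines = raw.split("\r\n")
    headers: Headers = []
    for line in lines[1:]:  # skip the status line
        if not line:
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def has_pwcount_cookie(headers: Headers) -> bool:
    """Verification check: does the response set the pwcount cookie?"""
    return any(name.lower() == "set-cookie" and value.startswith("pwcount=")
               for name, value in headers)


# Constructed sample requests: a desktop browser and a Gateway plug-in client.
BROWSER_REQUEST = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/100.0"}
PLUGIN_REQUEST = {"User-Agent": "CitrixGatewayPlugin/1.0 AGEE"}  # constructed UA

# Constructed header block of a login-page response captured after the policy fired.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: pwcount= +1\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    base: Headers = [("Content-Type", "text/html")]
    for expr in POLICY_EXPRESSIONS:
        for label, req in (("browser", BROWSER_REQUEST), ("plugin", PLUGIN_REQUEST)):
            out = apply_rewrite_policy(expr, req, base)
            print(f"{expr:50} {label:8} cookie={has_pwcount_cookie(out)}")
    captured = parse_response_headers(SAMPLE_RESPONSE)
    print("captured response has cookie:", has_pwcount_cookie(captured))
```

The model makes the scoping decision visible: the AGEE expression only affects Gateway plug-in traffic, the Mozilla expression only browsers, and true affects every client. Against a live gateway the same check is a request with a browser User-Agent (for example `curl -s -D - -o /dev/null -A 'Mozilla/5.0' https://<gateway-fqdn>/`, with the gateway name substituted) and looking for the Set-Cookie line in the returned headers; if it is missing, confirm the Rewrite feature is enabled (`enable ns feature rewrite`) and that the binding is of type RESPONSE.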



Working with browsers:

This rewrite policy works with web browsers; however, it does not function the same way with Receiver.

Resolution:
NOTE: The "Rewrite" basic feature has to be enabled on the NetScaler in order to use this policy.
If you use the solution below, users are unable to change their password when LDAP prompts for it.

If you want to disable the RSA field on the first screen in a web browser as well as in the Receiver window (including Windows, Mac, iOS and Android Receiver), apply the following change under the LDAP server profile, as shown in the screenshot:

Uncheck the Authentication option if it is already checked. The LDAP logon then appears on the logon page, and the RSA token prompt is on a separate page.

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.