NetScaler: Smart Card Authentication with EULA using nFactor

Article ID: CTX219625

Description

This article describes how to configure Smart Card Authentication on a NetScaler virtual server (NetScaler Gateway or Load Balancing) and require users to accept the End User License Agreement (EULA) before they can access the backend resource.


Instructions

To achieve this, follow these steps:
  1. Create an AAA virtual server on the NetScaler. Bind the Certificate-Key Pair to the AAA virtual server.
  2. Go to SSL Parameters and then enable Client Authentication.
  3. Go to Advanced Authentication Policies and add the Authentication Policy.
  4. Add the first Authentication Policy with the Expression set to true and the Action Type set to CERT. Add the Action and keep Two Factor OFF. Click Create and then Select.
  5. In the next factor, define the login schema first. Create the Authentication Policy Label and define the Login Schema. The Login Schema file in our case has been modified to display the EULA. Because we do not want any authentication in this factor and only want the end users to accept the EULA, we have edited the XML file to display just the I Agree button. (A sample EULA is at the end of the document for reference.)
  6. The custom login schema file (EULA.xml in this case) must first be imported to the /flash/nsconfig/loginschema directory.
  7. For this factor, add the policy with the Expression set to true and the Action Type set to NO_AUTHN. This is because we want no authentication to happen at this point.
  8. Bind the Authentication policy. Click Done and then click Bind.

Once the AAA vserver is created with the required Authentication Policy Label, we will bind the AAA vserver to the Load Balancing or NetScaler Gateway virtual server.



Sample EULA.xml content


<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status>
<Result>more-info</Result>
<StateContext></StateContext>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
<CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>End User License Agreement</Text><Type>heading</Type></Label><Input /></Requirement>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>You are accessing a US Government Information System that is provided for USG-authorised use only.</Text><Type>plain</Type></Label><Input /></Requirement>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>I agree to all policies and understand that by logging in, my traffic is subject to internal monitoring.</Text><Type>plain</Type></Label><Input /></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>I Agree</Button></Input></Requirement>
</Requirements>
</AuthenticationRequirements>
</AuthenticateResponse>
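
A pre-import check for a custom schema such as EULA.xml, added here as an example (not Citrix code): it parses the file and reports anything beyond the EULA-only shape of the sample above, namely a credential type other than none, an input that is not a button, or a missing PostBack. The function name and the rules are assumptions derived from this sample, not from a Citrix schema definition, and the embedded XML is a constructed, trimmed copy.

```python
import xml.etree.ElementTree as ET

NS = "http://citrix.com/authentication/response/1"  # namespace used by the sample on this page
Q = "{%s}" % NS

# Constructed sample: a trimmed copy of the EULA.xml structure shown above.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
<Status>success</Status><Result>more-info</Result><StateContext></StateContext>
<AuthenticationRequirements>
<PostBack>/nf/auth/doAuthentication.do</PostBack>
<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText>
<Requirements>
<Requirement><Credential><Type>none</Type></Credential><Label><Text>End User License Agreement</Text><Type>heading</Type></Label><Input /></Requirement>
<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>I Agree</Button></Input></Requirement>
</Requirements></AuthenticationRequirements></AuthenticateResponse>"""


def lint_eula_schema(xml_text):
    """Hypothetical helper: return a list of problems; empty means EULA-only shape."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []
    if root.tag != Q + "AuthenticateResponse":
        problems.append("unexpected root element or namespace: %s" % root.tag)
    for name in ("PostBack", "CancelPostBack"):
        if not (root.findtext(".//" + Q + name) or "").strip():
            problems.append("missing or empty <%s>" % name)
    buttons = 0
    for i, req in enumerate(root.iter(Q + "Requirement"), 1):
        # A NO_AUTHN factor should not prompt for anything: every credential type stays "none".
        ctype = (req.findtext(Q + "Credential/" + Q + "Type") or "").strip()
        if ctype != "none":
            problems.append("requirement %d collects a credential of type %r" % (i, ctype))
        inp = req.find(Q + "Input")
        for child in (list(inp) if inp is not None else []):
            if child.tag == Q + "Button":
                buttons += 1
            else:
                problems.append("requirement %d has a non-button input <%s>" % (i, child.tag.replace(Q, "")))
    if buttons != 1:
        problems.append("expected exactly one button, found %d" % buttons)
    return problems


if __name__ == "__main__":
    print(lint_eula_schema(SAMPLE) or "OK: EULA-only login schema")
```

Run it against the edited file before copying it to /flash/nsconfig/loginschema; a non-empty result means the page would show something other than the agreement text and the I Agree button.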