nFactor is the next generation authentication framework that offers great flexibility in configuring authentication flows for users. nFactor allows for extensible authentication models, thus offering clean separation of workflows. This framework can be used to configure all the authentication modes currently possible with Citrix NetScaler.
Readers are advised to have a basic understanding of the nFactor entities described at CTX222713 - Concepts, Entities and Terms used for nFactor Authentication through NetScaler, and to review the other documents at nFactor Authentication through NetScaler.
This article describes the use case where the username is modified before it is sent to the RADIUS server. For example, a user might log in to Gateway in the format user@domain (UserPrincipalName/UPN) or domain\username.
Here is the expected outcome:
There are other variants of this requirement as well, such as adding a fixed domain if the user does not enter one, or removing the domain part so that only the username is sent to the server. In addition, there could be other factors along with the current one. These cases can be solved by following the model described in this document.
The solution proposed here checks the format of the username received from the client. If it is a UPN, the user is taken to the next factor for the actual authentication; we employ NO_AUTHN to move the user to the next factor in this case. If the user enters domain\username, authentication is performed in the first factor itself.
Configuration is best understood by following a bottom-up manner. That is, we configure the most specific factor (or the last factor) first.
The above nFactor configuration can also be done using the nFactor Visualizer, a new feature available on ADC firmware starting with 13.0. The above configuration for steps 1 and 2 can be achieved as below.
Complete Flow:
Click on Create.
Click on Create, then click on Add.
Click on OK.
Click on Create.
In case the schema is already added then select the same from the drop down list, if not then create the schema as below,
Click on Create and then click on Add.
Click on Create and then click on Add.
Click on Add, then click on Done.
In the above flow, the “upn_no_auth” policy is a dummy/no-authentication policy used to jump to the second factor, where login is attempted after modifying the username.
NO_AUTHN policies can be used to simulate implicit success. They help to compute logical decisions such as the one in the current case.
Please note that browsers/clients URL-encode the input data, so special characters such as “@” arrive encoded in the request (for example as %40). Care must therefore be taken when checking for form values in policy rules: inspect the decoded form value, not the raw request body.
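The following Python is an added example, not part of the original article or of NetScaler, that models the decision logic described above (UPN goes to NO_AUTHN and the next factor, domain\username authenticates in the first factor) together with the URL-encoding caveat. The sample POST bodies, the field name "login", the default domain and the two rewrite variants ("user_only" and "with_domain") are constructed assumptions; the real target format depends on what the RADIUS server expects.

```python
from urllib.parse import parse_qs

# Constructed sample logon POST bodies, as a browser would submit them.
# Note the URL encoding: '@' arrives as %40 and '\' as %5C.
SAMPLE_BODIES = {
    "upn":    "login=alice%40corp.example&passwd=s3cret",
    "domain": "login=CORP%5Calice&passwd=s3cret",
    "bare":   "login=alice&passwd=s3cret",
}

def login_name(body: str) -> str:
    """Decode the form body and return the 'login' field (assumed field name)."""
    return parse_qs(body, keep_blank_values=True).get("login", [""])[0]

def raw_contains_at(body: str) -> bool:
    """The naive check the article warns against: searches the raw, still
    URL-encoded body for a literal '@', so a UPN is never recognised."""
    return "@" in body

def classify(username: str) -> str:
    """Mirror the first-factor decision: UPN, domain\\user, or bare username."""
    if "@" in username:
        return "upn"
    if "\\" in username:
        return "domain\\user"
    return "bare"

def first_factor_action(body: str) -> str:
    """UPN input is passed through with NO_AUTHN to the next factor, where the
    name is rewritten; anything else authenticates against RADIUS here."""
    return "NO_AUTHN" if classify(login_name(body)) == "upn" else "RADIUS"

def split_name(username: str) -> tuple[str, str]:
    """Split any accepted format into (user, domain); domain is '' if absent."""
    if "@" in username:
        user, _, domain = username.partition("@")
        return user, domain
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return user, domain
    return username, ""

def radius_username(username: str, mode: str, default_domain: str = "corp.example") -> str:
    """Two rewrite variants mentioned in the article (target format assumed):
    'user_only' strips the domain; 'with_domain' yields domain\\user and adds
    default_domain when the user typed none."""
    user, domain = split_name(username)
    if mode == "user_only":
        return user
    return f"{domain or default_domain}\\{user}"
```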