How to configure pre-auth EPA scan as a factor in nFactor authentication

Objective

This article describes how to configure NetScaler Gateway for nFactor authentication with a pre-auth EPA scan as one of the authentication factors.

Introduction

Multi-factor authentication enhances the security of an application by requiring users to provide multiple proofs of identity to gain access. The NetScaler appliance provides an extensible and flexible approach to configuring multi-factor authentication. This approach is called nFactor authentication.

On NetScaler Gateway, Endpoint Analysis (EPA) can be configured to check whether a user device meets certain security requirements and accordingly allow the user access to internal resources. The Endpoint Analysis Plug-in downloads and installs on the user device when users log on to NetScaler Gateway for the first time. If a user does not install the Endpoint Analysis Plug-in on the user device or chooses to skip the scan, the user cannot log on with the NetScaler Gateway Plug-in. Optionally, the user can be put in a quarantine group where (s)he gets limited access to internal network resources.

In this article, we will use the EPA scan as an initial check in an nFactor (multi-factor) authentication flow. As an example, we will implement the following logic.

The user connects to the NetScaler Gateway virtual IP and an EPA scan is initiated. If the EPA scan is successful, the user is presented with a login page with username and password fields for RADIUS or OTP based authentication. Otherwise the user is also presented with a login page, but this time is authenticated using LDAP or AD (Active Directory) based authentication. Based on the success or failure of the user-provided credentials, the user is granted access.

To implement this logic, post EPA:

1. If the scan is successful, the user is placed in (tagged with) a default user group.
2. If the scan fails, the user is placed in (tagged with) a quarantine group.
3. The next method of authentication (RADIUS or LDAP) is chosen based on the user group membership determined in the first two steps.

Pre-requisites

It is assumed that the following configurations are in place:

• VPN vserver/Gateway and Authentication vserver configurations
• AAA user groups (for the default and quarantined user groups) and associated policies
• LDAP and RADIUS server configurations and associated policies

As part of this guide, the required policy and policy label configurations will be shown and associated with an authentication profile.

Instructions

The diagram below shows the mapping of policies and policy labels. We will use this approach for configuration, but working from right to left.

Configuration Steps

CLI configuration steps:

1. Configure the ldap-auth policy to check for quarantined_group membership and associate it with the LDAP server configuration that authenticates against a particular LDAP server.

   add authentication Policy ldap-auth -rule "HTTP.REQ.USER.IS_MEMBER_OF(\"quarantined_group\")" -action ldap_server1

   ldap_server1 is the LDAP server (action) configuration and ldap-auth is the policy name.

2. Configure the radius-auth policy to check for default_group membership and associate it with the RADIUS server configuration that authenticates against a particular RADIUS server.

   add authentication Policy radius-auth -rule "HTTP.REQ.USER.IS_MEMBER_OF(\"default_group\")" -action radius_server1

   radius_server1 is the RADIUS server (action) configuration and radius-auth is the policy name.

3. Configure the policy label post-epa-usergroup-check with a login schema to capture a single-factor username and password.

   add authentication policylabel post-epa-usergroup-check -loginSchema lschema_single_factor_deviceid

   Note: Replace lschema_single_factor_deviceid with the schema you need if you do not want to use the built-in schema.

4. Associate the policies configured in steps 1 and 2 with the policy label configured in step 3.

   bind authentication policylabel post-epa-usergroup-check -policyName radius-auth -priority 100 -gotoPriorityExpression END
   bind authentication policylabel post-epa-usergroup-check -policyName ldap-auth -priority 110 -gotoPriorityExpression END

   Here END indicates the end of the authentication mechanism for that leg.

5. Create an action to perform the EPA scan and associate it with an EPA scan policy.

   add authentication epaAction EPA-client-scan -csecexpr "sys.client_expr(\"app_0_MACBROWSER_1001_VERSION_<=_10.0.3\")||sys.client_expr(\"os_0_win7_sp_1\")" -defaultEPAGroup default_group -quarantineGroup quarantined_group

   Just as an example, the above expression checks whether macOS users have a browser version of 10.0.3 or lower, or whether Windows 7 users have Service Pack 1 installed. default_group and quarantined_group are pre-configured user groups.

   add authentication Policy EPA-check -rule true -action EPA-client-scan

6. Bringing it all together, bind the EPA scan policy to the AAA vserver with the next factor pointing to the policy label post-epa-usergroup-check, which performs the next step in authentication.

   bind authentication vserver MFA_AAA_vserver -policy EPA-check -priority 100 -nextFactor post-epa-usergroup-check -gotoPriorityExpression NEXT

Additional Resources

nFactor concepts: https://support.citrix.com/article/CTX222713
LDAP Authentication: https://support.citrix.com/article/CTX108876
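The following is an added example, not part of the original article and not NetScaler code: a small Python model of the decision flow that steps 1 to 6 configure, so the ordering of the policy evaluation can be traced offline. The policy, action and group names are the ones used in the steps above; the Device fields and the reading of the csecexpr (browser version 10.0.3 or lower on macOS, Service Pack 1 on Windows 7) are assumptions made for the model, and the credential actions are stand-ins that only record which backend would be consulted.

```python
"""Model of the nFactor flow from the article: EPA scan -> group tag -> RADIUS or LDAP.
Added example; it does not talk to a NetScaler and is not Citrix code."""
from dataclasses import dataclass, field
from typing import Callable, Optional


# ---- constructed device posture, standing in for what the EPA plug-in reports ----
@dataclass
class Device:
    os: str                                   # "win7", "macos", ... (assumed fields)
    win_service_pack: Optional[int] = None
    mac_browser_version: Optional[tuple] = None


def epa_scan_passes(dev: Device) -> bool:
    """Assumed reading of the article's csecexpr:
    sys.client_expr("app_0_MACBROWSER_1001_VERSION_<=_10.0.3") || sys.client_expr("os_0_win7_sp_1")
    Either clause being true passes the scan."""
    mac_ok = (dev.os == "macos" and dev.mac_browser_version is not None
              and dev.mac_browser_version <= (10, 0, 3))
    win_ok = dev.os == "win7" and dev.win_service_pack == 1
    return mac_ok or win_ok


@dataclass
class Session:
    device: Device
    groups: set = field(default_factory=set)   # groups the user is tagged with so far
    trace: list = field(default_factory=list)  # human-readable record of the flow

    def is_member_of(self, group: str) -> bool:  # models HTTP.REQ.USER.IS_MEMBER_OF(...)
        return group in self.groups


# ---- policy objects mirroring the CLI entities (names taken from the article) ----
@dataclass
class Policy:
    name: str
    rule: Callable[[Session], bool]
    action: str


@dataclass
class Binding:
    policy: Policy
    priority: int
    goto: str = "NEXT"                # -gotoPriorityExpression: NEXT or END
    next_factor: Optional[str] = None  # -nextFactor: policy label run after this one


def run_epa_action(session: Session) -> None:
    """EPA-client-scan: tag the user with defaultEPAGroup on pass, quarantineGroup on fail.
    As in the article, the user continues to the next factor either way."""
    group = "default_group" if epa_scan_passes(session.device) else "quarantined_group"
    session.groups.add(group)
    session.trace.append(f"EPA-client-scan -> {group}")


def run_credential_action(name: str, session: Session) -> None:
    """Stand-in for ldap_server1 / radius_server1: only records which backend is used."""
    session.trace.append(f"{name} authenticates user")


ACTIONS = {
    "EPA-client-scan": run_epa_action,
    "ldap_server1": lambda s: run_credential_action("ldap_server1", s),
    "radius_server1": lambda s: run_credential_action("radius_server1", s),
}

# bind authentication policylabel post-epa-usergroup-check ... (step 4)
LABELS = {
    "post-epa-usergroup-check": [
        Binding(Policy("radius-auth", lambda s: s.is_member_of("default_group"),
                       "radius_server1"), 100, "END"),
        Binding(Policy("ldap-auth", lambda s: s.is_member_of("quarantined_group"),
                       "ldap_server1"), 110, "END"),
    ],
}

# bind authentication vserver MFA_AAA_vserver -policy EPA-check ... (step 6)
VSERVER_BINDINGS = [
    Binding(Policy("EPA-check", lambda s: True, "EPA-client-scan"), 100, "NEXT",
            "post-epa-usergroup-check"),
]


def evaluate_factor(bindings, session: Session) -> Optional[str]:
    """Policies are tried in ascending priority; the first whose rule is true fires its action.
    Returns the next factor (policy label) to run, or None when this leg of the flow ends."""
    for b in sorted(bindings, key=lambda x: x.priority):
        if b.policy.rule(session):
            ACTIONS[b.policy.action](session)
            session.trace.append(f"{b.policy.name} matched (goto {b.goto})")
            return b.next_factor
    session.trace.append("no policy matched -> access denied")
    return None


def authenticate(device: Device) -> Session:
    """Walk the flow from the AAA vserver binding through each nextFactor label."""
    session = Session(device)
    next_factor = evaluate_factor(VSERVER_BINDINGS, session)
    while next_factor is not None:
        next_factor = evaluate_factor(LABELS[next_factor], session)
    return session


def chosen_backend(device: Device) -> Optional[str]:
    """Which credential store ends up authenticating the user, or None if denied."""
    for entry in authenticate(device).trace:
        if entry.endswith("authenticates user"):
            return entry.split()[0]
    return None


if __name__ == "__main__":
    for dev in (Device("win7", win_service_pack=1), Device("macos", mac_browser_version=(11, 0, 0))):
        print(dev, "->", authenticate(dev).trace)
```

Running the module prints the trace for a compliant Windows 7 device (tagged default_group, authenticated by radius_server1) and a non-compliant macOS device (tagged quarantined_group, authenticated by ldap_server1). Because the two label bindings are evaluated by priority, radius-auth at priority 100 is always consulted before ldap-auth at 110; with this configuration the groups are mutually exclusive, so the order does not change the outcome, but it matters if a later change lets a user carry both tags.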