Configure pre-auth and post-auth EPA scan as a factor in nFactor authentication

September 16, 2021 Contributed by: SC


On Citrix Gateway, Endpoint Analysis (EPA) can be configured to check whether a user device meets certain security requirements and, based on the result, allow or deny the user access to internal resources. The Endpoint Analysis plug-in is downloaded and installed on the user device when the user logs on to Citrix Gateway for the first time. If the user does not install the Endpoint Analysis plug-in, the user cannot log on with the Citrix Gateway plug-in.

To understand the EPA-related concepts used in nFactor, see Concepts and Entities Used for EPA in nFactor Authentication Through NetScaler.

In this topic, an EPA scan is used as the initial check in an nFactor (multifactor) authentication flow, followed by LDAP logon and a second EPA scan as the final check.

Representation of EPA scan used as initial check in nFactor or multifactor authentication

The user connects to the Citrix Gateway virtual IP address and an EPA scan is initiated. If the scan succeeds, the user is shown the login page with user name and password fields for LDAP or AD (Active Directory) authentication. If the credentials are accepted, the user proceeds to the next EPA factor. Because the pre-authentication scan runs before any credentials are requested, a non-compliant device never reaches the login page.


High level steps involved in this configuration

  1. If the pre-authentication scan succeeds, the user is placed in (tagged with) a default user group.

  2. The next authentication method (LDAP) is invoked.

  3. If LDAP authentication succeeds, the user is presented with the next (post-authentication) EPA scan.


Pre-requisites

It is assumed that the following configuration is already in place:

  • VPN virtual server/gateway and authentication virtual server configurations
  • Authentication, authorization, and auditing user groups (for default & quarantined user groups) and associated policies
  • LDAP server configurations and associated policies


Configuration by using the CLI

  1. Create an action to perform an EPA scan and associate it with an EPA scan policy.

    add authentication epaAction SecondEPA_client_scan -csecexpr "sys.client_expr(\"proc_0_firefox\")"

    The preceding expression checks whether the Firefox process is running on the client machine.

    add authentication Policy SecondEPA_check -rule true -action SecondEPA_client_scan
  2. Configure policy label post-epa-scan that hosts the policy for EPA scan.

    add authentication policylabel post-epa-scan -loginSchema LSCHEMA_INT

    Note: LSCHEMA_INT is a built-in schema with no schema (noschema), meaning that no additional web page is presented to the user at this step.

  3. Associate the policy configured in step 1 with the policy label configured in step 2.

    bind authentication policylabel post-epa-scan -policyName SecondEPA_check -priority 100 -gotoPriorityExpression END

    END indicates the end of the authentication mechanism.

  4. Configure the ldap-auth policy and associate it with an LDAP action that is configured to authenticate against a particular LDAP server.

    add authentication Policy ldap-auth -rule true -action ldap_server1

    Here ldap_server1 is the LDAP action (the server configuration listed in the prerequisites) and ldap-auth is the policy name.
  5. Configure policy label ldap-factor, with login schema to capture single factor user name and password.

    add authentication policylabel ldap-factor -loginSchema LoginSchema/SingleAuth.xml

    Note: Replace LoginSchema/SingleAuth.xml with the schema you need if you do not want to use the built-in schema.

  6. Associate the policy configured in step 4 with policy label configured in step 5.

    bind authentication policylabel ldap-factor -policyName ldap-auth -priority 100 -gotoPriorityExpression END -nextFactor post-epa-scan

    END indicates the end of the authentication mechanism for that leg, and nextFactor indicates the factor that follows a successful authentication.

  7. Create an action to perform EPA scan and associate it with an EPA scan policy.

    add authentication epaAction FirstEPA_client_scan -csecexpr "sys.client_expr(\"os_0_win7_sp_1\")" -defaultEPAGroup default_group

    Here default_group is a pre-configured user group to which the user is added when the scan succeeds.

    The preceding expression checks whether a Windows 7 client has Service Pack 1 installed.

    add authentication Policy FirstEPA-check -rule true -action FirstEPA_client_scan
  8. Bind the EPA scan policy to the authentication, authorization, and auditing virtual server, with the next factor pointing to the policy label ldap-factor to perform the next step in authentication.

    bind authentication vserver MFA_AAA_vserver -policy FirstEPA-check -priority 100 -nextFactor ldap-factor -gotoPriorityExpression NEXT
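To make the ordering of the three factors and the effect of -nextFactor, -gotoPriorityExpression and -defaultEPAGroup concrete, the following is an added example that models the CLI configuration above as a small flow simulator. It is not Citrix or NetScaler code and is not part of the original article. It assumes a simplified model in which the EPA plug-in's report is a set of check names (so sys.client_expr("os_0_win7_sp_1") is true when that name is in the set), and it uses a constructed in-memory directory with a single user "alice" in place of the LDAP server; real NetScaler policy evaluation is more elaborate than this.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class EpaAction:
    """Stands in for `add authentication epaAction` (model only)."""
    csecexpr: str                                # e.g. sys.client_expr("os_0_win7_sp_1")
    default_epa_group: Optional[str] = None      # -defaultEPAGroup


@dataclass
class LdapAction:
    """Stands in for an LDAP action; the directory is a constructed dict (model only)."""
    directory: Dict[str, str]                    # username -> password, plaintext for the model


@dataclass
class Binding:
    """One `bind authentication policylabel/vserver ... -policyName ...` line."""
    policy: str
    action: Union[EpaAction, LdapAction]
    priority: int
    goto: str = "END"                            # -gotoPriorityExpression: END or NEXT
    next_factor: Optional[str] = None            # -nextFactor


@dataclass
class Result:
    authenticated: bool
    failed_at: Optional[str]                     # policy name at which the flow stopped
    groups: List[str] = field(default_factory=list)
    login_page_shown: bool = False               # were credentials ever requested?


_CLIENT_EXPR = re.compile(r'sys\.client_expr\("([^"]+)"\)')


def epa_passes(csecexpr: str, client_facts: set) -> bool:
    """Model sys.client_expr("<check>") as: the plug-in reported <check> as true."""
    m = _CLIENT_EXPR.fullmatch(csecexpr)
    if m is None:
        raise ValueError(f"unsupported EPA expression: {csecexpr}")
    return m.group(1) in client_facts


def run_flow(factors: Dict[str, List[Binding]], start: str,
             client_facts: set, credentials: Tuple[str, str]) -> Result:
    """Walk the factors from `start`, in binding priority order, until END or a failure."""
    result = Result(authenticated=False, failed_at=None)
    factor = start
    while True:
        for b in sorted(factors[factor], key=lambda x: x.priority):
            if isinstance(b.action, EpaAction):
                ok = epa_passes(b.action.csecexpr, client_facts)
                if ok and b.action.default_epa_group:
                    result.groups.append(b.action.default_epa_group)
            else:
                result.login_page_shown = True       # LoginSchema/SingleAuth.xml is rendered here
                user, password = credentials
                ok = b.action.directory.get(user) == password
            if not ok:
                result.failed_at = b.policy          # a failed action ends the flow
                return result
            if b.next_factor:
                factor = b.next_factor               # nextFactor takes the flow to the next label
                break
            if b.goto == "END":
                result.authenticated = True
                return result
            # goto NEXT without a next factor: keep evaluating this factor's bindings
        else:
            # Bindings exhausted after a successful action: treated as success in this model.
            result.authenticated = True
            return result


# The page's configuration transcribed into the model: MFA_AAA_vserver's binding is
# the entry point, the two policy labels are the later factors.
DIRECTORY = {"alice": "correct horse"}            # constructed directory (assumption)

FLOW = {
    "MFA_AAA_vserver": [
        Binding("FirstEPA-check",
                EpaAction('sys.client_expr("os_0_win7_sp_1")', default_epa_group="default_group"),
                priority=100, goto="NEXT", next_factor="ldap-factor"),
    ],
    "ldap-factor": [
        Binding("ldap-auth", LdapAction(DIRECTORY),
                priority=100, goto="END", next_factor="post-epa-scan"),
    ],
    "post-epa-scan": [
        Binding("SecondEPA_check", EpaAction('sys.client_expr("proc_0_firefox")'),
                priority=100, goto="END"),
    ],
}


def authenticate(client_facts: set, user: str, password: str) -> Result:
    return run_flow(FLOW, "MFA_AAA_vserver", client_facts, (user, password))


if __name__ == "__main__":
    compliant = {"os_0_win7_sp_1", "proc_0_firefox"}
    print(authenticate(compliant, "alice", "correct horse"))     # authenticated, default_group
    print(authenticate({"proc_0_firefox"}, "alice", "correct horse"))  # denied before login page
```

Running the four cases a practitioner would want to check shows the property the flow is built for: a device failing the pre-auth scan is denied with login_page_shown False (no credentials were ever solicited), a wrong password is denied at ldap-auth, and a device that passes pre-auth and LDAP but fails the post-auth Firefox check is denied at SecondEPA_check even though it was already tagged with default_group.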


Configuration by using the GUI

  1. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Actions > EPA.

    First EPA Scan to check for Automatic Windows Update and a default group

    Create first EPA scan

    Second EPA Scan to check for the Firefox Browser

    Create second EPA scan

  2. Create an EPA Policy. Navigate to Security > AAA-Application Traffic > Policies > Authentication > Advanced Policies > Policy and bind the action created in step 1.

    Policy for first EPA scan

    Create policy for first EPA scan

    Policy for second EPA Scan

    Create policy for second EPA scan

    For more information on advanced EPA, see Advanced Endpoint Analysis Scans.

  3. Create an nFactor flow. Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

    Click to add nFactor

    Note: nFactor Visualizer is available on firmware 13.0 and later.

  4. Add a factor. The name that you enter is the name of the nFactor flow.

    Add factor name

    No schema is required for the EPA scan.

  5. Click Add Policy to add a policy for first factor.

    Click to add a policy

  6. Select the First EPA policy created in step 2.

    Click to select first EPA policy

  7. Click the green + sign and add the next factor, that is LDAP authentication.

    Click to add next factor

  8. Click Add Schema and then click Add to add a schema for the second factor.

    Click to add a schema

  9. Create a schema, in this example Single_Auth and choose this schema.

    Create a single authentication schema

    Select a single authentication schema

  10. Click Add Policy to add an LDAP policy for authentication.

    Add an LDAP policy for authentication

    For more information on creating LDAP authentication, see Configuring LDAP Authentication.

  11. Create Next factor for post authentication EPA scan.

    Create next factor for postauth EPA scan

  12. Click Add Policy, select SecondEPA_Check policy created in step 2, and click Add.

    Click to add a policy

  13. Click Done.

  14. Click Bind to Authentication Server, select the nFactor flow, and then click Create.

    Bind the flow to an authentication virtual server

Unbind the nFactor flow

  1. Select the nFactor flow and click Show Bindings.

  2. Select the authentication virtual server and click Unbind.

    Unbind the flow from authentication virtual server
