Configure user name and two passwords with group extraction in third factor by nFactor authentication 编辑
Configure user name and two passwords with group extraction in third factor by nFactor authentication
The following section describes the use case of user name and two passwords with group extraction in a third factor by nFactor authentication.
User name and two passwords with group extraction in third factor
Assume a use case where, admins configure first authentication factor to have a user name and two password fields. The second factor is a pass through (there is no login page for this factor), which uses the user name and second password from the first factor. The third authentication factor is pass through and is configured for group extraction using user name from first factor.
Once you access the traffic management virtual server, you are redirected to the login page.
The client submits a user name and two passwords. For example, user1, pass1 and pass2.
First factor is evaluated against a local policy for user1 and pass1. Evaluation is successful and the next factor is passed, policy “label1” in this case.
The policy label specifies that the second factor is pass through with a RADIUS policy. A pass through schema means that Citrix ADC appliance does not go back to the client for any further input. Citrix ADC appliance simply uses the information it already has. In this case, it is user1 and pass2. The second factor is then evaluated implicitly. After successful evaluation, the next factor is passed (policy “label2” in this case.)
The policy label specifies that the third factor is pass through with an LDAP policy configured for group extraction. Citrix ADC appliance implicitly uses the user name from the first factor.
The authentication server returns cookies and a response that redirect the client’s browser back to the traffic management virtual server, where the requested content is. If a login fails, the client’s browser is presented with the original logon page so that the client can retry.
<?xml version="1.0" encoding="UTF-8"?> <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"› <Status>success</Status> <Result>more-info</Result> <StateContext></StateContext> <AuthenticationRequirements> <PostBack>/nf/auth/doAuthentication.do</PostBack> <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPost8ack> <CancelButtonText>Cancel</CancelButtonText> <Requirements> <Requirement><Credentia1><ID>logingID><SaveID>ExplicitForms-UsernamegSaveID><Type>username</Type></Credential><Label><Text>User name</Text><Type>p lain</Type></Label><Input><AssistiveText>Please supply either domain\username or user@fully. qualified.d main</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue>S{http.req.user.name}</InitialValue><Constrain t>.+</Constraint></Text></Input></Requirenent> <Requirement><Credentia1><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type> plaingType></Label><Input><Text><Secret>true</Secret><ReadOnly>falsegReadOnly><InitialVa lue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement> <Requirement><Credentia1><Type>none</Type></Credential><Label><Text>Second factor</Text><Type>confirmation</Type></Label><Input /></Requirement> <Requirement><Credentia1><ID>login8tn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requ irement> </Requirements> </AuthenticationRequirements> </AuthenticateResponse>
Perform the following by using the CLI
Configure traffic management and authentication virtual server.
add lb vserver lbvs1 HTTP 10.217.28.152 80 -AuthenticationHost auth1.nsi-test.com -Authentication ON
add authentication vserver avn SSL 10.217.28.154 443 -AuthenticationDomain dep.sqltest.net
Configure a first factor.
add authentication loginSchema login1 -authenticationSchema login-2passwd.xml
add authentication loginSchemaPolicy login1 -rule true -action login1
Configure a second factor.
add authentication loginSchema login2 -authenticationSchema noschema
add authentication policylabel label1 -loginSchema login2
Configure a third factor.
add authentication loginSchema login_pass -authenticationSchema noschema
add authentication policylabel label2 -loginSchema login_pass
Configure LOCAL, RADIUS, and LDAP factor.
add authentication Policy localpolicy -rule true -action LOCAL
add authentication ldapAction ldapact -serverIP 10.217.201.84 -ldapBase "cn=users,dc=dep,dc=sqltest,dc=net" -ldapBindDn Administrator@dep.sqltest.net -ldapBindDnPassword 8f7e6642195bc181f734cbc1bd18dfaf03bf9835abda7c045f7a964ceb58d4c9 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN -ssoNameAttribute userprincipalname
add authentication Policy ldappolicy -rule true -action ldapact
add authentication radiusAction radius -serverIP 10.217.22.20 -radKey a740d6a0aeb3288fa0a6fbe932d329acddd8f448ecb4a3038daa87b36599fd16 -encrypted -encryptmethod ENCMTHD_3 -radNASip ENABLED -radNASid NS28.50 -radAttributeType 11 -ipAttributeType 8
add authentication Policy radiuspolicy -rule true -action radius
Bind the policies.
bind authentication vserver avn -policy login1 -priority 10 -gotoPriorityExpression END
bind authentication vserver avn -policy localpolicy -priority 2 -nextFactor label1 -gotoPriorityExpression NEXT
bind authentication policylabel label1 -policyName radiuspolicy -priority 1 -gotoPriorityExpression NEXT -nextFactor label2
bind authentication policylabel label2 -policyName ldappolicy -priority 10 -gotoPriorityExpression NEXT
Note
The setup can also be created through the nFactor Visualizer available in Citrix ADC version 13.0 and later.
Configuring by using the nFactor Visualizer
Navigate to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flows and click Add.
Click + to add the nFactor flow.
Add a factor. The name that you enter is the name of the nFactor flow. Click Create.
Click Add Schema to add the login schema for the first factor. You can create an authentication login schema or select an existing authentication login schema from the list. Click OK.
Click Add Policy to add the first factor authentication policy. You can create an authentication policy or select an existing authentication policy from the list.
Create Local policy, as per the following.
Click green + to add the second factor.
Click Add Schema to add the login schema for the second factor. You can create an authentication login schema or select an existing authentication login schema from the list. Click OK.
Click Add Policy to create a policy. Click Create and click Add.
Note
In case the RADIUS actions is not created, see To configure RADIUS authentication
Click green + to add the third factor, and click Create.
Click Add Schema to add the login schema for the second factor. You can create an authentication login schema or select an existing authentication login schema from the list. Click OK.
Click Add Policy to create a policy. Click Create and click Add.
In case the LDAP action is added, select the same. If not, follow the KB article to create one, also since you are doing only extraction, make sure to have the authentication disabled on the LDAP action. For more information, see How to Use LDAP for Group Extraction Through NetScaler Without Authentication
On the Configure Authentication Policy add LDAP policy and click OK.
Click Done. Select nFactor flow and click Bind to Authentication Server option and select the authentication, authorization, and auditing virtual server from the list.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论