nFactor for gateway authentication
nFactor authentication enables a whole new set of possibilities regarding authentication. Administrators using nFactor enjoy authentication, authorization, and auditing flexibility when configuring authentication factors for virtual servers.
Two policy banks or two factors no longer restrict an administrator. The number of policy banks can be extended to suit different needs. Based on previous factors, nFactor determines a method of authentication. Dynamic login forms and on-failure actions are possible by using nFactor.
Important
- Starting from release 13.0 build 67.x, nFactor authentication is supported with Standard license only for Gateway/VPN virtual server. In Standard license, the nFactor visualizer GUI cannot be used to create the EPA in the nFactor flow. Also, you cannot edit the login schema, but must use the out-of-the-box login schema as-is.
- For Citrix ADC to support nFactor authentication, an Advanced license or a Premium license is required. For more information about nFactor authentication with Citrix ADC, see nFactor authentication.
Authentication, authorization, and auditing feature licensing requirements
The following table lists the licensing requirements for the available authentication, authorization, and auditing features.
Feature | Standard License | Advanced License | Premium License
---|---|---|---
LOCAL authentication | Yes | Yes | Yes |
LDAP authentication | Yes | Yes | Yes |
RADIUS authentication | Yes | Yes | Yes |
TACACS authentication | Yes | Yes | Yes |
Web authentication | Yes | Yes | Yes |
Client cert authentication | Yes | Yes | Yes |
Negotiate authentication | Yes | Yes | Yes |
SAML authentication | Yes | Yes | Yes |
OAuth authentication | No | Yes | Yes |
Native OTP | No | Yes | Yes |
Email OTP | No | Yes | Yes |
Push notification for OTP | No | No | Yes |
Knowledge based question and answer (KBA authentication) | No | Yes | Yes |
Self service password reset (SSPR) | No | Yes | Yes |
nFactor Visualizer | Yes | Yes | Yes |
Note
- For steps to configure nFactor for the Citrix ADC Standard License, see the section Create a Gateway virtual server for nFactor authentication in Citrix ADC Standard license.
- Only a non-addressable authentication, authorization, and auditing virtual server can be bound to a Gateway/VPN virtual server in Citrix ADC Standard license.
- Customization of LoginSchema is not allowed in the Citrix ADC Standard license. The nFactor support is basic with only default and already added login schemas that come with the appliance. The administrator can use them in their configurations, but they cannot add a login schema. Hence the GUI option is disabled.
Use cases
nFactor authentication enables dynamic authentication flows based on the user profile. Sometimes, the flows can be simple and intuitive to the user. In other cases, they can be coupled with securing active directory or other authentication servers. The following are some requirements specific to Gateway:
- Dynamic user name and password selection. Traditionally, the Citrix clients (including browsers and Receivers) use the Active Directory (AD) password as the first password field, and the second password field is reserved for the One-Time Password (OTP). However, to protect the AD servers, the OTP must be validated first. nFactor can do this without requiring client modifications.
- Multi-tenant authentication endpoint. Some organizations use different Gateway servers for certificate and non-certificate users. With users logging in from their own devices, a user's access level on the Citrix ADC appliance varies with the device being used. Gateway can cater to these different authentication needs.
- Authentication based on group membership. Some organizations obtain user properties from AD servers to determine authentication requirements, which can vary for individual users.
- Authentication co-factors. Sometimes, different pairs of authentication policies are used to authenticate different sets of users. Pairing policies strengthens the effective authentication. Dependent policies can be built from one flow; in this manner, independent sets of policies become flows of their own, which increases efficiency and reduces complexity.
Authentication response handling
Citrix Gateway registers callback handlers for authentication responses. The AAAD (authentication daemon) responses, together with their success, failure, error, and dialogue codes, are fed to the callback handle, and these codes direct Gateway to take the appropriate action.
Client support
The following table lists nFactor support details for each client.
Client | nFactor Support | Authentication Policy Bind Point | EPA |
---|---|---|---|
Browsers | Yes | Authentication | Yes |
Citrix Workspace app | Yes | VPN | Yes |
Gateway Plug-in | Yes | VPN | Yes |
Note:
- Citrix Workspace app supports nFactor authentication for the supported operating systems from the following versions onward:
  - Windows 4.12
  - Linux 13.10
  - Mac 1808
  - iOS 2007
  - Android 1808
  - HTML5: supported through Store Web
  - Chrome: supported through Store Web
Command line configuration
The Gateway virtual server needs an authentication profile that names the authentication virtual server as an attribute. Naming the authentication virtual server in that attribute is the only configuration this model requires.

```
add authnProfile <name-of-profile> -authnVsName <name-of-auth-vserver>
```
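The following is an added configuration example, not from the original page, showing how the authentication profile above fits into a complete Standard-license style setup: a non-addressable authentication virtual server (the only kind that can be bound to a Gateway virtual server under the Standard license, per the note above), an AD (LDAP) first factor, an OTP (RADIUS) second factor reached through a policy label, and the built-in DualAuth login schema used as-is. All names (`nf_auth_vs`, `gw_vs`, `nf_profile`, `ldap_ad`, `rad_otp`, `otp_factor`), the RFC 5737 IP addresses, the LDAP base DN, the bind account and the placeholder secrets are assumptions for illustration.

```text
# Non-addressable authentication virtual server (IP 0.0.0.0): it is never
# exposed directly; the Gateway virtual server reaches it via the authnProfile.
add authentication vserver nf_auth_vs SSL 0.0.0.0

# Gateway virtual server that users actually connect to (assumed address).
add vpn vserver gw_vs SSL 192.0.2.10 443

# Factor 1: Active Directory over LDAPS. A dedicated, least-privilege bind
# account is assumed; the password is a placeholder.
add authentication ldapAction ldap_ad -serverIP 192.0.2.5 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc-ns-bind,ou=service,dc=example,dc=com" -ldapBindDnPassword <bind-password-placeholder> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication Policy ldap_pol -rule true -action ldap_ad

# Factor 2: OTP validated against a RADIUS server (shared secret is a placeholder).
add authentication radiusAction rad_otp -serverIP 192.0.2.20 -serverPort 1812 -radKey <radius-secret-placeholder>
add authentication Policy otp_pol -rule true -action rad_otp

# The second factor lives in a policy label. LSCHEMA_INT is the built-in
# "no schema" label: the factor consumes the second password already collected
# by the DualAuth form instead of rendering a new one.
add authentication policylabel otp_factor -loginSchema LSCHEMA_INT
bind authentication policylabel otp_factor -policyName otp_pol -priority 100 -gotoPriorityExpression END

# Out-of-the-box two-password form, used unmodified as the Standard license requires.
add authentication loginSchema dual_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication loginSchemaPolicy dual_schema_pol -rule true -action dual_schema
bind authentication vserver nf_auth_vs -policy dual_schema_pol -priority 100 -gotoPriorityExpression END

# Bind factor 1 and chain it to factor 2 with -nextFactor; a user only reaches
# the OTP check after the AD credentials are accepted.
bind authentication vserver nf_auth_vs -policy ldap_pol -priority 100 -nextFactor otp_factor -gotoPriorityExpression NEXT

# The one line the page's command refers to: name the authentication virtual
# server in an authentication profile, then attach the profile to the Gateway.
add authnProfile nf_profile -authnVsName nf_auth_vs
set vpn vserver gw_vs -authnProfile nf_profile
```

If the use case on this page that requires the OTP to be checked before AD is wanted instead, swap the roles: bind `otp_pol` on `nf_auth_vs` with `-nextFactor` pointing at a label that holds `ldap_pol`. Either way, verify the flow end-to-end with `show authentication vserver nf_auth_vs` and a test login before exposing the Gateway virtual server.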