How to Configure EULA as an Authentication Factor in NetScaler nFactor

EULA Flow

The end-user logon flow with EULA is shown in the picture below. In this flow, the existing first factor is moved to after the EULA: the EULA becomes the first factor (the vserver profile) and the previous first factor becomes the second factor.

nFactor Flow Presentation

The setup can also be created through nFactor Visualizer present in ADC version 13.0 and above.

Configuration through CLI

Step 1: Copy eula.xml to /nsconfig/loginschema on your NetScaler. The XML file is given in the Addendum.

Step 2: Add a login schema for the EULA

add authentication loginSchema eulaschema -authenticationSchema eula.xml
add authentication loginSchemaPolicy eula_schema -rule true -action eulaschema
bind authentication vserver auth -policy eula_schema -priority 5

Step 3: Add the existing authentication factor as the second factor

add authentication loginSchema single_auth -authenticationSchema "LoginSchema/SingleAuth.xml"
add authentication policylabel single_factor -loginSchema single_auth
bind authentication policylabel single_factor -policyName ldap-adv -priority 5

Step 4: Add a NO_AUTHN policy to the vserver cascade that advances to the second factor

add authentication Policy noauth_pol -rule "http.req.url.contains(\"/nf/auth/doAuthentication.do\")" -action NO_AUTHN
bind authentication vserver auth -policy noauth_pol -priority 1 -nextFactor single_factor -gotoPriorityExpression NEXT

Screenshots

Below is the screenshot of the EULA that is configured at vserver as a factor.


Below is the screenshot for the authentication factor (dual factor in this case).

Configuration through Visualizer

1. Go to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add

2. Click on the + sign to add the nFactor Flow

3. Add a Factor; its name becomes the name of the nFactor Flow

4. Add the schema for the first factor by clicking Add Schema and then Add

5. Create a EULA_Schema by selecting the eula.xml login schema

6. Choose the schema for the first factor, that is, the EULA

7. Click Add Policy and then Add to create an authentication policy with the NO_AUTHN action.

8. Click the green + sign to add the next factor, that is, dual authentication (LDAP+RADIUS)

9. Again, add the schema for the second factor by clicking Add Schema and then Add

10. Create a Dual_Auth schema by selecting the DualAuth.xml login schema and then clicking Create

11. Click Add Policy and then Add to select the policy for LDAP authentication

For more information on creating LDAP authentication, see Configuring LDAP Authentication.

12. Click the blue plus sign to add the second authentication

13. Click Add to select the policy for RADIUS authentication

For more information on creating RADIUS authentication, see Configuring RADIUS Authentication.

14. Click Done; this automatically saves the configuration.

15. Select the nFactor Flow just created and bind it to an AAA virtual server by clicking Bind to Authentication Server and then Create

NOTE: Bind and unbind the nFactor Flow only through the Show Bindings option of the nFactor Flow.

To unbind the nFactor Flow:

1. Select the nFactor Flow and click Show Bindings

2. Select the authentication vserver and click Unbind

Addendum

Here is the login schema used for this example. Take care when copying text from a web browser, as certain quotes are rendered differently. Copy the schema below into a text editor and normalize the quotes before saving it.

NOTE: This login schema ships with NetScaler version 13.0 and need not be created separately.

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext></StateContext>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>End User License Agreement</Text><Type>heading</Type></Label>
        <Input />
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>Protecting Gateway's information and information systems is the responsibility of every user of Gateway.</Text><Type>plain</Type></Label>
        <Input />
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>This computer, including any devices attached to this computer and the information systems accessed from this point contain information which is confidential to Organization. Your activities and use of these facilities are monitored and recorded. They are not private and may be reviewed at any time. Unauthorised or inappropriate use of Organization's Information Technology facilities, including but not limited to Electronic Mail and Internet services, is against company policy and can lead to disciplinary outcomes, including termination and/or legal actions. 
Use of these facilities confirms that you accept the conditions detailed in Organization's Group Information Security Policy and Organization's Code of Conduct.</Text><Type>plain</Type></Label>
        <Input />
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>Use of these facilities confirms that you accept the conditions detailed in Organization's Group Information Security Policy and Organization's Code of Conduct.</Text><Type>plain</Type></Label>
        <Input />
      </Requirement>
      <Requirement>
        <Credential><ID>loginBtn</ID><Type>none</Type></Credential>
        <Label><Type>none</Type></Label>
        <Input><Button>Continue</Button></Input>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
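To catch the quote problem described above before the schema is copied to the NetScaler, and to confirm that the Step 4 NO_AUTHN rule names the same path the EULA's Continue button posts to, here is an added Python check; it is not part of the original article or of NetScaler, and the trimmed sample schema, the `check_eula_schema` helper and the `NOAUTH_RULE` string are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"a": "http://citrix.com/authentication/response/1"}
# Curly quotes that a browser may substitute for the ASCII ones when the schema is copied.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Constructed sample: a trimmed eula.xml with smart quotes, as it might arrive from a browser.
SAMPLE_SCHEMA = (
    "<?xml version=\u201c1.0\u201d encoding=\u201cUTF-8\u201d?>"
    "<AuthenticateResponse xmlns=\u201chttp://citrix.com/authentication/response/1\u201d>"
    "<Status>success</Status><Result>more-info</Result><StateContext></StateContext>"
    "<AuthenticationRequirements><PostBack>/nf/auth/doAuthentication.do</PostBack>"
    "<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText>"
    "<Requirements><Requirement><Credential><Type>none</Type></Credential>"
    "<Label><Text>End User License Agreement</Text><Type>heading</Type></Label><Input /></Requirement>"
    "<Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential>"
    "<Label><Type>none</Type></Label><Input><Button>Continue</Button></Input></Requirement>"
    "</Requirements></AuthenticationRequirements></AuthenticateResponse>"
)
# The NO_AUTHN policy rule from Step 4, as passed to the CLI (constructed copy).
NOAUTH_RULE = 'http.req.url.contains("/nf/auth/doAuthentication.do")'


def normalize_quotes(text):
    """Replace curly quotes with their ASCII equivalents (the fix the Addendum asks for)."""
    for bad, good in SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text


def check_eula_schema(schema_text, noauth_rule):
    """Parse the schema, verify it is a credential-free EULA with one Continue button, summarise it."""
    root = ET.fromstring(normalize_quotes(schema_text).encode("utf-8"))
    if root.tag != "{%s}AuthenticateResponse" % NS["a"]:
        raise ValueError("not an nFactor AuthenticateResponse: %s" % root.tag)
    postback = root.findtext("a:AuthenticationRequirements/a:PostBack", namespaces=NS)
    reqs = root.findall(".//a:Requirement", NS)
    # A EULA factor must not prompt for any credential: every Credential/Type is "none".
    prompts = [r for r in reqs if r.findtext("a:Credential/a:Type", namespaces=NS) != "none"]
    if prompts:
        raise ValueError("EULA schema must not collect credentials (%d prompts)" % len(prompts))
    buttons = [b.text for b in root.findall(".//a:Input/a:Button", NS)]
    if len(buttons) != 1:
        raise ValueError("expected exactly one button, found %r" % buttons)
    # The Step 4 NO_AUTHN rule must name the path the Continue button posts to.
    m = re.search(r'contains\("([^"]+)"\)', noauth_rule)
    rule_path = m.group(1) if m else None
    return {"postback": postback, "button": buttons[0], "requirements": len(reqs),
            "rule_matches_postback": bool(rule_path and postback and rule_path in postback)}
```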
