How to Configure Post-Authentication EPA Scan as a Factor in NetScaler nFactor Authentication

The following graph shows mapping of policies and policy label. We will use this approach for configuring, but from right to left.

User-added image

Complete the following steps from NetScaler CLI:

  1. Create an action to perform EPA scan and associate it with an EPA scan policy.

    add authentication epaAction EPA-client-scan -csecexpr “sys.client_expr(“app_0_MAC-BROWSER_1001_VERSION_<=_10.0.3”)||sys.client_expr(“os_0_win7_sp_1″)”

    Just as an example, the above expression scans if MAC OS users have browser version less than 10.0.3 or if Windows 7 users have Service pack 1 installed.

    add authentication Policy EPA-check -rule true -action EPA-client-scan

  2. Configure Policy label post-ldap-epa-scan, which will host the policy for EPA scan.

    add authentication policylabel post-ldap-epa-scan -loginSchema LSCHEMA_INT

    Note: LSCHEMA_INT is inbuilt schema with no schema (noschema), meaning no additional webpage is presented to user at this step.

  3. Associate policy configured in step 1 with policy label configured in step 2.

    bind authentication policylabel post-ldap-epa-scan -policyName EPA-check – priority 100 -gotoPriorityExpression END

    Here END indicates end of authentication mechanism.

  4. Configure ldap-auth policy to and associate it with a LDAP policy which is configured to authenticate with a particular LDAP server.

    add authentication Policy ldap-auth -rule true -action ldap_server1

    ldap_server1 is LDAP policy and ldap-auth is policy name

  5. Bringing it all together, associate ldap-auth policy to AAA vserver with next step pointing to policy label post-ldap-epa-scan to perform EPA scan

    bind authentication vserver MFA_AAA_vserver -policy ldap-auth -priority 100 – nextFactor post-ldap-epa-scan -gotoPriorityExpression NEXT

Note: Pre-authentication EPA scan is always performed as the first step in nfactor authentication and post- authentication EPA scan is always performed as the last step in nfactor authentication. EPA scans cannot be performed in between a nfactor authentication.

The above configuration can also be performed using nFactor Visualizer, which is a feature available on firmware 13.0 onward, below is the same config using the nFactor Visualizer,

Nfactor flow representation using the nFactor Visualizer:

Configuration through Visualizer:

1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add

2. Click on the + sign to add the nFactor Flow

3. Add Factor, this will be the name of the nFactor Flow

4. Add the schema for the First Factor by clicking on the Add Schema and then Add

5. After adding the schema, click on Add Policy, to add the LDAP policy, in case the LDAP policy is created the same can be selected from the drop down list, if not then create a new LDAP policy by clicking on “Add” as highlighted below.

In the action tab select the LDAP server, in case the LDAP server is not added then please follow this KB article to add an LDAP server on the ADC (

6. Click on the + sign to add the EPA factor,

7. Leave the Add Schema section blank, to have the default no schema applied for this factor, click on Add policy to add the post auth EPA policy and action,

EPA Action:

EPA Policy:

Click Create once done.

8. Once the nFactor flow is complete, bind this flow to the AAA Vserver.


User-added image


Leave a Reply