nFactor – Get Two Passwords Up Front then Pass-Through in Next Factor on NetScaler

This article describes the following scenario:

An administrator configures two-factor authentication with one login schema and one pass-through schema. The client submits one user name and two passwords. The user name and first password are evaluated by an LDAP policy as the first factor; the user name and second password are evaluated by a RADIUS policy as the second factor.

These steps are described in detail in the following sections. The first section briefly introduces the entities encountered in this article, and in nFactor authentication in general. The next section walks through the flow step by step. The remaining sections give an example LoginSchema that renders the logon form, and the relevant configuration.

Entities Used in nFactor

LoginSchema

Login Schema is an XML construct that gives the UI tier enough information to generate the user interface from the XML blob it is sent. Put another way, LoginSchema is a logical representation of the logon form in XML.

It can be added as shown:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwdExpression <Expression>

where authenticationSchema is well-formed XML that defines how the login form is rendered, userExpression is the expression used to extract the user name from the login attempt, and passwdExpression is the expression used to extract the password. The configuration for this use case instead uses -userCredentialIndex and -passwordCredentialIndex, which store the user name and password received through this schema at the given attribute indices in the session.

Authentication policylabel

Authentication policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogenous policies, which means that the credentials received from the user apply to all the policies in the cascade. There are exceptions to this when a fallback option is configured or a feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there is no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the virtual server cascade.

When you bind an authentication policy to authentication virtual server, you specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.

It can be added as shown here:

add authentication policylabel <name> -loginSchema <loginSchemaName>

where loginSchemaName is the login schema to associate with this authentication factor.

We can bind authentication policies to this label:

bind authentication policylabel <name> -policyName LDAP -priority 10 -nextFactor <nextFactorLabelName>

Use Case Description

  1. The client browser accesses the Traffic Management (TM) virtual server and is redirected to the logon page on the authentication virtual server.

  2. The client submits a user name and two passwords, for example user1, pass1 and pass2.

  3. The first factor is evaluated against the LDAP action with user1 and pass1. Evaluation succeeds and the next factor, policy label "label1" in this case, is entered.

  4. The policy label specifies that the second factor is pass-through with a RADIUS policy. A pass-through schema (noschema) means that NetScaler does not go back to the client for any further input; it uses the information it already has, here user1 and pass2. The second factor is therefore evaluated implicitly.

  5. On success, the authentication virtual server sets its cookies and returns a response that redirects the client's browser back to the TM virtual server where the requested content is. If logon failed, the client's browser is presented with the original logon page so that the client can retry.
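The following Python script is an added example, not code from the article or from Citrix: it models the factor chain described in the entities section and in the steps above (the virtual server cascade, policy labels reached through nextFactor, and a noschema factor evaluated as pass-through from credentials already gathered), so the evaluation can be traced off-box. The LDAP and RADIUS back ends are constructed in-memory stubs, and the choice to have the RADIUS stub read the second password field (passwd1) is an assumption of the model; the article only states that the second factor is evaluated with user1 and pass2.

```python
# Added example, not code from the article or from Citrix: a model of the
# nFactor chain (vserver cascade -> policy labels via nextFactor, with a
# noschema factor evaluated as pass-through from already-gathered credentials).
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Policy:
    name: str
    action: Callable[[dict], bool]     # the authentication action; stub back ends below
    next_factor: Optional[str] = None  # policylabel to continue with on success; None ends the chain


@dataclass
class Factor:
    name: str
    login_schema: str                  # "noschema" = pass-through; anything else is a form the client posts
    policies: List[Policy] = field(default_factory=list)  # the cascade, in priority order


# Constructed stand-ins for the LDAP and RADIUS servers. Assumption: the RADIUS
# stub reads the second password field (passwd1); the article only says the
# second factor is evaluated with user1 and pass2.
LDAP_USERS = {"user1": "pass1"}
RADIUS_PASSCODES = {"user1": "pass2"}


def ldap_action(creds: dict) -> bool:
    return LDAP_USERS.get(creds.get("login")) == creds.get("passwd")


def radius_action(creds: dict) -> bool:
    return RADIUS_PASSCODES.get(creds.get("login")) == creds.get("passwd1")


def build_article_flow() -> Dict[str, Factor]:
    """auth56 (form login1, LDAP, nextFactor label1) -> label1 (noschema, RADIUS, end)."""
    return {
        "auth56": Factor("auth56", "login1", [Policy("ldap", ldap_action, "label1")]),
        "label1": Factor("label1", "noschema", [Policy("radius", radius_action, None)]),
    }


def factor_depth(factors: Dict[str, Factor], start: str) -> int:
    """Number of factors on the longest chain from `start`: the article's rule
    that the factor count is the longest policylabel sequence beginning with
    the virtual server cascade."""
    nexts = [p.next_factor for p in factors[start].policies if p.next_factor]
    return 1 + max((factor_depth(factors, n) for n in nexts), default=0)


def authenticate(factors: Dict[str, Factor], start: str, client: Callable[[str], dict]):
    """Walk the chain. `client(form)` is called only for factors that have a
    form and returns the fields the browser posted; a noschema factor reuses
    the credentials gathered so far. Within a factor the cascade is tried in
    priority order and the first policy that succeeds selects the next factor
    (a simplification of gotoPriorityExpression NEXT/END).
    Returns (success, trace); trace entries are (factor, policy, asked_client, passed)."""
    creds: dict = {}
    trace = []
    name: Optional[str] = start
    while name is not None:
        factor = factors[name]
        asked_client = factor.login_schema != "noschema"
        if asked_client:
            creds.update(client(factor.login_schema))
        winner = None
        for policy in factor.policies:
            ok = policy.action(creds)
            trace.append((factor.name, policy.name, asked_client, ok))
            if ok:
                winner = policy
                break
        if winner is None:
            return False, trace  # logon failed: the client would get the logon form again
        name = winner.next_factor
    return True, trace


def make_client(submitted: dict):
    """A browser stand-in that records which forms it was asked to post."""
    posts: List[str] = []

    def client(form: str) -> dict:
        posts.append(form)
        return dict(submitted)

    client.posts = posts  # type: ignore[attr-defined]
    return client


if __name__ == "__main__":
    flow = build_article_flow()
    browser = make_client({"login": "user1", "passwd": "pass1", "passwd1": "pass2"})
    print("factors on the longest chain:", factor_depth(flow, "auth56"))
    print(authenticate(flow, "auth56", browser), "forms posted:", browser.posts)
```

With the article's configuration the browser posts exactly one form (login1); label1 is evaluated without another round trip, and a wrong second password fails the chain at the RADIUS policy without the LDAP step being repeated.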


The following is the logon schema used in this specific logon form:

Note: You can download the XML file from this article’s attachment.

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
      <Status>success</Status>
      <Result>more-info</Result>
      <StateContext></StateContext>
      <AuthenticationRequirements>
        <PostBack>/p/u/doAuthentication.do</PostBack>
        <CancelPostBack>/p/u/doLogoff.do</CancelPostBack>
        <CancelButtonText>Cancel</CancelButtonText>
        <Requirements>
          <Requirement>
            <Credential><Type>none</Type></Credential>
            <Label><Text>Please log on</Text><Type>heading</Type></Label>
            <Input/>
          </Requirement>
          <Requirement>
            <Credential><ID>login</ID><SaveID>login</SaveID><Type>username</Type></Credential>
            <Label><Text>User name:</Text><Type>plain</Type></Label>
            <Input><Text><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input>
          </Requirement>
          <Requirement>
            <Credential><ID>passwd</ID><SaveID>passwd</SaveID><Type>password</Type></Credential>
            <Label><Text>Password:</Text><Type>plain</Type></Label>
            <Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
          </Requirement>
          <Requirement>
            <Credential><ID>passwd1</ID><SaveID>passwd1</SaveID><Type>password</Type></Credential>
            <Label><Text>Passcode:</Text><Type>plain</Type></Label>
            <Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
          </Requirement>
          <Requirement>
            <Credential><ID>savecredentials</ID><SaveID></SaveID><Type>savecredentials</Type></Credential>
            <Label><Text>Remember my credentials</Text><Type>plain</Type></Label>
            <Input><AssistiveText></AssistiveText><CheckBox><InitialValue>false</InitialValue></CheckBox></Input>
          </Requirement>
          <Requirement>
            <Credential><ID>Logon</ID><Type>none</Type></Credential>
            <Label><Type>none</Type></Label>
            <Input><Button>Submit</Button></Input>
          </Requirement>
        </Requirements>
      </AuthenticationRequirements>
    </AuthenticateResponse>

The customizable portions of the logon form are the label texts (Please log on, User name:, Password:, Passcode:, Remember my credentials), the button texts (Submit, Cancel) and the input constraints; administrators can modify these values to suit their needs. The rest of the structure, in particular the Credential IDs (login, passwd, passwd1) and Types, defines the fields that the authentication factors consume.
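As an added example (not part of the article or its attachment), here is a small Python linter for a LoginSchema blob. It lists the credential fields in render order and checks what matters for a two-password form: every password input is masked with Secret set to true, every credential has an ID, and the form carries exactly one username and the expected number of password fields. The embedded schema is a constructed copy of the Requirements in the article's XML; the namespace URI is the one the blob declares.

```python
# Added example, not part of the article or its attachment: a linter for an
# nFactor LoginSchema blob. It lists the credential fields in the order the
# form renders them and checks what matters for a two-password form.
import xml.etree.ElementTree as ET

NS = {"c": "http://citrix.com/authentication/response/1"}  # namespace declared by the blob

# Constructed sample: the same Requirements as the article's login-2passwd schema.
SAMPLE_SCHEMA = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status><Result>more-info</Result><StateContext></StateContext>
  <AuthenticationRequirements>
    <PostBack>/p/u/doAuthentication.do</PostBack>
    <CancelPostBack>/p/u/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement><Credential><Type>none</Type></Credential>
        <Label><Text>Please log on</Text><Type>heading</Type></Label><Input/></Requirement>
      <Requirement><Credential><ID>login</ID><SaveID>login</SaveID><Type>username</Type></Credential>
        <Label><Text>User name:</Text><Type>plain</Type></Label>
        <Input><Text><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement>
      <Requirement><Credential><ID>passwd</ID><SaveID>passwd</SaveID><Type>password</Type></Credential>
        <Label><Text>Password:</Text><Type>plain</Type></Label>
        <Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input></Requirement>
      <Requirement><Credential><ID>passwd1</ID><SaveID>passwd1</SaveID><Type>password</Type></Credential>
        <Label><Text>Passcode:</Text><Type>plain</Type></Label>
        <Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input></Requirement>
      <Requirement><Credential><ID>savecredentials</ID><SaveID></SaveID><Type>savecredentials</Type></Credential>
        <Label><Text>Remember my credentials</Text><Type>plain</Type></Label>
        <Input><AssistiveText></AssistiveText><CheckBox><InitialValue>false</InitialValue></CheckBox></Input></Requirement>
      <Requirement><Credential><ID>Logon</ID><Type>none</Type></Credential><Label><Type>none</Type></Label>
        <Input><Button>Submit</Button></Input></Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
"""


def parse_login_schema(xml_text):
    """Return (postback, fields); fields is the list of credential-bearing
    Requirements in document order, each a dict with id, type, label, secret
    and constraint. Headings, buttons and the remember-me box are skipped."""
    root = ET.fromstring(xml_text)
    postback = root.findtext("c:AuthenticationRequirements/c:PostBack", namespaces=NS)
    fields = []
    for req in root.findall(".//c:Requirements/c:Requirement", NS):
        cred = req.find("c:Credential", NS)
        ctype = cred.findtext("c:Type", default="", namespaces=NS)
        if ctype in ("none", "savecredentials"):
            continue
        text = req.find("c:Input/c:Text", NS)
        secret = text is not None and text.findtext("c:Secret", default="false", namespaces=NS).lower() == "true"
        fields.append({
            "id": cred.findtext("c:ID", default="", namespaces=NS),
            "type": ctype,
            "label": req.findtext("c:Label/c:Text", default="", namespaces=NS),
            "secret": secret,
            "constraint": text.findtext("c:Constraint", default="", namespaces=NS) if text is not None else "",
        })
    return postback, fields


def lint_login_schema(xml_text, expected_passwords=2):
    """Return a list of problems; an empty list means the schema passes."""
    problems = []
    _, fields = parse_login_schema(xml_text)
    for f in fields:
        if not f["id"]:
            problems.append("credential of type %s has no ID" % f["type"])
        if f["type"] == "password" and not f["secret"]:
            problems.append("password field %r is rendered unmasked (Secret is not true)" % f["id"])
    n_user = sum(1 for f in fields if f["type"] == "username")
    n_pass = sum(1 for f in fields if f["type"] == "password")
    if n_user != 1:
        problems.append("expected 1 username field, found %d" % n_user)
    if n_pass != expected_passwords:
        problems.append("expected %d password fields, found %d" % (expected_passwords, n_pass))
    return problems


if __name__ == "__main__":
    postback, fields = parse_login_schema(SAMPLE_SCHEMA)
    print(postback, [(f["id"], f["type"], f["secret"]) for f in fields])
    print("problems:", lint_login_schema(SAMPLE_SCHEMA))
```

Run it against a modified schema before loading it on the appliance; a Passcode field that has lost its Secret element, for example, passes XML validation but echoes the one-time code on screen, and the linter reports it.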

Sequence diagram for this use case


Policies for this use case

  1. TM and authentication virtual server configuration:

    add lb vserver lbvs55 HTTP 1.217.193.55 80 -AuthenticationHost auth56.aaatm.com -Authentication ON

    add authentication vserver auth56 SSL 1.217.193.56 443 -AuthenticationDomain aaatm.com

  2. Login schema and policy label configuration (the first factor uses the two-password schema, the second factor uses the pass-through schema):

    add authentication loginSchema login1 -authenticationSchema login-2passwd.xml -userCredentialIndex 1 -passwordCredentialIndex 2

    add authentication loginSchemaPolicy login1 -rule true -action login1

    add authentication loginSchema login2 -authenticationSchema noschema

    add authentication loginSchemaPolicy login2 -rule true -action login2

    add authentication policylabel label1 -loginSchema login2

  3. LDAP and RADIUS factor configuration:

    add authentication ldapAction ldapAct1 -serverIP 1.217.28.180 -ldapBase "dc=aaatm, dc=com" -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 71ca2b11ad800ce2787fb7deb54842875b8f3c360d7d46e3d49ae65c41550519 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN

    add authentication Policy ldap -rule true -action ldapAct1

    add authentication radiusAction radius -serverIP 1.217.22.20 -radKey a740d6a0aeb3288fa0a6fbe932d329acddd8f448ecb4a3038daa87b36599fd16 -encrypted -encryptmethod ENCMTHD_3 -radNASip ENABLED -radNASid NS28.50 -radAttributeType 11 -ipAttributeType 8

    add authentication Policy radius -rule true -action radius

  4. Binding policies:

    bind authentication vserver auth56 -policy login1 -priority 1 -gotoPriorityExpression END

    bind authentication vserver auth56 -policy ldap -priority 1 -nextFactor label1 -gotoPriorityExpression next

    bind authentication policylabel label1 -policyName radius -priority 2 -gotoPriorityExpression end

Starting with ADC firmware 13.0, the same nFactor configuration can be built with the nFactor Visualizer. The equivalent steps for the configuration above are as follows.

nFactor flow representation using the nFactor Visualizer:

  1. Go to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

  2. Click the + sign to add the nFactor Flow.

  3. Add Factor; this name becomes the name of the nFactor Flow. Click Create.

  4. Click Add Schema to add the two-password schema for the first factor. Click Create.

  5. After adding the schema, click Add Policy to add the LDAP policy. If the LDAP policy already exists, select it from the drop-down list; otherwise create a new LDAP policy by clicking Add. In the Action tab select the LDAP server. If the LDAP server is not yet added, follow this KB article to add an LDAP server on the ADC: https://support.citrix.com/article/CTX123782

  6. Click the + sign to add the RADIUS factor. Click Create.

  7. Do not add a schema for this factor; by default it takes noschema, which makes it the pass-through factor. Click Add Policy to add the RADIUS authentication policy. If the RADIUS policy already exists, select it from the drop-down list; otherwise click Add. If the RADIUS server is not yet added on the ADC, follow this document to add it: https://docs.citrix.com/en-us/netscaler-gateway/12/authentication-authorization/configure-radius/ng-radius-configuration-tsk.html Once the RADIUS policy has been added, click Done.

  8. Select the nFactor flow created and bind it to the AAA virtual server.


The following are some of the important ns.log messages seen for this use case. They show the login schema selected for the first factor (login1), the first factor on the virtual server cascade (auth56), the hand-off to label1, label1 being recognized as pass-through with schema login2, the LOGIN record, and the first request to the TM virtual server carrying the session cookie:

    Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default SSLVPN Message 227 0 : "core 1: ns_get_username_password: loginschema gleaned is login1loginschema=default "
    Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default SSLVPN Message 228 0 : "aaad_authenticate_req: copying policylabel name auth56 to aaa info, type 33 for auth "
    Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default AAATM Message 229 0 : "copying next factor label1 in aaa info for user1 "
    Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default AAA Message 231 0 : "nFactor: Next factor label1 is configured as passthough/implicit, loginschema login2"
    Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default SSLVPN Message 232 0 : "aaad_authenticate_req: copying policylabel name label1 to aaa info, type 65 for auth "
    Jul 29 22:08:00 <local0.info> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default AAATM LOGIN 236 0 : Context user1@1.217.28.186 - SessionId: 29- User user1 - Client_ip 1.217.28.186 - Nat_ip "Mapped Ip" - Vserver 1.217.193.56:443 - Browser_type "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" - Group(s) "N/A"
    Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-0 : default AAATM HTTPREQUEST 374 0 : Context user1@1.217.28.186 - SessionId: 29- lbvs55.aaatm.com User user1 : Group(s) N/A : Vserver 1.217.193.55:80 - 07/29/2015:22:08:00 GMT GET / - -
    Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-0 : default AAATM Message 375 0 : "cookie idx is 12, tmaaa cookie 9, temp cookie -1"
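The following Python is an added example, not from the article: it reconstructs the factor sequence of one logon from ns.log lines of the shape quoted above and flags a LOGIN record that was not preceded by every expected factor, which is the check a practitioner wants when verifying that the pass-through factor actually ran. The log lines inside the script are constructed to mirror the article's messages (same message text, including the "passthough" spelling as quoted; the addresses and session id are made up and differ from the article's).

```python
# Added example, not from the article: reconstruct the nFactor factor sequence
# for one logon from ns.log lines of the shape quoted above and check that a
# LOGIN record was preceded by every expected factor.
import re

# Constructed log lines mirroring the article's messages (message text as quoted
# there, including the "passthough" spelling; addresses and session id are made up).
SAMPLE_LOG = [
    'Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default SSLVPN Message 227 0 : "core 1: ns_get_username_password: loginschema gleaned is login1 "',
    'Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default SSLVPN Message 228 0 : "aaad_authenticate_req: copying policylabel name auth56 to aaa info, type 33 for auth "',
    'Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default AAATM Message 229 0 : "copying next factor label1 in aaa info for user1 "',
    'Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default AAA Message 231 0 : "nFactor: Next factor label1 is configured as passthough/implicit, loginschema login2"',
    'Jul 29 22:08:00 <local0.debug> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default SSLVPN Message 232 0 : "aaad_authenticate_req: copying policylabel name label1 to aaa info, type 65 for auth "',
    'Jul 29 22:08:00 <local0.info> 127.0.0.2 07/29/2015:22:08:00 GMT 0-PPE-1 : default AAATM LOGIN 236 0 : Context user1@192.0.2.10 - SessionId: 29- User user1 - Client_ip 192.0.2.10 - Nat_ip "Mapped Ip" - Vserver 192.0.2.56:443 - Browser_type "Mozilla/5.0" - Group(s) "N/A"',
]

SCHEMA_RE = re.compile(r'loginschema gleaned is ([^\s"]+)')
FACTOR_RE = re.compile(r'copying policylabel name ([^\s"]+) to aaa info')
NEXT_RE = re.compile(r'copying next factor ([^\s"]+) in aaa info for ([^\s"]+)')
PASSTHRU_RE = re.compile(r'Next factor ([^\s"]+) is configured as passthough/implicit, loginschema ([^\s"]+)')
LOGIN_RE = re.compile(r'AAATM LOGIN .*? User ([^\s"]+) - Client_ip ([^\s"]+)')


def reconstruct_flow(lines):
    """Fold the log lines of one logon into a summary: the first-factor login
    schema, the factors entered in order, which factors were announced as
    pass-through (and with which schema), and whether LOGIN was recorded."""
    flow = {"user": None, "client_ip": None, "first_schema": None,
            "factors": [], "passthrough": {}, "login_success": False}
    for line in lines:
        m = SCHEMA_RE.search(line)
        if m:
            flow["first_schema"] = m.group(1)
            continue
        m = FACTOR_RE.search(line)
        if m:
            flow["factors"].append(m.group(1))
            continue
        m = NEXT_RE.search(line)
        if m:
            flow["user"] = flow["user"] or m.group(2)
            continue
        m = PASSTHRU_RE.search(line)
        if m:
            flow["passthrough"][m.group(1)] = m.group(2)
            continue
        m = LOGIN_RE.search(line)
        if m:
            flow["user"], flow["client_ip"] = m.group(1), m.group(2)
            flow["login_success"] = True
    return flow


def check_flow(lines, expected_factors):
    """Return findings; an empty list means every expected factor was entered,
    in order, before LOGIN. A LOGIN without the pass-through factor is the
    case to catch when verifying that the second factor ran."""
    flow = reconstruct_flow(lines)
    expected = list(expected_factors)
    findings = []
    missing = [f for f in expected if f not in flow["factors"]]
    if missing:
        findings.append("factor(s) %s never evaluated%s" % (
            ", ".join(missing), " but LOGIN was recorded" if flow["login_success"] else ""))
    elif flow["factors"] != expected:
        findings.append("factor order %s differs from expected %s" % (flow["factors"], expected))
    for label in flow["passthrough"]:
        if label not in flow["factors"]:
            findings.append("pass-through factor %s announced but never entered" % label)
    return findings


if __name__ == "__main__":
    print(reconstruct_flow(SAMPLE_LOG))
    print("findings:", check_flow(SAMPLE_LOG, ("auth56", "label1")))
```

Feed it the lines for one SessionId at a time; the regular expressions key on the message text only, so the syslog prefix and the PPE that emitted the line do not matter.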

