What is “LDAP no such user xxx” and “RADIUS IP attribute missing, packet dropped”

I need a solution


I just wonder what is the meaning of these logs because it is generated almost everyday and too many. I cannot find any KB or article about these logs. Is there a way to stop these logs?

Note: This is ProxyASG S400-30 Version

2019-07-26 15:29:13+07:00ICT  "LDAP: no such user xxx"  5 250023:1  realm_ldap.cpp:3688
2019-07-26 15:29:08+07:00ICT  "Session Monitor: RADIUS IP attribute missing, packet dropped."  0 32000A:96  radius_session_notification_monitor.cpp:582

Any help would be appreciated.



  • No Related Posts

How to Configure EULA as an Authentication Factor in NetScaler nFactor


End user logon flow with EULA is depicted in below picture. In this flow, existing ‘first factor’ is moved to after the EULA. EULA becomes a first/vserver profile with previous first-factor becoming a second factor.

User-added image

nFactor Flow Presentation

The setup can also be created through nFactor Visualizer present in ADC version 13.0 and above.

Configuration through CLI

Step1: Copy eula.xml to /nsconfig/loginschema on your NetScaler. Actual XML file is available in Addendum

Step 2: add a loginschema for EULA

add authentication loginSchema eulaschema -authenticationSchema eula.xmladd authentication loginSchemaPolicy eula_schema -rule true -action eulaschemabind authentication vserver auth -policy eula_schema -priority 5

Step 3: add authentication factor as a secondary factor

add authentication loginSchema single_auth -authenticationSchema "LoginSchema/SingleAuth.xml"add authentication policylabel single_factor -loginSchema single_authbind authentication policylabel single_factor -policyName ldap-adv -priority 5

Step 4: add no-auth policy at the vserver cascade

add authentication Policy noauth_pol -rule "http.req.url.contains("/nf/auth/doAuthentication.do")" -action NO_AUTHNbind authentication vserver auth -policy noauth_pol -priority 1 -nextFactor single_factor -gotoPriorityExpression NEXT


Below is the screenshot of the EULA that is configured at vserver as a factor.

User-added image

Below is the screenshot for the authentication factor (dual factor in this case).

Configuration through Visualizer:

1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add

2. Click on the + sign to add the nFactor Flow

3. ​​​​ Add Factor, this will be the name of the nFactor Flow

4. Add the schema for the First Factor by clicking on the Add Schema and then Add

5. Create a EULA_Schema by selecting the eula.xml login schema

6. Choose the Schema for First Factor, that is the EULA

7. Click on Add Policy and then add to Create Authentication Policy for NO_AUTHN.

8. By clicking on green + sign add the next Factor that is Dual Authentication (LDAP+RADIUS)

9. Again, add the schema for the Second Factor by clicking on the Add Schema and then Add

10. Create a Dual_Auth Schema by selecting the DualAuth.xml login schema and then clicking Create

11. Click on Add Policy and then add to Select Policy for LDAP Authentication

For more information on creating LDAP Authentication see, Configuring LDAP Authentication

12. Click on blue colored plus sign to add the Second Authentication

13. Click Add to select the policy for the RADIUS Authentication

For more information on creating RADIUS Authentication see, Configuring RADIUS Authentication

14. Click on Done this will automatically save the configuration.

15. Select the nFactor Flow just created and bind it to a AAA Virtual Server by clicking on Bind to Authentication Server and then Create

NOTE : Bind and Unbind the nFactor Flow through the option given in nFactor Flow under Show Bindings only.

To unbind the nFactor Flow:
1. Select the nFactor Flow and Click on Show Bindings

2. Select the Authentication VServer and Click Unbind


Here is the loginSchema used for this example. Care should be taken when copying text from web browser as certain quotes are rendered differently. Readers are advised to copy below schema in text editor to normalize quotes.

NOTE: This login Schema is present in NetScaler version 13.0 and need not be created separately.

<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"><Status>success</Status><Result>more-info</Result><StateContext></StateContext><AuthenticationRequirements><PostBack>/nf/auth/doAuthentication.do</PostBack><CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement><Credential><Type>none</Type></Credential><Label><Text>End User License Agreement</Text><Type>heading</Type></Label><Input /></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>Protecting Gateway's information and information systems is the responsibility of every user of Gateway.</Text><Type>plain</Type></Label><Input /></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>This computer, including any devices attached to this computer and the information systems accessed from this point contain information which is confidential to Organization. Your activities and use of these facilities are monitored and recorded. They are not private and may be reviewed at any time. Unauthorised or inappropriate use of Organization's Information Technology facilities, including but not limited to Electronic Mail and Internet services, is against company policy and can lead to disciplinary outcomes, including termination and/or legal actions. Use of these facilities confirms that you accept the conditions detailed in Organization's Group Information Security Policy and Organization's Code of Conduct.</Text><Type>plain</Type></Label><Input /></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>Use of these facilities confirms that you accept the conditions detailed in Organization's Group Information Security Policy and Organization's Code of Conduct.</Text><Type>plain</Type></Label><Input /></Requirement><Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Continue</Button></Input></Requirement></Requirements></AuthenticationRequirements></AuthenticateResponse>
User-added image


Add multiple Basic Authentication LDAP policies/servers to Gateway or LB VIP

The best way to add additional LDAP servers for authentication is to add another LDAP Authentication Policy which is associated with another LDAP server and then bind that new policy to your Gateway or LB VIP.

This article only works with Basic Authentication with LDAP but if you have an Authentication Profile on Gateway the process below will not work.

For Basic Authentication Policies with LDAP:

Log into the Netscaler GUI.

Click on “Citrix Gateway” (or Traffic Management -> Load Balancing) -> Virtual Server -> select your virtual server where you wish to add more LDAP servers.

Under “Basic Authentication” click on the LDAP Policy (If no policy exists you will create one here). Select the policy and click “Edit Server”. Make sure to copy the settings so that they are the same on the second LDAP server/policy you are about to create. Click Close.

For the existing Policy, write down the Priority value. You will want this to be the same for the new LDAP servers unless you specifically want a lower priority.

Select “Add Binding”. Change the Priority to match the one you just wrote down. Then click “Add” next to “Select Policy”

Create a Name for the policy. Make the Expression in the lower box: NS_TRUE

Click on “Add” next to Server selection box. Add all the server details for the second LDAP server. They should all be the same except for the IP address of the new server. Click on “Create”.

Click “Create” on the LDAP Policy page to create the policy with the new server.

Click on “Bind” to bind the policy with the set priority.

Now you should see two LDAP policies with the same priority and different policy names.

Next to Select Policy press the “Add” button and on the next screen click “Add’ to create a new LDAP policy.

PLEASE NOTE: These LDAP policies will NOT Round Robin. The first LDAP server will always be used unless it cannot authenticate, it goes down, or is otherwise unavailable. Only then will the second LDAP server be used.


  • No Related Posts

ProxySG | LDAP authentication multiple domain in 1 forest

I need a solution

Dear All,

Can I ask if ProxySG (VM) can do LDAP authentication in a multiple domain in 1 forest?

For example, customers have domain A and domain B, which are in the same forest, and there is a case sometimes where there is a user at the branch A to temporarily move to working at branch B.

So still want Authentication and receiving the policy that box proxy on the branch B, like the branch A

(ProxySG Appliances of customers are located in both branches)
Please recommend solution for this case.
If you would like more information please let me know.
Thank you so much for your help.
Best Regards,
Chakuttha R.


  • No Related Posts

“Failure – Probe time out” When Configuring Citrix ADC LDAP Monitor for Service Group

It is a best practice to reduce the returned values to a small number. For Active Directory LDAP systems the filter can be set to cn=Builtin that returns minimal results.

To make this change using ADCGUI, go to Traffic Management > Load balancing > Monitors > edit the LDAP Monitor and add CN=Builtin as filter.

User-added image

To make this change using ADC CLI:

add lb monitor MonitorName -scriptName nsldap.pl -dispatcherIP -dispatcherPort 3013 -password password -encrypted -encryptmethod ENCMTHD_3 -LRTM ENABLED -baseDN "DC=dom,DC=com" -bindDN "CN=UserName,OU=CustomOU,DC=com,DC=com" -filter CN=Builtin


  • No Related Posts

How to hide secondary password field for login page of NetScaler Gateway

Create the following rewrite policy and action to hide secondary password field from NetScaler Login page.

Please follow the below steps, to match the configuration that worked to remove the secondary password field:

1. Open your NS GUI, click on Configuration and open the NetScaler Gateway section.

2. Go to your Gateway vServer and open the Policies menu.

3. Click on the + button.

4. Choose Policy “Rewrite” and Choose Type “Response” , exactly the same as the image below :

5. Go to Policy Binding and Click on Add.

6. Edit the fields of the Rewrite Policy like in the image below, with the expression “HTTP.REQ.HEADER(User-Agent).CONTAINS(AGEE).NOT” :

7. At the Action field, click on Add bottom.

8. Create the Action like in the image below, with the following expression “
pwcount= + 1” :

9. Click on Create bottom, with the Remove_Password_Action selected in the Action field.

10. Bind the policy to the Gateway vServer.

11. Click on Done, save the configuration and Test.

Working with Browser :

This rewrite policy works with Web Browser, however it will not functions the same with Receiver.


NOTE: Remember that the “Rewrite” Basic Feature have to be enabled on the NetScaler, to use this policy.

if you use solution below then users are unable to change password if LDAP prompts for it.

If we want to disable the RSA field on first screen on Web Browser as well as on Receiver window ( Including Windows / MAC / IOS / Android ) Receiver , apply the below changes under the LDAP server profile as mentioned in the screenshot :

Uncheck the Authentication tab if its already checked, and then you will find your LDAP logon on logon page and RSA token is on another page separately.

User-added image


  • No Related Posts