When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar to SQL Injection.
Tag: Lightweight Directory Access Protocol
What is “LDAP no such user xxx” and “RADIUS IP attribute missing, packet dropped”
I need a solution
Hi
I just wonder what is the meaning of these logs because it is generated almost everyday and too many. I cannot find any KB or article about these logs. Is there a way to stop these logs?
Note: This is ProxyASG S400-30 Version 6.7.3.14
2019-07-26 15:29:13+07:00ICT "LDAP: no such user xxx" 5 250023:1 realm_ldap.cpp:3688
2019-07-26 15:29:08+07:00ICT "Session Monitor: RADIUS IP attribute missing, packet dropped." 0 32000A:96 radius_session_notification_monitor.cpp:582
Any help would be appreciated.
0
Related:
nFactor – Customizing UI to Display Images
This solution contains two parts – loginSchema extension and custom script to process the extension.
LoginSchema extension
In order to get control over the rendering of the form, a custom ‘id’/’credential’ is injected into loginSchema. This can be done by reusing existing schema and adding one. In this example, we would take a loginSchema that has only one text field (such as /nsconfig/loginschema/LoginSchema/OnlyPassword.xml) and customize it. below is the snippet that could be added. Complete loginSchema is described later in this article.
<Requirement><Credential><ID>swivel_cred</ID><Type>swivel_cred</Type><Input><Text><Hidden>true</Hidden><InitialValue>${http.req.user.name}</InitialValue></Text></Input></Credential></Requirement>
In the above line, we have specified “swivel_cred” as “Type” of the credential. Since this is not recognized as a builtin ‘credential’, UI looks for a handler for this type, and calls it if it exists.
We have also sent an initial value for this credential that is an expression that NetScaler dynamically fills. In this case, we are filling this with user’s name. In this example, it is used to notify swivel server of the username. It might not be needed all the time or it would have to be augmented with some other data. Those details have to be added as required.
Javascript to handle custom credential
When UI finds a custom credential, it looks for handler. All custom handlers are written in /var/netscaler/logon/LogonPoint/custom/script.js for default portal theme. For custom portal themes, script.js could be found in /var/netscaler/logon/themes/<custom_theme>/.
We add below script to render markup for our custom credential:
CTXS.ExtensionAPI.addCustomCredentialHandler({ // The name of the credential, must match the type returned by the server getCredentialTypeName: function () { return "swivel_cred"; }, // Generate HTML for the custom credential getCredentialTypeMarkup: function (requirements) { var div = $("<div></div>"); var image = $("<img/>"); var username = requirements.input.text.initialValue; //Get the secret from the response image.attr({ "style" : "width:200px;height:200px;", "id" : "qrcodeimg", "src" : "https://myswivelserver.citrix.com:8443/pinsafe/SCImage?username=" + username }); div.append(image); return div; }});
In the above snippet, we are handling the markup for ‘swivel_cred’. Credential name highlighted should match the ‘type’ specified earlier in the loginSchema extension.
When asked to generate markup, we are adding an image whose source points to swivel server. Once this is done, UI loads image from specified location. Since our loginSchema also has a textbox, UI renders that text box.
Administrator can modify “style” of image element to resize the image. Currently it configured for 200×200 pixels.
Configuration
nFactor configuration is better constructed bottom-up, ie the last factor first. This is because when you try to specify ‘nextFactor’ for the previous factors, you will require the subsequent factor’s name.
Swivel factor
>add loginschema swivel_image –authenticationSchema /nsconfig/loginschema/SwivelImage.xml
Download SwivelImage.xml from Full Loginschema section:
>add authentication policylabel SwivelFactor –loginSchema swivel_image
>bind authentication policylabel SwivelFactor –policy <policy-to-check-swivel-image> -priority 10
Psuedo Factor for group check
>add authentication policylabel GroupCheckFactor
>add authentication policy contractors_auth_policy –rule ‘http.req.user.is_member_of(“contractors”)’ –action NO_AUTHN
>add authentication policy not_contractors _auth_policy–rule true –action NO_AUTHN
>bind authentication policylabel GroupCheckFactor –policy contractors_auth_policy –pri 10 –nextFactor SwivelFactor
>bind authentication policylabel GroupCheckFactor –policy not_contractors_auth_policy –pri 20
First factor for Active Directory login
>add ldapAction <>
>add authentication policy user_login_auth_policy –rule true –action <>
>bind authentication vserver <> -policy user_login_auth_policy –pri 10 –nextFactor GroupCheckFactor
In above configuration, we technically specified three factors of which one is implicit/pseudo.
The above nFactor configuration can also be achieved using nFactor visualizer, this feature is available from 13.0
The above nFactor flow can be visualized as follows,
Configuration Through Visualizer:
1. Go to Security –> AAA – Application Traffic –> nFactor Visualizer –> nFactor Flows –> Click Add
2.Click on the + sign to add the nFactor Flow
3. Add Factor, this will be the name of the nFactor Flow,
4. Add the schema for the First Factor by clicking on the Add Schema and then Add,
5. Select the first factor login schema i.e for LDAP username and password only, if none exist then you can create one as below, click on create.
6. Click on Add Policy, Select the LDAP authentication policy, click on Add
If you do not have the above LDAP policy, you can create the same by clicking on the Add button corresponding to the select policy drop down list in the above snapshot.
In case the LDAP server is not added on the ADC, click on Add action, please refer to this article to add the LDAP server on the ADC (https://support.citrix.com/article/CTX108876)
7. Add a Decision Box, to check if the users belong to Internal-Group or Contractor group,
8. Click on Add Policy to add a policy to check the group membership,
Similarly, create another policy in the same decision box to check for Contractor group,
9. In case the user belongs to Contractor Group, then we need to have another factor i.e Swivel for such users, Add one more factor for Swivel, Click on Create,
10. Add the Swivel login schema and the policy for the Swivel Image,
Full Loginschema
Below is an example schema with swivel credential and a text box. Care must be taken when copying data for web browser. Quotes might be shown differently. It is recommended to copy in editors like notepad before saving them to files.
<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"><Status>success</Status><Result>more-info</Result><StateContext></StateContext><AuthenticationRequirements><PostBack>/nf/auth/doAuthentication.do</PostBack><CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement><Credential><ID>swivel_cred</ID><Type>swivel_cred</Type><Input><Text><Hidden>true</Hidden><InitialValue>${http.req.user.name}</InitialValue></Text></Input></Credential></Requirement><Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>Hello ${http.req.user.name}, Please enter passcode from above image.</Text><Type>confirmation</Type></Label><Input /></Requirement><Requirement><Credential><ID>saveCredentials</ID><Type>savecredentials</Type></Credential><Label><Text>Remember my password</Text><Type>plain</Type></Label><Input><CheckBox><InitialValue>false</InitialValue></CheckBox></Input></Requirement><Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement></Requirements></AuthenticationRequirements></AuthenticateResponse>
Example output
Once above configuration is performed, image should be displayed like below. Image height, placement can be altered in the javascript mentioned above.
Related:
nFactor – LDAP in First Factor and WebAuth in Second Factor
Note: According to RFC6176 from Internet Engineering Task Force (ITEF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.
This article describes the following scenario:
-
First factor is configured for LDAP Authentication
-
Second Factor is configured for Web Authentication
These steps are described in detail in the following sections. The first section briefly introduces the entities that are encountered in this article, and in general for nFactor authentication. The next section pictographically demonstrates the flow. The following sections have example “LoginSchema” that can be used to realize the logon form, and the relevant configuration.
Entities used in nFactor
LoginSchema
Login Schema is an XML construct that is aimed at providing sufficient information to the UI tier so that it can generate user interface based on the information that is sent in this XML blob. Put another way, LoginSchema is a logical representation of logon form in XML medium.
It can be added as below:
add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>
where authenticationSchema is a well-structured XML that defines the way login form is rendered. UserExpression is used to extract username from login attempt. Likewise passwordExpression is used to extract password.
Authentication Policylabel
Authentication Policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogenous policies, which means, the credentials received from user apply to all the policies in the cascade. However, there are exceptions to this when a fallback option is configured or feedback mechanism is intended.
Authentication policy labels constitute secondary/user-defined factors. With nFactor, there is no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the virtual server cascade.
When we bind an authentication policy to authentication virtual server, we specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.
It can be added as below:
add authentication policylabel <name> -loginSchema <loginSchemaName>
Where, loginSchemaName will be the login schema that we want to associate with this authentication factor.
We can bind authentication policies to this label.
bind authentication policylabel <name> -policy WebAuth –priority 10 –nextfactor <nextFactorLabelName>
Sequence Diagram
nFactor Flow Presentation
The setup can also be created through nFactor Visualizer present in ADC version 13.0 and above.
Description
-
User accesses the web site (<NetScaler Load Balancer FQDN>WebAuthSite.html), a request is sent to the NetScaler for the website.
-
As the Load Balancer is configured with authentication, it redirects user to authentication virtual server for authentication.
-
NetScaler responds with HTTP 302 with Location /logon/logonpoint/tmindex.html.
-
Client requests for /logon/logonpoint/tmindex.html.
-
NetScaler evaluates the Login schema (means to generate different authentication forms. More about login schema in the following section) settings and responds back to the client with the Authentication form.
-
User enters the user name, password and clicks on the Log on button to authenticate.
-
NetScaler constructs LDAP request and sends the request to the LDAP server for verification. Depending on the results from the LDAP server the NetScaler logic will perform appropriate action.
-
If the LDAP authentication fails, user is sent an appropriate message that describes the reason along with original login form.
-
If the LDAP authentication succeeds, then the NetScaler will verify the Next Factor settings. For this use case second factor does not have schema (pass-through). Passthrough factor implies that NetScaler will not prompt user for credentials but continue with previously obtained credentials. In this case, those are the ones obtained from first factor. So, NetScaler will evaluate the second factor for authentication policies.
-
-
If the second factor authentication policy evaluates to true, NetScaler crafts the Web authentication request and sends the request to back end Web authentication server, and takes appropriate action depending upon the response from server.
-
If the authentication succeed then the NetScaler will examine if any more Factors are defined. As in this case we have only configured second Factor, hence NetScaler completes authentication.
-
If the authentication fails, then NetScaler will send authentication failure to the user along with original authentication page.
-
-
On successful authentication NetScaler sends HTTP 200K with Set-Cookie NSC_TMAS and NSC_TMAA to the client.
Login form that users see can be rendered by the following xml blob. Labels and other fields can be customized as highlighted. Following is the example used for this specific representation of logon form:
Note: You can download the XML file from this article’s attachment.
<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1" ><Status >success </Status><Result >more-info</Result><StateContext/><AuthenticationRequirements><PostBack> /nf/auth/doAuthentication.do</PostBack ><CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>Enter Login Name:</Text><Type>plain</Type></Label><Input><AssistiveText>Please supply either username as saamaccountname</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>Password:</Text><Type>plain</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>Please submit LDAP Credntials to continue Login ...</Text><Type>confirmation</Type></Label><Input /></Requirement><Requirement><Credential><ID>saveCredentials</ID><Type>savecredentials</Type></Credential><Label><Text>Remember my password</Text><Type>plain</Type></Label><Input><CheckBox><InitialValue>false</InitialValue></CheckBox></Input></Requirement><Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement></Requirements></AuthenticationRequirements></AuthenticateResponse>
All the customizable portions of the logon form are highlighted. Administrators can modify these values to suit their needs.
Configuration Through Visualizer:
1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add
2. Click on the + sign to add the nFactor Flow
3. Add Factor, this will be the name of the nFactor Flow
4. Add the schema for the first Factor by clicking on the Add Schema.
5. Choose the Schema for First Factor, that is Single Auth.
6. By clicking on add policy Add Policy for LDAP for the first factor
For more information on creating LDAP Authentication see ,Configuring LDAP Authentication
7. By clicking on green + sign add the Second factor
8. Another Factor box will be created to add the schema and Web Auth Policy, this is the Second Factor.
9. Following steps 4 and 5 add LSCHEMA_INT for pass-through schema and Web Auth Policy as shown below:
For more information on WebAuth Policy see, Web Authentication Policies
10. Click on Done. This will automatically save the configuration.
11. Select the nFactor Flow just created and bind it to a AAA Virtual Server by clicking on Bind to Authentication Server and the Create
NOTE : Bind and Unbind the nFactor Flow through the option given in nFactor Flow under Show Bindings only.
To unbind the nFactor Flow:
1. Select the nFactor Flow and Click on Show Bindings
2. Select the Authentication VServer and Click Unbind
Policies for this use case
Traffic Management:
add lb vserver LB-NFactor SSL 10.217.217.240 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost ION63.xmdfa.nsi-test.com -Authentication ON -authnVsName auth-NFactor
Authentication Virtual Server:
add authentication vserver auth-NFactor SSL 10.217.217.251 443 -AuthenticationDomain xmdfa.nsi-test.com
bind authentication vserver auth-NFactor -policy LDAP-loginSchema-pol -priority 1 -gotoPriorityExpression END
bind authentication vserver auth-NFactor -policy LDAPXMDFA-AdvPolicy -priority 2 -nextFactor WebAuth-Pol-Label -gotoPriorityExpression NEXT
LDAP Policy:
add authentication ldapAction XMADDFAIP -serverIP 10.217.217.5 -serverPort 636 -ldapBase “dc=xmdfa,dc=nsi-test,dc=com” -ldapBindDn administrator@xmdfa.nsi-test.com -ldapBindDnPassword e16dca9ac052375bb87fa4dd41e62f9fc85d96e52c3ebb5a7e7227ffd1424e46 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName cn -secType SSL -ssoNameAttribute sAMAccountName -passwdChange ENABLED -defaultAuthenticationGroup ch.etit.hedani.net_SSODomainSet -Attribute1 mail
add authentication Policy LDAP-XMDFA -rule true -action XMADDFAIP
Web Auth policy:
add authentication webAuthAction webAuthXMDFA -serverIP 10.217.217.5 -serverPort 80 -fullReqExpr q{“GET / HTTP/” + http.req.version.major + “.” + http.req.version.minor.sub(1) + “rnAccept:*/*rnhost:nsi-dc1-2008.nsi-test.comrn” + “Authorization:” + “”Basic “+ (HTTP.REQ.USER.NAME.append(“:”).APPEND(http.req.user.passwd).B64ENCODE)rnrn”} -scheme http -successRule “http.res.status.eq(200)”
add authentication webAuthPolicy WebAuthXMDA-pol1 -rule ns_true -action webAuthXMDFA
add authentication Policy WebAuth2-Advance -rule true -action webAuthXMDFA
add authentication policylabel WebAuthNoschema -loginSchema No-Schema-Passthrough
bind authentication policylabel WebAuth-Pol-Label -policyName WebAuth2-Advance -priority 2 -gotoPriorityExpression NEXT
The preceding configuration describes adding a Traffic Management virtual server for resource access, adding Authentication virtual server for securing Traffic Management virtual server, and relevant policies for this use-case. The portions highlighted in Yellow are to be replaced with appropriate authentication policies by the administrators. The GOTO Priority expression by default is NEXT, so that we fall down to the next policy if it fails.
Important ns.log messages
Jul 31 18:54:56 <local0.debug> 127.0.0.2 08/01/2015:01:54:56 GMT 0-PPE-2 : default SSLVPN Message 727 0 : "core 2: ns_get_username_password: loginschema gleaned is LDAP-Auth "Jul 31 18:54:56 <local0.debug> 127.0.0.2 08/01/2015:01:54:56 GMT 0-PPE-2 : default SSLVPN Message 728 0 : "aaad_authenticate_req: copying policylabel name auth-NFactor to aaa info, type 33 for auth "Jul 31 18:54:56 <local0.debug> 127.0.0.2 08/01/2015:01:54:56 GMT 0-PPE-2 : default AAATM Message 729 0 : "copying next factor WebAuth-Pol-Label in aaa info for administrator "Jul 31 18:54:56 <local0.debug> 127.0.0.2 08/01/2015:01:54:56 GMT 0-PPE-0 : default AAATM Message 716 0 : "mp creating session on 0, pck 0, state 8"Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 730 0 : SPCBId 667 - ClientIP 10.252.113.101 - ClientPort 56655 - VserverServiceIP 10.217.217.251 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session NewJul 31 18:55:56 <local0.info> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 731 0 : "LOGIN: CGI/LOGIN: Continuing auth for user administrator at factor WebAuth-Pol-Label with login schema WebAuth"Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 732 0 : "aaad_authenticate_req: copying policylabel name WebAuth-Pol-Label to aaa info, type 65 for auth "Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default AAATM Message 733 0 : "Authentication delegated to Packet engine for administrator, trying to find appropriate action with bitmask 1 "Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default AAATM Message 734 0 : "Authentication delegated to Packet engine for administrator, chosen action is webAuthXMDFA "Jul 31 18:55:56 <local0.info> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 735 0 : "WEBAUTH: AAAD delegated WebAuth to Packet Engine, beginning web authentication"Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 736 0 : "WEBAUTH: Primary webauth request being tried, action: webAuthXMDFA "Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 737 0 : "WEBAUTH: Successfully sent webauth request, GET / HTTP/1.0^M Accept:*/*^M host:nsi-dc1-2008.nsi-test.com^M Authorization:"Basic "+ (HTTP.REQ.USER.NAME.append(":").APPEND(http.req.user.passwd).B64ENCODE)^M ^M "Jul 31 18:55:56 <local0.info> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 738 0 : "WEBAUTH: Response from server 0x5d9d90a: response type 401 header len 246 contentlen 1293 payload HTTP/1.1 401 Unauthorized^M Content-Type: text/html^M Server: Microsoft-IIS/8.5^M WWW-Authenticate: Basic realm="nsi-dc1-2008.nsi-test.com"^M X-Powered-By: ASP.NET^M Date: Sat, 01 Aug 2015 09:55:55 GMT^M Connection: keep-alive^M Content-Length: 1293^M ^M <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">^M <html xmlns="http://www.w3.org/1999/xhtml">^M <head>^M <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>^M <title>401 - Unauthorized: Access is denied due to invalid credentials.</title>^M <style type="text/css">^M <!--^M body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}^M fieldset{padding:0 15px 10px 15px;} ^M h1{font-size:2.4em;margin:0;color:#FFF;}^M h2{font-size:1.7em;margin:0;color:#CC0000;} ^M h3{font-siJul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 739 0 : "WEBAUTH: Evaluating success rule for primary webauth action webAuthXMDFA "Jul 31 18:55:56 <local0.debug> 127.0.0.2 08/01/2015:01:55:56 GMT 0-PPE-2 : default SSLVPN Message 741 0 : "WEBAUTH: Primary webauth request being tried, action: webAuthXMDFA "
Related:
How to Configure EULA as an Authentication Factor in NetScaler nFactor
EULA Flow
End user logon flow with EULA is depicted in below picture. In this flow, existing ‘first factor’ is moved to after the EULA. EULA becomes a first/vserver profile with previous first-factor becoming a second factor.
nFactor Flow Presentation
The setup can also be created through nFactor Visualizer present in ADC version 13.0 and above.
Configuration through CLI
Step1: Copy eula.xml to /nsconfig/loginschema on your NetScaler. Actual XML file is available in Addendum
Step 2: add a loginschema for EULA
add authentication loginSchema eulaschema -authenticationSchema eula.xmladd authentication loginSchemaPolicy eula_schema -rule true -action eulaschemabind authentication vserver auth -policy eula_schema -priority 5
Step 3: add authentication factor as a secondary factor
add authentication loginSchema single_auth -authenticationSchema "LoginSchema/SingleAuth.xml"add authentication policylabel single_factor -loginSchema single_authbind authentication policylabel single_factor -policyName ldap-adv -priority 5
Step 4: add no-auth policy at the vserver cascade
add authentication Policy noauth_pol -rule "http.req.url.contains("/nf/auth/doAuthentication.do")" -action NO_AUTHNbind authentication vserver auth -policy noauth_pol -priority 1 -nextFactor single_factor -gotoPriorityExpression NEXT
Screenshots
Below is the screenshot of the EULA that is configured at vserver as a factor.
Below is the screenshot for the authentication factor (dual factor in this case).
Configuration through Visualizer:
1. Go To Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click on Add
2. Click on the + sign to add the nFactor Flow
3. Add Factor, this will be the name of the nFactor Flow
4. Add the schema for the First Factor by clicking on the Add Schema and then Add
5. Create a EULA_Schema by selecting the eula.xml login schema
6. Choose the Schema for First Factor, that is the EULA
7. Click on Add Policy and then add to Create Authentication Policy for NO_AUTHN.
8. By clicking on green + sign add the next Factor that is Dual Authentication (LDAP+RADIUS)
9. Again, add the schema for the Second Factor by clicking on the Add Schema and then Add
10. Create a Dual_Auth Schema by selecting the DualAuth.xml login schema and then clicking Create
11. Click on Add Policy and then add to Select Policy for LDAP Authentication
For more information on creating LDAP Authentication see, Configuring LDAP Authentication
12. Click on blue colored plus sign to add the Second Authentication
13. Click Add to select the policy for the RADIUS Authentication
For more information on creating RADIUS Authentication see, Configuring RADIUS Authentication
14. Click on Done this will automatically save the configuration.
15. Select the nFactor Flow just created and bind it to a AAA Virtual Server by clicking on Bind to Authentication Server and then Create
NOTE : Bind and Unbind the nFactor Flow through the option given in nFactor Flow under Show Bindings only.
To unbind the nFactor Flow:
1. Select the nFactor Flow and Click on Show Bindings
2. Select the Authentication VServer and Click Unbind
2. Select the Authentication VServer and Click Unbind
Addendum
Here is the loginSchema used for this example. Care should be taken when copying text from web browser as certain quotes are rendered differently. Readers are advised to copy below schema in text editor to normalize quotes.
NOTE: This login Schema is present in NetScaler version 13.0 and need not be created separately.
<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"><Status>success</Status><Result>more-info</Result><StateContext></StateContext><AuthenticationRequirements><PostBack>/nf/auth/doAuthentication.do</PostBack><CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement><Credential><Type>none</Type></Credential><Label><Text>End User License Agreement</Text><Type>heading</Type></Label><Input /></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>Protecting Gateway's information and information systems is the responsibility of every user of Gateway.</Text><Type>plain</Type></Label><Input /></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>This computer, including any devices attached to this computer and the information systems accessed from this point contain information which is confidential to Organization. Your activities and use of these facilities are monitored and recorded. They are not private and may be reviewed at any time. Unauthorised or inappropriate use of Organization's Information Technology facilities, including but not limited to Electronic Mail and Internet services, is against company policy and can lead to disciplinary outcomes, including termination and/or legal actions. Use of these facilities confirms that you accept the conditions detailed in Organization's Group Information Security Policy and Organization's Code of Conduct.</Text><Type>plain</Type></Label><Input /></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>Use of these facilities confirms that you accept the conditions detailed in Organization's Group Information Security Policy and Organization's Code of Conduct.</Text><Type>plain</Type></Label><Input /></Requirement><Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Continue</Button></Input></Requirement></Requirements></AuthenticationRequirements></AuthenticateResponse>
Related:
Add multiple Basic Authentication LDAP policies/servers to Gateway or LB VIP
The best way to add additional LDAP servers for authentication is to add another LDAP Authentication Policy which is associated with another LDAP server and then bind that new policy to your Gateway or LB VIP.
This article only works with Basic Authentication with LDAP but if you have an Authentication Profile on Gateway the process below will not work.
For Basic Authentication Policies with LDAP:
Log into the Netscaler GUI.
Click on “Citrix Gateway” (or Traffic Management -> Load Balancing) -> Virtual Server -> select your virtual server where you wish to add more LDAP servers.
Under “Basic Authentication” click on the LDAP Policy (If no policy exists you will create one here). Select the policy and click “Edit Server”. Make sure to copy the settings so that they are the same on the second LDAP server/policy you are about to create. Click Close.
For the existing Policy, write down the Priority value. You will want this to be the same for the new LDAP servers unless you specifically want a lower priority.
Select “Add Binding”. Change the Priority to match the one you just wrote down. Then click “Add” next to “Select Policy”
Create a Name for the policy. Make the Expression in the lower box: NS_TRUE
Click on “Add” next to Server selection box. Add all the server details for the second LDAP server. They should all be the same except for the IP address of the new server. Click on “Create”.
Click “Create” on the LDAP Policy page to create the policy with the new server.
Click on “Bind” to bind the policy with the set priority.
Now you should see two LDAP policies with the same priority and different policy names.
Next to Select Policy press the “Add” button and on the next screen click “Add’ to create a new LDAP policy.
PLEASE NOTE: These LDAP policies will NOT Round Robin. The first LDAP server will always be used unless it cannot authenticate, it goes down, or is otherwise unavailable. Only then will the second LDAP server be used.
Related:
ProxySG | LDAP authentication multiple domain in 1 forest
I need a solution
Dear All,
Can I ask if ProxySG (VM) can do LDAP authentication in a multiple domain in 1 forest?
For example, customers have domain A and domain B, which are in the same forest, and there is a case sometimes where there is a user at the branch A to temporarily move to working at branch B.
So still want Authentication and receiving the policy that box proxy on the branch B, like the branch A
(ProxySG Appliances of customers are located in both branches)
Please recommend solution for this case.
If you would like more information please let me know.
Thank you so much for your help.
Best Regards,
Chakuttha R.
0
Related:
“Failure – Probe time out” When Configuring Citrix ADC LDAP Monitor for Service Group
It is a best practice to reduce the returned values to a small number. For Active Directory LDAP systems the filter can be set to cn=Builtin that returns minimal results.
To make this change using ADCGUI, go to Traffic Management > Load balancing > Monitors > edit the LDAP Monitor and add CN=Builtin as filter.
To make this change using ADC CLI:
add lb monitor MonitorName -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password password -encrypted -encryptmethod ENCMTHD_3 -LRTM ENABLED -baseDN "DC=dom,DC=com" -bindDN "CN=UserName,OU=CustomOU,DC=com,DC=com" -filter CN=Builtin
Related:
How to hide secondary password field for login page of NetScaler Gateway
Create the following rewrite policy and action to hide secondary password field from NetScaler Login page.
Please follow the below steps, to match the configuration that worked to remove the secondary password field:
1. Open your NS GUI, click on Configuration and open the NetScaler Gateway section.
2. Go to your Gateway vServer and open the Policies menu.
3. Click on the + button.
4. Choose Policy “Rewrite” and Choose Type “Response” , exactly the same as the image below :
5. Go to Policy Binding and Click on Add.
6. Edit the fields of the Rewrite Policy like in the image below, with the expression “HTTP.REQ.HEADER(User-Agent).CONTAINS(AGEE).NOT” :
7. At the Action field, click on Add bottom.
8. Create the Action like in the image below, with the following expression “pwcount= + 1” :
9. Click on Create bottom, with the Remove_Password_Action selected in the Action field.
10. Bind the policy to the Gateway vServer.
11. Click on Done, save the configuration and Test.
Working with Browser :
This rewrite policy works with Web Browser, however it will not functions the same with Receiver.
Resolution:
NOTE: Remember that the “Rewrite” Basic Feature have to be enabled on the NetScaler, to use this policy.
if you use solution below then users are unable to change password if LDAP prompts for it.
If we want to disable the RSA field on first screen on Web Browser as well as on Receiver window ( Including Windows / MAC / IOS / Android ) Receiver , apply the below changes under the LDAP server profile as mentioned in the screenshot :
Uncheck the Authentication tab if its already checked, and then you will find your LDAP logon on logon page and RSA token is on another page separately.
Related:
Server side template injection owasp
It can happen when you pass unfiltered data to the SQL server (SQL injection), to the browser (XSS – we’ll talk about this later), to the LDAP server …