Adding a second factor

Our load-balancing vServer allows authenticated traffic. But is a single factor enough? During our project work we see a strong move towards using more than one factor for authentication, to raise security.

We want to see a second factor to meet security requirements. To keep things simple, we use local authentication as the second factor.

Requirements: This lab requires the authentication lab.

Creating a local AAA user

We need to create a local user with the same username as the domain user, but a different password. My domain user is johannes.norz, so I will create a local AAA user on this Citrix ADC/NetScaler; the password will be 1234.

Navigate to Security → AAA-Application Traffic → Users. Click Add.

Creating a NetScaler AAA user

Give this user a name, uncheck External Authentication and specify a password. That’s all.

Creating a multifactor authentication structure

The logon dialogue for the second factor

Every factor needs a logon dialogue. There is a designer built into Citrix ADC.

Navigate to Security → AAA-Application Traffic → Login Schema. Click Add.

Give your schema a name. Add a profile by clicking Add.

NetScaler: Designing a logon dialogue

Give this profile a name and click the little pencil. A folder containing built-in schemas will pop up. Click the folder to see the schemas.

Select the schema OnlyPassword.xml. You may change the layout, add text and change labels for all supported languages by clicking Edit.

NetScaler: Design a logon dialogue

After finishing, click Select and then Create.

Now type true into the policy rule field and click Create to close the Create Authentication Login Schema Policy dialogue.

Congratulations, you just created your first logon dialogue!

The policy label

Factors in n-factor authentication always consist of a policy label containing one or more logon policies and the login schema policy. Every factor is a policy label of its own.

Navigate to Security → AAA-Application Traffic → Authentication → Advanced Policies → Policy Label. Click Add.

Creating a policy label for n-factor authentication

Give this label a name, select the login schema profile created in the step before, and click Continue.

NetScaler: Binding policies into a policy label (n-factor authentication)

Bind the local authentication policy created during the previous lab into this label. Click Done.

Invoking this policy label

Every factor has to be invoked by the previous factor. That is true for our "new" factor as well.

Open the AAA vServer (Security → AAA-Application Traffic → Virtual Servers).

Citrix ADC / NetScaler: Binding a next factor (n-factor authentication)

Open the authentication policy binding.

NetScaler: Invoking a next factor

Click Edit Binding (or select the policy and choose Edit Binding from the Action drop-down box).

NetScaler: Binding or invoking

Click Select Next Factor and select the policy label created in the step before. Click Bind.

Surf to your load-balancing vServer. You should see a logon dialogue like before, followed by a second dialogue after logging on successfully. The password for this second dialogue is the password of your local user. Logon should work like before, but this time using a second factor.
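The same configuration entered at the NetScaler CLI, as an added example that is not part of the original lab or of Citrix's documentation. The object names (ls_OnlyPassword, lsp_OnlyPassword, plabel_local, the AAA vServer aaa_vs_lab, the first-factor policy pol_ldap and the local policy pol_local) are assumed placeholders; substitute the names you used in the authentication lab. The path of the built-in schema is the location the appliance ships it in.

```nscli
# Added example: the GUI steps of this lab as NetScaler CLI commands.
# aaa_vs_lab, pol_ldap and pol_local are assumed placeholders for objects
# created in the earlier authentication lab.

# 1. Local AAA user: same name as the domain user, its own password.
add aaa user johannes.norz -password 1234

# 2. Login schema for the second factor, built from the built-in
#    OnlyPassword.xml, and a schema policy that always applies (rule true).
add authentication loginSchema ls_OnlyPassword -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication loginSchemaPolicy lsp_OnlyPassword -rule true -action ls_OnlyPassword

# 3. Policy label = the second factor: login schema plus the local policy.
add authentication policylabel plabel_local -loginSchema ls_OnlyPassword
bind authentication policylabel plabel_local -policyName pol_local -priority 100 -gotoPriorityExpression NEXT

# 4. Invoke the label as next factor from the first-factor binding on the
#    AAA vServer (the existing binding is replaced by one that names the label).
unbind authentication vserver aaa_vs_lab -policy pol_ldap
bind authentication vserver aaa_vs_lab -policy pol_ldap -priority 100 -nextFactor plabel_local -gotoPriorityExpression NEXT

# 5. Check the resulting chain, then persist it.
show authentication vserver aaa_vs_lab
show authentication policylabel plabel_local
save ns config
```

OnlyPassword.xml prompts for a password only and carries the username over from the first factor, which is why the local user must have exactly the same name as the domain user. The output of `show authentication vserver` should list pol_ldap with plabel_local as its next factor; if the second dialogue does not appear, that binding is the first thing to check.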
