AAA

Adding flexibility: 1 factor from iside, 2 factors from outside!

Posted on by Johannes Norz / 0 Comment

Requirements: This lab requires a load balancing vServer with n-factor authentication like proposed in the previous labs.

The goal

Users using a certain browser should use single-factor authentication, users of all other browsers require two factors.

We know, that’s a stupid setup, but it’s easy to test. A real-world setup would be: single-factor authentication from corporate LAN and two factors from outside, depending on IP ranges. The policy expression would be CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8) and CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8).NOT.

Changes to the existing LDAP Policy

We need changes to the existing LDAP policy, so it gets active if a user uses a browser different from FireFox.

Navigate to Security → AAA-Application Traffic → Policies → Authentication → Advanced Policies → Policy.
Select the existing LDAP policy and change the policy expression to HTTP.REQ.HEADER("User-Agent").CONTAINS("Firefox").NOT. (Chrome for Google’s chrome, Trident for MS-Internet Explorer and so on).

Point of this policy is: Users of non-FireFox browsers should use this policy only.

creating a 2nd LDAP policy

We also need a policy for FireFox users.

Keep the policy selected after updating the policy expression and click Add. This will create a copy of this policy. Give it a different name and remove .NOT from the policy expression. Click OK.

NetScaler: 2 2nd factor policy

Open the lb vServer and bind this policy as well.NetScaler: binding policies for variable numbers of factors

Testing

Try logging on using FireFox (or whichever browser you selected). It should be single-factor authentication. Choose a different browser. Authentication should be two factors.




Johannes Norz

Leave a Comment

Your email address will not be published. Required fields are marked *