Mattias Karlsson Posted October 20, 2016

Hi

I have a NetScaler Gateway with two-factor authentication configured:
1 LDAP authentication policy bound as primary
1 RADIUS authentication policy bound as secondary (RSA token/SMS)

All works well, and when browsing to the VIP you see three fields: Username, Password1 (AD password), Password2 (RSA PIN or token). If entering the PIN for Password2, an SMS is sent and a new window is presented in which you enter the content of the SMS.

Now, the customer has a wireless network and asked me if it was possible to disable two-factor authentication when coming from this network. A good thing is that the VLAN for the wireless network sits behind a firewall with NAT, so all traffic hitting the VIP from this network has the same source IP.

So I alter the expression for the RADIUS policy to "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver && REQ.IP.SOURCEIP != (NAT IP from firewall)". I also create a rewrite policy that removes the Password2 field when coming from this source IP.

When trying to log on from this wireless network and entering username and password, I only get: "Contact your system administrator".

"nsconmsg -d current -g pol_hits" shows me that my LDAP policy activates when I log on. Weird thing is that "cat aaad.debug" is absolutely silent. If I remove the "REQ.IP.SOURCEIP != (NAT IP from firewall)" part from the expression and log on with two-factor, "cat aaad.debug" shows me how the LDAP and RADIUS policies approve the logon.

Any ideas?

Thanks
CarlStalhood Posted October 20, 2016

NetScaler Gateway vserver, in the Other Settings section, has a Listen Policy expression. Create two vservers on the same VIP/port, but with different Listen Policies (CLIENT.IP.SRC). One vserver has two-factor, the other does not.
Mattias Karlsson Posted October 20, 2016

Ok, cool! Thanks
Mattias Karlsson Posted December 1, 2016

Hi Carl. Are you really supposed to be able to do this? When I try to create a new vserver with the same VIP and port I get "resource already exists". I tried to first set a listen policy on my existing vserver, but I'm still not allowed to create a new one on the same VIP/port. Maybe I misunderstood you.

/Mattias
CarlStalhood Posted December 1, 2016

As long as both of them have listen policies, it should let you. I just tried it and it worked. Make sure the new one has a different name.
Mattias Karlsson Posted December 1, 2016

Does this require a certain version level, you think? I'm on 10.5 60.7. I did use a different name. I use the GUI, you probably don't.

/Mattias
CarlStalhood Posted December 1, 2016

GUI worked for me. Edit the original Gateway, go to Other Settings, and configure a Listen Expression similar to CLIENT.IP.SRC.IN_SUBNET(). Create a new Gateway on the same VIP/port. It should work.
Wim Guijt Posted May 8, 2018

On 10/20/2016 at 3:40 PM, Carl Stalhood1709151912 said:
"NetScaler Gateway vserver, in the Other Settings section, has a Listen Policy expression. Create two vservers on the same VIP/port, but with different Listen Policies (CLIENT.IP.SRC). One vserver has two-factor, the other does not."

Hi Carl,

I would ask you if you can explain this a little more. How can you create two vservers on the same VIP/port? We have one VPN virtual server.
For each user coming from network 221.x.x.x we will use only basic LDAP.
For each user coming from network 231.120.x.x we will use RADIUS with MFA.

Thanks for your help
Ray Davis Posted May 24, 2019

3 years old, figured I'd give it a shot. Trying to do the same thing here as wguijt. I can't create a second NSG VIP/port. It states "Resource already Exist". Carl, really not sure how exactly you did this?
Ray Davis1709159190 Posted May 24, 2019

Yeah, Carl was right. I finally did it. You have to create a listen policy on the existing NSG. Put something in the Listen expression box. Then it will allow you to copy the NSG/VIP/port. If you get "resource already in use", then you did not do this.
Louis Dodge Posted April 7, 2021

I was getting "Resource already Exist" until I unchecked DTLS on the new Virtual Server I was creating.
Ray Davis1709159190 Posted August 16, 2021

This works. When you create a copy of the Gateway, make sure you change something temporary. Example: give it a fake IP address so the resource is not the same. I do this at times.
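The two-vserver approach from Carl's replies, written out as NetScaler CLI configuration. This is an added example and not configuration posted by anyone in the thread: vserver, policy and certificate names are hypothetical, the VIP and the wireless NAT address are placeholders, and the DTLS setting follows Louis Dodge's note above. The key points are that both vservers carry a listen policy, the two expressions are mutually exclusive so a client can never match both, and the single-factor vserver is restricted to exactly one /32 (the firewall's NAT address), so nothing outside that network can reach the weaker path.

```text
# Placeholders (replace): VIP 203.0.113.10:443, wireless NAT address 198.51.100.25/32
# Hypothetical names: GW_2FA, GW_1FA, AUTH_LDAP_POL, AUTH_RADIUS_POL, SESSION_POL, GW_CERT

# 1. Existing two-factor gateway: give it a listen policy BEFORE creating the
#    second vserver, otherwise the add below fails with "resource already exists".
#    It listens for everything except the wireless NAT address.
set vpn vserver GW_2FA -listenpolicy "CLIENT.IP.SRC.IN_SUBNET(198.51.100.25/32).NOT" -listenpriority 20
bind vpn vserver GW_2FA -policy AUTH_LDAP_POL   -priority 100
bind vpn vserver GW_2FA -policy AUTH_RADIUS_POL -priority 100 -secondary

# 2. Second gateway on the SAME VIP and port, matched only for the wireless NAT address.
#    Lower listen priority number wins if expressions ever overlap; DTLS off per the thread.
add vpn vserver GW_1FA SSL 203.0.113.10 443 -listenpolicy "CLIENT.IP.SRC.IN_SUBNET(198.51.100.25/32)" -listenpriority 10 -dtls OFF
bind ssl vserver GW_1FA -certkeyName GW_CERT
bind vpn vserver GW_1FA -policy AUTH_LDAP_POL -priority 100
bind vpn vserver GW_1FA -policy SESSION_POL   -priority 100
# Note: no secondary (RADIUS) policy is bound here, so the logon page shows only
# Username and Password; no rewrite policy to hide Password2 is needed.

# 3. Check which vserver a session hit: listen policy hits show up alongside the
#    authentication policy hits the original poster was already watching.
show vpn vserver GW_1FA
nsconmsg -d current -g pol_hits
```

If the wireless network ever moves behind a different NAT address, both listen expressions must be updated together; otherwise the single-factor vserver silently stops matching and everyone falls back to two-factor, which is the safe direction to fail.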