Certbased Auth ADC setting "Anonymous" in Userfield in Chrome and FireFox

[Julian Jakob]

Hi,

 

I've created nFactor Config with the following auth factors:

 

- If Usercert is available, ADC is adopting the Username extracted from the UPN in the Cert + LDAP Password

- If no Usercert is available, ADC is showing Gateway Login for Username + LDAP Password + RADIUS

 

I configured this several times from George, see https://www.jgspiers.com/nfactor-authentication-with-netscaler-gateway/

 

The only two things which changed now are the ADC Buildversion (latest 12.1) and I edited the XML and replaced ${HTTP.REQ.USER.NAME} with ${AAA.USER.NAME}

 

Attached my XML Sheet for the CertExtract Login Schema.

 

Using Internet Explorer from a non-corp device (no Usercert) nFactor is working fine and I have to login with the second factor RADIUS.

 

Using Google Chrome or FireFox from a non-corp device (no Usercert) nFactor is not working correctly, Username is filled with "Anonymous" and fixed out. So the Fallback to my second factor (Radius) seems not to work. Attached a Screenshot. It's not possible to get the second factor or logon.

 

Logs in correct order:

 

- default SSLVPN Message 88426 0 : "Created nFactor session for user j_jakob"

- default AAA LOGIN_FAILED 88429 0 : User j_jakob - Client_ip XXX - Failure_reason "External authentication server denied access"

- default SSLVPN Message 82930 0 : "Created nFactor session for user Anonymous"

 

Why is this even possible to create a session for "Anonymous" ? Any Ideas? I think problem is on the browser-side, but why?... What's different between IE and Chrome / FireFox?

 

Thanks and Best Regards

Julian

CertExtract_New.xml

[Julian Jakob]

Turns out that Chrome and Firefox are supporting TLS 1.3, but only for Webtraffic. For using certbased Auth there is a problem / mismatch with the three TLS 1.3 Cipher Suites from the ADC.

 

Disabled TLS 1.3 on my Content Switch / AAA and only enable TLS 1.2 -> Works.