Julian Jakob, posted June 24, 2019

Hi,

I've created an nFactor config with the following auth factors:
- If a user cert is available, the ADC adopts the username extracted from the UPN in the cert + LDAP password.
- If no user cert is available, the ADC shows the Gateway login for username + LDAP password + RADIUS.

I have configured this several times following George's guide, see https://www.jgspiers.com/nfactor-authentication-with-netscaler-gateway/

The only two things that have changed now are the ADC build version (latest 12.1) and that I edited the XML and replaced ${HTTP.REQ.USER.NAME} with ${AAA.USER.NAME}. Attached is my XML sheet for the CertExtract Login Schema.

Using Internet Explorer from a non-corp device (no user cert), nFactor works fine and I have to log in with the second factor, RADIUS.

Using Google Chrome or Firefox from a non-corp device (no user cert), nFactor does not work correctly: the username is filled with "Anonymous" and fixed out, so the fallback to my second factor (RADIUS) does not seem to work. Screenshot attached. It's not possible to get the second factor or log on.

Logs in correct order:
- default SSLVPN Message 88426 0 : "Created nFactor session for user j_jakob"
- default AAA LOGIN_FAILED 88429 0 : User j_jakob - Client_ip XXX - Failure_reason "External authentication server denied access"
- default SSLVPN Message 82930 0 : "Created nFactor session for user Anonymous"

Why is it even possible to create a session for "Anonymous"? Any ideas? I think the problem is on the browser side, but why? What's different between IE and Chrome / Firefox?

Thanks and best regards,
Julian

Attachment: CertExtract_New.xml
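The three log lines quoted in the post are the observable symptom of the broken fallback: a named session, a LOGIN_FAILED, then a session for the literal user "Anonymous" (what ${AAA.USER.NAME} yields when the cert factor produced no name). The following detection logic, added here as an example and not part of the original post or of any Citrix tooling, parses lines in that format and flags every "Anonymous" session together with the preceding failed account; the sample log is constructed from the post's lines with a placeholder client IP.

```python
import re
from typing import Dict, List, Optional, Tuple

# Patterns modelled on the ns.log lines quoted in the post:
# "default <module> <event> <msgid> 0 : <body>".
SESSION_RE = re.compile(r'^default SSLVPN Message (?P<id>\d+) 0 : '
                        r'"Created nFactor session for user (?P<user>\S+)"$')
FAILED_RE = re.compile(r'^default AAA LOGIN_FAILED (?P<id>\d+) 0 : User (?P<user>\S+) - '
                       r'Client_ip (?P<ip>\S+) - Failure_reason "(?P<reason>[^"]*)"$')

def parse_line(line: str) -> Optional[Tuple[int, str, str, str]]:
    """Return (msg_id, kind, user, failure_reason) or None for other lines."""
    m = SESSION_RE.match(line.strip())
    if m:
        return (int(m["id"]), "session", m["user"], "")
    m = FAILED_RE.match(line.strip())
    if m:
        return (int(m["id"]), "login_failed", m["user"], m["reason"])
    return None

def find_anonymous_sessions(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every nFactor session created for the literal user 'Anonymous'.
    That user name means ${AAA.USER.NAME} in the Login Schema resolved to
    nothing: the certificate factor gave no name and the fallback to the
    password/RADIUS factor did not engage. Lines are read in arrival order
    (the post's message ids are not monotonic); the most recent LOGIN_FAILED
    is attached so the affected account can be identified.
    """
    findings: List[Dict[str, object]] = []
    last_failed = None
    for ev in filter(None, map(parse_line, lines)):
        msg_id, kind, user, reason = ev
        if kind == "login_failed":
            last_failed = (user, reason)
        elif kind == "session" and user == "Anonymous":
            findings.append({"msg_id": msg_id,
                             "prior_failed_user": last_failed[0] if last_failed else None,
                             "prior_reason": last_failed[1] if last_failed else None})
            last_failed = None  # one failure explains one Anonymous session
    return findings

# Constructed sample: the post's three lines (client IP is a placeholder)
# plus an unrelated healthy login that must not be flagged.
SAMPLE_LOG = [
    'default SSLVPN Message 88426 0 : "Created nFactor session for user j_jakob"',
    'default AAA LOGIN_FAILED 88429 0 : User j_jakob - Client_ip 203.0.113.10 - '
    'Failure_reason "External authentication server denied access"',
    'default SSLVPN Message 82930 0 : "Created nFactor session for user Anonymous"',
    'default SSLVPN Message 82931 0 : "Created nFactor session for user a_user"',
]
```

Run `find_anonymous_sessions` over a tail of ns.log to see how many cert-factor fallbacks are silently ending in "Anonymous" sessions rather than at the RADIUS prompt.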
Julian Jakob, posted July 5, 2019 (author)

Turns out that Chrome and Firefox support TLS 1.3, but only for web traffic. For cert-based auth there is a problem / mismatch with the three TLS 1.3 cipher suites from the ADC. I disabled TLS 1.3 on my Content Switch / AAA and only enabled TLS 1.2 -> works.