
netscaler gateway nfactor ldap/ radius



Hello,

NetScaler 13.0

I have 2 domains.

Domain A uses LDAP and RADIUS.

Domain B uses LDAP and RADIUS.

Both use the same logon point on the NetScaler.

Users need to log on with domain\username.

I need to use nFactor because of the domain\username. But how can I set this up?

I assume I need to make a decision rule: if you are from domain A, go to LDAP server and RADIUS server.

I have tried several step-by-steps, but because it is for access to StoreFront there are also exceptions...

Can someone point me in the right direction?

Let me know if I need to give more info; I will be working on the issue tomorrow.

 

 


There are multiple ways to do what you want, but a little more info would narrow down the options to make it better for you. Are there just two scenarios, OR within each domain additional groups that need to go to different StoreFront URLs...?

Also, which references are you stitching together? There may be easier ways to solve your problem.

You are solving two problems:

a) How to log in users from either domain using the "domain\username" format, OR switch to a domain drop-down or UPN logon format to distinguish domain A from domain B users. Once we can distinguish users or groups, the next part is usually straightforward.

b) Based on domain OR group membership, identify the correct StoreFront session policy to invoke (related: how to pass the domain to StoreFront, which is a session policy OR traffic policy).

If you haven't solved (a) first, then looking at whether you have to stay in domain\username or switch to a domain drop-down list or other mechanism to just do the multi-domain login is the first thing to decide. And the domain drop-down is easiest.

If you have solved (a) and just need to solve (b), then this is usually group membership, or we use something called an authentication group (in some cases an authorization group) assigned during completion of the authentication policy.

Once we know which group or groups are involved and how to distinguish them, then you just trigger different session policies (and maybe traffic policies) to invoke the correct store and correct SSO domain.


Hello, I am missing a bit of basic stuff, I think...

I am getting it to work with a drop-down logon schema, but only for one domain.

I have 2 LDAP policies based on sAMAccountName; that's question 1: can I use this?

1 policy goes to domain A, 1 policy to domain B.

Then I have a decision block where I use the expression

HTTP.REQ.BODY(500).AFTER_STR("domain=").CONTAINS("domainA")

It does not work!

My understanding is that if this decision is true it will go to the next step, a RADIUS auth.

 

 

[Attachment: Knipsel1.JPG]

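The approach the earlier reply outlines (distinguish the domain first, then run that domain's LDAP and RADIUS factors, then let group membership select the StoreFront session policy), written out as an added NetScaler 13.0 CLI example. This is not configuration from this thread or from the original poster; every name, IP address, password placeholder and file path is an assumption. It assumes a custom drop-down login schema at /nsconfig/loginschema/DomainDropDown.xml whose domain ComboBox submits the values "domainA" and "domainB" in a credential with ID "domain", and it reads that selection with AAA.LOGIN.DOMAIN rather than by parsing the POST body; confirm on the appliance that the expression matches the value your schema actually submits.

```nscli
# Added example, not configuration from the thread. Hypothetical names, IPs,
# secrets (<secret>) and paths. Assumes /nsconfig/loginschema/DomainDropDown.xml
# offers the values "domainA" and "domainB" in a credential with ID "domain".

# --- Factor 1: one schema collects user name, password and domain ------------
add authentication loginSchema dropdown_schema -authenticationSchema "/nsconfig/loginschema/DomainDropDown.xml"
add authentication loginSchemaPolicy dropdown_schema_pol -rule true -action dropdown_schema

# --- Per-domain LDAP actions over LDAPS; the default authentication group -----
# --- tags the session so the session policies below can tell the domains apart
add authentication ldapAction ldap_domainA -serverIP 10.0.1.10 -serverPort 636 -secType SSL -ldapBase "dc=domaina,dc=local" -ldapBindDn "cn=svc-ns,ou=service,dc=domaina,dc=local" -ldapBindDnPassword <secret> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName -defaultAuthenticationGroup domainA_users
add authentication ldapAction ldap_domainB -serverIP 10.0.2.10 -serverPort 636 -secType SSL -ldapBase "dc=domainb,dc=local" -ldapBindDn "cn=svc-ns,ou=service,dc=domainb,dc=local" -ldapBindDnPassword <secret> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName -defaultAuthenticationGroup domainB_users
add authentication Policy ldap_pol_A -rule true -action ldap_domainA
add authentication Policy ldap_pol_B -rule true -action ldap_domainB

# --- Per-domain RADIUS actions ------------------------------------------------
add authentication radiusAction radius_domainA -serverIP 10.0.1.20 -serverPort 1812 -radKey <secret> -passEncoding pap
add authentication radiusAction radius_domainB -serverIP 10.0.2.20 -serverPort 1812 -radKey <secret> -passEncoding pap
add authentication Policy radius_pol_A -rule true -action radius_domainA
add authentication Policy radius_pol_B -rule true -action radius_domainB

# --- Factor 3 labels: RADIUS, prompting only for the OTP (built-in schema) ----
add authentication loginSchema otp_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel radius_A_label -loginSchema otp_schema
bind authentication policylabel radius_A_label -policyName radius_pol_A -priority 100 -gotoPriorityExpression END
add authentication policylabel radius_B_label -loginSchema otp_schema
bind authentication policylabel radius_B_label -policyName radius_pol_B -priority 100 -gotoPriorityExpression END

# --- Factor 2 labels: LDAP, reusing the credentials collected in factor 1 -----
# --- (LSCHEMA_INT is the built-in "noschema", so no second prompt is shown) ---
add authentication policylabel ldap_A_label -loginSchema LSCHEMA_INT
bind authentication policylabel ldap_A_label -policyName ldap_pol_A -priority 100 -gotoPriorityExpression NEXT -nextFactor radius_A_label
add authentication policylabel ldap_B_label -loginSchema LSCHEMA_INT
bind authentication policylabel ldap_B_label -policyName ldap_pol_B -priority 100 -gotoPriorityExpression NEXT -nextFactor radius_B_label

# --- Decision policies: route on the submitted domain, authenticate nothing ---
add authentication Policy decide_domainA -rule "AAA.LOGIN.DOMAIN.EQ(\"domainA\")" -action NO_AUTHN
add authentication Policy decide_domainB -rule "AAA.LOGIN.DOMAIN.EQ(\"domainB\")" -action NO_AUTHN

# --- AAA vserver: bind the schema, then the decision block --------------------
add authentication vserver auth_vs SSL 0.0.0.0
bind authentication vserver auth_vs -policy dropdown_schema_pol -priority 100 -gotoPriorityExpression END
bind authentication vserver auth_vs -policy decide_domainA -priority 100 -nextFactor ldap_A_label -gotoPriorityExpression NEXT
bind authentication vserver auth_vs -policy decide_domainB -priority 110 -nextFactor ldap_B_label -gotoPriorityExpression NEXT
# A submission that matches neither decision policy falls through and is denied.

# --- Gateway: delegate to auth_vs; pick store URL and SSO domain by group -----
add authentication authnProfile nfactor_prof -authnVsName auth_vs
set vpn vserver gw_vs -authnProfile nfactor_prof
add vpn sessionAction sess_domainA -transparentInterception OFF -SSO ON -icaProxy ON -wihome "https://storefront.example.com/Citrix/StoreWeb" -ntDomain domaina.local -defaultAuthorizationAction ALLOW
add vpn sessionAction sess_domainB -transparentInterception OFF -SSO ON -icaProxy ON -wihome "https://storefront.example.com/Citrix/StoreWeb" -ntDomain domainb.local -defaultAuthorizationAction ALLOW
add vpn sessionPolicy sess_pol_A "AAA.USER.IS_MEMBER_OF(\"domainA_users\")" sess_domainA
add vpn sessionPolicy sess_pol_B "AAA.USER.IS_MEMBER_OF(\"domainB_users\")" sess_domainB
bind vpn vserver gw_vs -policy sess_pol_A -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver gw_vs -policy sess_pol_B -priority 110 -gotoPriorityExpression NEXT -type REQUEST
```

Two points worth checking when adapting this. The decision policies use NO_AUTHN, so they never fail on their own; if a user is sent to the wrong LDAP or RADIUS server, it is the drop-down value and the decision expression that disagree, and tailing /tmp/aaad.debug from the appliance shell while logging in shows which action is actually called and why it fails. The session policies above key off the default authentication group set by each LDAP action rather than off the domain string, which is the mechanism the reply calls an authentication group; if different AD groups within a domain need different stores, bind additional session policies with IS_MEMBER_OF rules for those groups at a lower priority number so they win.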

On 11/17/2021 at 1:53 AM, Rhonda Rowland1709152125 said:


Do you need more information?
