Table of Contents
Disclaimer
Citrix isn’t supporting this way of configuration for a full-feature usage of nFactor with a Standard License. The following content is for testing / lab purposing only. Don’t put this in production!
Overview
Starting from release 13.0 build 67.x, nFactor authentication is supported with Standard license only for Gateway/VPN virtual server.
There are also some important limitations you should consider about. It’s the same for CLI and GUI, you aren’t able to create new login schemas. But in this Blogpost I will show you some configuration possibilities to bypass these restrictions.
Configuration
As you aren’t able to create new Loginschema profiles or policies, you have to use what NetScaler brings on default:
But there’s an annoying thing, right?! That’s basically not enough to play around with some nFactor capabilities 🙂 What’s the trick to extend the default authentication schemas?
Just create your own XML or make a copy of your favorite one on the default directory /nsconfig/loginschema/LoginSchema as there are lots of more available:
Rename your customized xml to one of the existing, where a Profile is already created for, so it’s getting overwritten:
You have to restart the NetScaler Appliance to make sure your xml is written to flash. Now you are able to use the mapped Loginschema Policies to create your Advanced Authentication Policy Labels.
Here’s a quick example of a nFactor flow with NetScaler Standard License. Everything is marked red because of “not licensed” but it’s working fine.
Summary
The biggest disadvantage is the naming convention. You have to make notes on yourself which named xml and policy is responsible for which nFactor flow. For example the existing “SingleAuthDeviceID.xml” could technically be a “OnlyUsername.xml”.
This works also with a VPX 50 (Gateway only) + additionally installed good old VPX Express License. Again, for testing / lab purposing only!
Also you have to watch out when doing firmware updates, as you have to replace the xml files, again.