NetScaler – (Un)limited nFactor with Standard License


Disclaimer

Citrix doesn’t support this configuration approach for full-feature use of nFactor with a Standard license. The following content is for testing / lab purposes only. Don’t put this in production!

Overview

Starting from release 13.0 build 67.x, nFactor authentication is supported with a Standard license, but only for Gateway/VPN virtual servers.

There are also some important limitations to consider. They are the same in the CLI and the GUI: you aren’t able to create new login schemas. In this blog post I will show you some configuration possibilities to bypass these restrictions.

nFactor Standard license limitations

Configuration

As you aren’t able to create new Loginschema profiles or policies, you have to use what NetScaler ships by default:

Default NetScaler Loginschema Profiles

But there’s an annoying thing, right?! That’s basically not enough to play around with some nFactor capabilities 🙂 What’s the trick to extend the default authentication schemas?

Just create your own XML or make a copy of your favorite one in the default directory /nsconfig/loginschema/LoginSchema, as there are many more available there:

Default Loginschema XML Templates

Rename your customized XML to the name of an existing file for which a profile has already been created, so that the existing file gets overwritten:

Default Authentication Schema Profiles to overwrite

You have to restart the NetScaler Appliance to make sure your xml is written to flash. Now you are able to use the mapped Loginschema Policies to create your Advanced Authentication Policy Labels.

Here’s a quick example of an nFactor flow with a NetScaler Standard license. Everything is marked red because of “not licensed”, but it’s working fine.

nFactor Flow with Standard License

Summary

The biggest disadvantage is the naming convention. You have to keep notes yourself on which XML file name and policy is responsible for which nFactor flow. For example, the existing “SingleAuthDeviceID.xml” could technically be an “OnlyUsername.xml”.

This also works with a VPX 50 (Gateway only) plus an additionally installed good old VPX Express license. Again, for testing / lab purposes only!

Also, watch out when doing firmware updates, as you have to replace the XML files again.
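The two drawbacks above (keeping notes on which default file name carries which flow, and files being replaced on firmware updates) can be tracked with a small manifest. The following is an added example, not part of the original post and not a Citrix tool; it assumes you work on a copy of the login schema directory on an admin workstation, and the function names, manifest format and sample XML content are made up for illustration.

```python
"""Track customized login schema XMLs that overwrite default file names (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def record(schema_dir, mapping, manifest):
    """Store what each overwritten default file really contains, plus its hash.

    mapping: {default file name: note describing the custom flow it now carries}
    """
    entries = {
        name: {"purpose": purpose, "sha256": sha256(Path(schema_dir) / name)}
        for name, purpose in mapping.items()
    }
    Path(manifest).write_text(json.dumps(entries, indent=2))
    return entries


def check(schema_dir, manifest):
    """Compare the directory with the manifest: ok, replaced or missing per file."""
    status = {}
    for name, entry in json.loads(Path(manifest).read_text()).items():
        path = Path(schema_dir) / name
        if not path.is_file():
            status[name] = "missing"
        elif sha256(path) != entry["sha256"]:
            status[name] = "replaced"  # e.g. a firmware update restored the default
        else:
            status[name] = "ok"
    return status


if __name__ == "__main__":
    # Constructed demo: a temp directory stands in for a copy of
    # /nsconfig/loginschema/LoginSchema pulled from the lab appliance.
    with tempfile.TemporaryDirectory() as tmp:
        schema = Path(tmp) / "SingleAuthDeviceID.xml"
        schema.write_text("<custom>username-only schema (constructed)</custom>")
        manifest = Path(tmp) / "manifest.json"
        record(tmp, {"SingleAuthDeviceID.xml": "OnlyUsername flow"}, manifest)
        print(check(tmp, manifest))  # before the update
        schema.write_text("<default>restored by update (constructed)</default>")
        print(check(tmp, manifest))  # after the update
```

Run `record` once after placing your customized files, then `check` after every firmware update to see which files need to be copied back.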
