in NetScaler, NetScaler Gateway, Security

nFactor – How do authenticated based on group membership

During the login flow, you might want to extract which group(s) a user is a member of, and based on that information change the login flow.

In the following example, a user will presented with a username dialog box first, clicks continue, NetScaler will verify that the user exists, do group extraction, and based on the result, present the user with corresponding output

A made up example could be that you want to control how many factors you want to present the user with, based on their group membership.

“Netscaler_1fa” <- only requires 1 factor (in this case password is that factor)

“Netscaler_2fa” <- requires 2 factors, 1st factor is password, 2nd factor is radius

“NetScaler_2fa_native_otp” <- requires 2 factors, 1st factor i password, 2nd factor is build in native OTP on NS.

First, an authentication label that controls the initial user output

(Portal_enter_user_name.xml is a custom login schema file, which contains one text box that will capture username)

Then create a policy to get the user in the fold: (remember that it is in the binding of a policy that you refer to the authentication label)

Then add the policy to a AAAVS:

Now the user will be presented with a box to enter the username.

NetScaler needs LDAP servers to verify the username and extract the group. This example will first verify if the user exist, if true, go on to extract the group.

Those policies need to be bound to a new Authentication policy label.

To get the users from the initial point(enter user name), there has to be a policy that sends them there(verify ldap user exists), so another “true” policy is needed (and bound) so that the verification and group extraction process starts.


After verification, different passwordboxes needs to be displayed, which are controlled in 3 different Authentication policy labels:

The policy that needs to boud to all of them have to be true, since we are not verifying in the policylabel, but only presenting output to the user, so catching the input from the password boxes and verifying that input in the next authentication policy label.

By doing it this way, you’ll end up with fewer policylabels and more policies, and it might seem complex now, but going forward with additional 10 domains, it’s much easier to have “the display flow” set in stone in a few policylabels, and just adding policies to the policy labels, like content switch policies.


The rest of configuration is not explained, but shown so you have a working example.

An upcoming article will describe how to make use of native OTP in NetScaler with multiple domains on the same AAAvs, and control it with policies, instead of on vServers.

Happy exploring with n-Factor!

What do you think?


  1. HI, Read your article trying to figure out where are you extracting the user to see if that user exsit in that group. Is it possible to write this article using GUI


  2. Do you guys have a working OTP only schema where the user gets prompted for the passcode after authentication

  3. Hello,

    Thank you for sharing the howto.

    The command to create AUTHPOLLABEL_2fa_with_otp_link policyLabel should be this ?

    add authentication policylabel AUTHPOLLABEL_2fa_with_otp_link -loginSchema LSCHEMA_INT

    • i see that command is missing.
      No, that would create a policylabel thats internally checking something about the procces(could be a groupmembership).
      I try to name my policylabels so they give some kind of meaning, and since its “with_otp_link” in the name, i would expect this policylabel to display something to the user in the process. but i cant recall the exact flow. Good luck!