A customer asked me to reduce the complexity of having both single-factor and multi-factor CAG login pages and to create a more seamless access experience for users with and without RSA tokens.

Because the customer wants folks who have been issued a token to receive full VPN access and be directed to a custom Web Interface (WI) site tailored for elevated permissions, I had to use two CAG VIPs: one for single-factor authentication (access.company.com) and the other for multi-factor authentication (rsa.access.company.com). Those who do not have a token, or do not have it readily available, can still log in and be attached to a different WI site with restricted application access.

To get the more seamless experience, I direct everyone to the single-factor login page and then present a link that gives RSA users an opportunity to plug in their RSA token values. The problem, though, is that all CAG vservers share the same HTML login page, so I had to insert the link programmatically by modifying the JavaScript so that it selectively inserts an HTML link based on which vserver the user is logged into.

While this may be sufficient for your use, please know you can further customize the HTML, JavaScript, and Style Sheet pages to conform to your vision of a seamless user experience.

Example Screen Shots

The Original CAG Login page:


The New page with RSA Token link:


If the user follows the link, the RSA token field is presented:


Procedure

Edit file /netscaler/ns_gui/vpn/login.js as necessary:

function ns_showpwd()
{
 // pwcount tells the shared login page how many password fields this vserver expects
 var pwc = ns_getcookie("pwcount");
 document.write('<TR><TD align=right style="padding-right:10px;"><SPAN class=CTXMSAM_LogonFont>Password');
 document.write(':</SPAN></TD>');
 document.write('<TD colspan=2 style="padding-right:8px;"><input class=CTXMSAM_ContentFont type="Password" title="Enter password" name="passwd" size="30" maxlength="32" style="width:100%;"></TD></TR>');
 if ( pwc == 2 ) {
  // Multi-factor vserver: show the RSA token field
  document.write('<TR><TD align=right style="padding-right:10px;"><SPAN class=CTXMSAM_LogonFont>RSA Token:</SPAN></TD><TD colspan=2 style="padding-right:8px;"><input class=CTXMSAM_ContentFont type="Password" title="Enter RSA Token" name="passwd1" size="30" maxlength="32" style="width:100%;"></TD></TR>');
 } else {
  // Single-factor vserver: offer the link to the multi-factor vserver instead
  document.write('<A href="https://rsa.access.company.com/">Click HERE if you have been issued an RSA token.</A>');
 }
 UnsetCookie("pwcount");
}
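
An added example (not part of the original post and not Citrix code): before copying a customised login.js to the appliance, the function can be run offline in Node.js under stubs to confirm that the token field appears only when pwcount is 2, and that the link appears only otherwise and points at the expected HTTPS host. The stubs, the helper names render and check, the shortened markup and the single-factor cookie value "1" are assumptions.

```javascript
// Added example: offline check of a customised ns_showpwd() before deployment.
// LOGIN_JS is a constructed sample (markup shortened); in practice use the text
// of the edited login.js. render() and check() are hypothetical helper names.
const ALLOWED_LINK = "https://rsa.access.company.com/";
const LOGIN_JS = `
function ns_showpwd() {
  var pwc = ns_getcookie("pwcount");
  document.write('<TR><TD>Password:</TD><TD><input type="Password" name="passwd"></TD></TR>');
  if (pwc == 2) {
    document.write('<TR><TD>RSA Token:</TD><TD><input type="Password" name="passwd1"></TD></TR>');
  } else {
    document.write('<A href="https://rsa.access.company.com/">Click HERE if you have been issued an RSA token.</A>');
  }
  UnsetCookie("pwcount");
}`;

// Run ns_showpwd() with stubs for document.write and the appliance's cookie
// helpers, returning the HTML it wrote and the cookies it cleared.
function render(source, pwcount) {
  const out = [];
  const cleared = [];
  const run = new Function("document", "ns_getcookie", "UnsetCookie",
    source + "\nns_showpwd();");
  run({ write: (s) => out.push(String(s)) },
      (name) => (name === "pwcount" ? pwcount : null),
      (name) => cleared.push(name));
  return { html: out.join(""), cleared };
}

// Compare one rendering with what that vserver's page should contain.
function check(source, pwcount, expectToken) {
  const { html, cleared } = render(source, pwcount);
  const problems = [];
  const hasToken = html.includes('name="passwd1"');
  const links = [...html.matchAll(/href="([^"]*)"/gi)].map((m) => m[1]);
  if (!html.includes('name="passwd"')) problems.push("password field missing");
  if (hasToken !== expectToken) problems.push("token field " + (hasToken ? "shown" : "missing"));
  if (links.length !== (expectToken ? 0 : 1)) problems.push("link count " + links.length);
  for (const l of links) if (l !== ALLOWED_LINK) problems.push("unexpected link: " + l);
  if (!cleared.includes("pwcount")) problems.push("pwcount not cleared");
  return problems;
}

// "2" = two password fields (RSA vserver); "1" is an assumed single-factor value.
console.log("two-factor page:", check(LOGIN_JS, "2", true));
console.log("single-factor page:", check(LOGIN_JS, "1", false));
```

An empty problem list for both cases means the shared page renders correctly for each vserver; any link target other than the allowed HTTPS URL is reported.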


References

CTX115756 – How to Modify the Logon Form Field Labels

Notes

Used NetScaler 9.0

Both CAG vServers used the same wildcard SSL certificate.