Navigation

  • Change Log
  • Overview
  • LDAP Policies/Actions
  • Login Schemas
  • Authentication PolicyLabel
  • AAA vServer
  • Traffic Policy for Single Sign-on
  • NetScaler Gateway and Authentication Profile
  • Update Content Switching Expression for Unified Gateway
  • Manageotp
  • CLI Commands

Change Log

  • 2019 Feb 4 – Login Schemas – added link to Morten Kallesoee n-Factor – restrictions on native OTP management
  • 2018 Oct 6 – Overview – Workspace app 1809 and newer with Citrix Gateway (NetScaler) 12.1 build 49 and newer support nFactor (and OTP) authentication.
    • Updated screenshots for Citrix ADC 12.1
  • 2018 June 15 – Login Schemas – added link to Stan Demburg NetScaler Native OTP – Prevent Enrollment Of Additional Devices Externally
  • 2018 Mar 18 – in the Traffic Policy section, added info from Julien Mooren NetScaler – Native OTP is breaking SSL VPN.

Overview

NetScaler 12 Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses Google Authenticator to generate passcodes (time-based one-time passwords) from a secret that NetScaler stores in an Active Directory attribute. See the following for an overview:

  • YouTube video NetScaler Unified Gateway One Time Password
  • Citrix Blog Post NetScaler Unified Gateway Provides One Time Password (OTP), Natively
  • Citrix CTX228454 NetScaler One Time Password (OTP) Guide for Dual Authentication or Registration

Here are the OTP configuration objects:

  • Make sure NTP is configured on the NetScaler. The passcodes are time-based, so accurate time is required; a NetScaler clock that is significantly off causes valid passcodes to be rejected.
  • An LDAP Policy/Server with authentication disabled and OTP Secret configured. This OTP-specific LDAP Policy/Server is used for two scenarios (the steps below create one LDAP Action per scenario, differing only by a Search Filter):
    • manageotp device enrollment
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled. This LDAP Policy/Server verifies the entered passcode.
  • An LDAP Policy/Server with authentication enabled. This one policy is used for two scenarios:
    • Single-factor authentication to the manageotp authenticator/device enrollment website.
    • Two-factor authentication to NetScaler Gateway after a device has been enrolled (this is the first factor; the passcode is the second).
  • A single non-addressable AAA vServer with two Login Schemas for the following scenarios:
    • A single-factor Login Schema for manageotp.
    • A dual-factor Login Schema for NetScaler Gateway authentication.
  • An Authentication Profile to link the AAA vServer to the NetScaler Gateway vServer.

LDAP Policies/Actions

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.
  2. On the right, click Add.
    1. Create a normal LDAP Server if you don't have one already. This one has Authentication enabled. This LDAP Policy/Server will be used for single-factor authentication to the manageotp website, and for the first factor of dual-factor authentication to NetScaler Gateway (the second factor is OTP). There are no special instructions for this LDAP Server.
  3. Create another LDAP Action.
    1. This one is used by the manageotp site to write the OTP secret of a newly registered authenticator into Active Directory, so name it appropriately.
    2. On the right, uncheck the box next to Authentication. If you don't uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users. This account can write every user's OTP secret, so treat it as a privileged service account and scope its write rights to that single attribute.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won't work. Then click Test LDAP Reachability.
    5. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where NetScaler will store the user's OTP secret. You can use the userParameters attribute if that attribute isn't being used for anything else. Note that userParameters is also where Remote Desktop Services (Terminal Services) per-user settings are stored, so check whether those are in use before choosing it.
    7. Thomas Rolfs in the comments advises not to enable Nested Group Extraction in this LDAP Action.
    8. Click Create when done.
  4. Create another LDAP Action.
    1. This one will verify the OTP code entered by the user, so name it accordingly. The only difference from the prior one is the addition of an LDAP Search Filter.
    2. On the right, uncheck the box next to Authentication. If you don't uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won't work.
    5. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Search Filter field, enter the text userParameters>=#@. NetScaler stores the secret with a #@ prefix, and this ordering filter only matches users whose attribute is present and sorts at or after that prefix, so only users with enrolled authenticators can log in; a user without an enrolled device fails the second factor instead of passing it. See George Spiers NetScaler native OTP for more info.
    7. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user's OTP secret.
    8. Click Create when done.
  5. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Policy.
  6. On the right, click Add.
    1. You probably don't already have an Advanced Authentication Policy for your normal LDAP server.
    2. Change the Action Type to LDAP.
    3. Select your normal LDAP server, which is the one that has Authentication enabled.
    4. Enter true as the expression. This uses Default Syntax instead of Classic Syntax.
    5. Click Create.
  7. Create another Authentication Policy.
    1. This policy is for OTP management so name it appropriately.
    2. Change the Action Type to LDAP.
    3. Select the Set OTP LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should not have the Search Filter configured.
    4. Enter HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") in the Expression box, and click Create.
  8. Create another Authentication Policy.
    1. This policy is for OTP verification so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the OTP Verification LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should have the Search Filter configured to prevent unenrolled users from authenticating.
    4. Enter true in the Expression box, and click Create.

Login Schemas

  1. Go to Security > AAA – Application Traffic > Login Schema.
  2. On the right, switch to the Profiles tab, and click Add.
    1. This is the single factor Login Schema for manageotp so name the Schema accordingly.
    2. Click the Edit icon.
    3. On the left, click the LoginSchema folder to open it.
    4. Scroll down, and click SingleAuthManageOTP.xml to highlight it.
    5. On the top right, click Select.
    6. Click Create.
  3. Add another Login Schema profile.
    1. This Login Schema is for two-factor authentication to NetScaler Gateway so name it accordingly.
    2. Click the edit icon. Follow the same procedure as above, but this time select /LoginSchema/DualAuth.xml.
    3. Click More to reveal more options.
    4. Scroll down. In the Password Credential Index field, enter 1. This causes nFactor to save the user's password into AAA Attribute #1, which we'll use later in a Traffic Policy to Single Sign-on to StoreFront. If you don't do this, then NetScaler Gateway will try to use the passcode (the last credential entered) to authenticate to StoreFront, which obviously won't work.
    5. Check the box next to Enable Single Sign On Credentials. Mark in the comments indicates that this checkbox is needed to Single Sign On to RDP Hosts.
    6. Click Create.
  4. On the right, switch to the Policies tab.
  5. Click Add to add a Login Schema policy.
    1. In the Profile field, select the Single Factor Manage OTP Login Schema Profile.
    2. Name the Login Schema Policy for OTP management.
    3. In the Rule field, enter the following. This ensures that this single factor Login Schema is only used if the user enters /manageotp, and if the user is on the internal network. You don't want manageotp to be accessible externally, because it's only protected by single factor authentication, and it's too easy to add multiple devices: anyone holding a user's password could enroll an authenticator of their own. Adjust the subnet to match your internal network, and remember that CLIENT.IP.SRC is the address NetScaler sees, so internal users arriving through a proxy or NAT must present an address inside that subnet.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)
      • Stan Demburg at NetScaler Native OTP – Prevent Enrollment Of Additional Devices Externally at iRangers has a method of preventing external access to manageotp if the user already has a device enrolled.
      • Morten Kallesoee at n-Factor – restrictions on native OTP management restricts manageotp if the user already has a device enrolled.
    4. Click Create.
  6. Create another Login Schema Policy.
    1. In the Profile field, select the dual factor Login Schema.
    2. Name the Login Schema to indicate dual factor authentication.
    3. In the Rule box, enter true.
    4. Click Create.
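The Search Filter on the OTP verification LDAP Action and the Login Schema rule above are the two decisions that keep unenrolled users and external clients away from the single-factor path, and the policy-label and Login Schema priorities decide which rule is consulted first. The following Python is an added example, not part of this page and not NetScaler code: it models those decisions offline so they can be checked against sample requests. It assumes the subnet, cookie name, attribute name and priorities used on this page; the sample requests and attribute values are constructed here, and Python string comparison stands in for the LDAP ordering match (Active Directory's ordering rule is case-insensitive, which makes no difference for the #@ prefix). It models rule matching only, not the fallback to the next policy when an action fails.

```python
"""Added example: offline model of the nFactor decisions configured on this page.

Not NetScaler code. Subnet, cookie name, attribute and priorities are the ones
from the page; the sample requests and user records are constructed here.
"""
import ipaddress

INTERNAL_SUBNET = ipaddress.ip_network("10.2.0.0/16")  # from the Login Schema rule
OTP_ATTRIBUTE = "userParameters"                        # -OTPSecret on the LDAP Actions


def wants_manageotp(cookies):
    """http.req.cookie.value("NSC_TASS").eq("manageotp")"""
    return cookies.get("NSC_TASS") == "manageotp"


def select_login_schema(cookies, client_ip):
    """Login Schema policies on the AAA vServer, lowest priority number first.

    100: SingleAuthManageOTP  rule: manageotp cookie && CLIENT.IP.SRC in subnet
    110: DualAuth             rule: true
    The first matching rule wins, so an external /manageotp request never
    receives the single-factor form.
    """
    if wants_manageotp(cookies) and ipaddress.ip_address(client_ip) in INTERNAL_SUBNET:
        return "SingleAuthManageOTP"
    return "DualAuth"


def passes_search_filter(user_attributes):
    """Stand-in for the LDAP search filter userParameters>=#@.

    An ordering match only succeeds when the attribute exists and its value
    sorts at or after "#@", the prefix NetScaler puts on the stored secret.
    A missing or empty attribute (no device enrolled) does not match, so the
    user is not found and the second factor fails.
    """
    value = user_attributes.get(OTP_ATTRIBUTE)
    return value is not None and value >= "#@"


def select_otp_action(cookies, user_attributes):
    """Second factor: policy label OTP_pollabel, lowest priority number first.

    100: LDAP_Manage_OTP-pol  rule: manageotp cookie -> set action (no filter)
    110: LDAP_Confirm_OTP-pol rule: true             -> verify action (filter)
    Returns (action name, whether the LDAP search finds the user at all).
    """
    if wants_manageotp(cookies):
        return "LDAP_OTP_set_no_auth", True
    return "LDAP_OTP_verify_no_auth", passes_search_filter(user_attributes)


def decide(cookies, client_ip, user_attributes):
    """Combine both decisions for one constructed request."""
    action, matched = select_otp_action(cookies, user_attributes)
    return {
        "login_schema": select_login_schema(cookies, client_ip),
        "otp_action": action,
        "user_matched": matched,
    }


if __name__ == "__main__":
    enrolled = {OTP_ATTRIBUTE: "#@phone=SECRET"}  # constructed stand-in for a stored secret
    unenrolled = {}
    print(decide({"NSC_TASS": "manageotp"}, "10.2.7.15", unenrolled))   # single-factor enrollment
    print(decide({"NSC_TASS": "manageotp"}, "203.0.113.9", unenrolled)) # external: dual-factor form
    print(decide({}, "203.0.113.9", enrolled))                          # normal login, enrolled
    print(decide({}, "203.0.113.9", unenrolled))                        # normal login, not enrolled
```

The last case is the one the Search Filter exists for: without it, the verify action would still find the unenrolled user, and whether the login succeeds would depend on how the action treats an empty secret rather than on a deliberate deny.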

Authentication PolicyLabel

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel.
  2. On the right, click Add.
  3. This PolicyLabel is for OTP management and OTP verification, so name it accordingly.
  4. In the Login Schema field, select LSCHEMA_INT, which means noschema.
  5. Click Continue.
  6. In the Policy Binding section, Click to select.
  7. Click the radio button next to the Manage OTP LDAP Policy that has authentication disabled, and OTP Secret configured. This one should have a policy expression that limits it to manageotp only. Click Select.
  8. Click Bind.
  9. Click Add Binding to add another one.
  10. Click to select.
  11. Click the radio button next to the LDAP Policy that verifies OTP. Click Select.
  12. Click Bind.
  13. Make sure the manageotp policy is higher in the list than the OTP Verification policy. The verification policy's expression is true, so if it came first it would also match manageotp requests and the management policy would never be reached. To adjust priorities, right-click on the policies, and click Edit Binding. Click Done.

AAA vServer

  1. Go to Security > AAA – Application Traffic.
    1. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
  2. Go to Security > AAA – Application Traffic > Virtual Servers.
  3. On the right, click Add.
  4. This AAA vServer is for OTP so name it accordingly.
  5. Change the IP Address Type to Non Addressable.
  6. Click OK.
  7. Click where it says No Server Certificate.
    1. In the Server Certificate Binding section, click Click to select.
    2. Click the radio button next to a certificate, and click Select. You can use the same certificate as NetScaler Gateway.
    3. Click Bind.
  8. Click Continue to close the Certificate section.
  9. In the Advanced Authentication Policies section, click where it says No Authentication Policy.
    1. Click where it says Click to select.
    2. Click the radio button next to the normal LDAP Policy that has authentication enabled. Then click the blue Select button.
    3. In the Select Next Factor field, click where it says Click to select.
    4. Click the radio button next to the OTP PolicyLabel, and click Select.
    5. Click Bind.
  10. In the Advanced Authentication Policies section, click Continue.
  11. On the right, in the Advanced Settings column, click Login Schemas.
  12. On the left, scroll down, and click where it says No Login Schema.
    1. Click where it says Click to select.
    2. Click the radio button next to the Manage OTP Login Schema, and click Select.
    3. Click Bind.
  13. Click where it says 1 Login Schema.
    1. Click Add Binding.
    2. Click where it says Click to select.
    3. Click the radio button next to the dual factor Login Schema, and click Select.
    4. Click Bind.
    5. Make sure the single factor Manage OTP Login Schema is higher in the list (lower priority number) than the dual factor Login Schema. Click Close.
  14. On the right, in the Advanced Settings column, click Portal Themes.
  15. On the left, scroll down, select RfWebUI as the Portal Theme, and click OK.
  16. Click Done.

Traffic Policy for Single Sign-on

  1. On the left, go to NetScaler Gateway > Policies > Traffic.
  2. On the right, switch to the Traffic Profiles tab, and click Add.
  3. This Traffic Profile is for OTP and/or nFactor. Name it accordingly.
  4. Scroll down.
  5. In the SSO Password Expression box, enter the following. This is where we use the Login Schema Password Credential Index specified earlier: attribute 1 holds the user's AD password rather than the passcode.
    http.REQ.USER.ATTRIBUTE(1)
  6. Click Create.
  7. On the right, switch to the Traffic Policies tab, and click Add.
  8. In the Request Profile field, select the Traffic Profile you just created.
  9. Name the Traffic Policy.
  10. In the Expression box, enter true (Default Syntax).
    • If your NetScaler Gateway Virtual Server allows full VPN, change the expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN.
      http.req.method.eq(post)||http.req.method.eq(get) && false
  11. Click Create.

NetScaler Gateway and Authentication Profile

  1. Go to NetScaler Gateway > Virtual Servers.
  2. Edit an existing Gateway vServer. If you don't have one, see the other NetScaler Gateway topics on this site.
  3. Scroll down to the Policies section, and click the plus icon.
  4. Change the Choose Policy drop-down to Traffic, and click Continue.
  5. Click to select.
  6. Click the radio button next to the Traffic Policy you created earlier, and click Select.
  7. Click Bind.
  8. On the right, in the Advanced Settings column, click Authentication Profile.
  9. On the left, scroll down to the Authentication Profile section.
  10. Click Add to create one.
  11. The Authentication Profile links the NetScaler Gateway vServer with the OTP AAA vServer, so name it accordingly.
  12. In the Authentication Virtual Server section, Click to select.
  13. Click the radio button next to the OTP AAA vServer, and click Select.
  14. Click Create.
  15. Scroll down again to the Authentication Profile section, and click OK.
  16. The Portal Theme bound to the Gateway vServer should be RfWebUI, or a derivative.
  17. Go to System > Profiles.
  18. On the right, switch to the SSL Profile tab.
  19. Edit the ns_default_ssl_profile_frontend profile.
  20. Make sure HSTS is not enabled in the profile, or RfWebUI and manageotp won't work correctly. This is probably a bug. Note: the Rewrite method of enabling HSTS (inserting the Strict-Transport-Security header with a Rewrite policy) should work.

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths.

  1. In the NetScaler GUI, navigate to Configuration > Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK. CONTAINS matches the string anywhere in the URL, not only as the leading path, which is fine here because every such request should reach the Gateway vServer anyway.
    || HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp

  1. Point your browser to https://mygateway.corp.com/manageotp or similar. Just add /manageotp to the end of your Gateway URL.
  2. Notice it's only single-factor authentication. Login using normal LDAP credentials.
  3. Click Add Device.
  4. Enter a device name, and click Go.
  5. Launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QR code that is shown on the screen.
  6. Christian in the comments indicated that Microsoft Authenticator also works. Click on plus sign -> other (Google,…).
  7. Click Test.
  8. Enter the passcode shown in your Authenticator, and click Go.
  9. If you log off of manageotp, and access your Gateway URL normally, you'll be prompted for two-factor authentication. Use the passcodes shown in your Google Authenticator application.
  10. It should Single Sign-on into StoreFront.
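What the authenticator does with the scanned QR code, and what the Test step here and the OTP verification LDAP Action later check, is plain RFC 6238 TOTP arithmetic: HMAC-SHA1 over a 30-second counter, keyed with the secret carried in the otpauth:// URI, truncated to 6 digits. The following Python is an added example, not code from this page or from Citrix, so the Overview's NTP requirement can be seen concretely: the verifier shown accepts one 30-second step of clock skew on either side, and a clock further off than that rejects every passcode. The enrollment URI is constructed here with the RFC 6238 test secret, not a secret from a real enrollment, and the one-step skew window is this example's choice; the tolerance NetScaler itself applies is not documented on this page.

```python
"""Added example: the TOTP arithmetic behind the passcodes (RFC 6238).

Not code from this page or from Citrix. The enrollment URI is constructed
here with the RFC 6238 test secret; the skew window is this example's choice.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

STEP = 30    # seconds per counter value, the Google Authenticator default
DIGITS = 6
SKEW = 1     # steps accepted either side of "now" (assumption, not NetScaler's value)


def parse_otpauth(uri):
    """Return (label, base32 secret) from an otpauth://totp/<label>?secret=... URI,
    which is what the QR code on the manageotp page carries."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret = parse_qs(parts.query)["secret"][0]
    return parts.path.lstrip("/"), secret


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % 10 ** digits)


def totp(secret_b32, at=None, step=STEP):
    """Passcode the authenticator shows at Unix time `at` (now if omitted)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step))


def verify(secret_b32, passcode, at=None, step=STEP, skew=SKEW):
    """Verifier side: accept the code for the current step or up to `skew`
    steps either side, compared in constant time. A verifier clock off by
    more than skew*step seconds (the reason the page insists on NTP) makes
    every passcode fail even though the phone is right."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), passcode)
               for d in range(-skew, skew + 1))


# Constructed enrollment URI; the secret is the RFC 6238 SHA-1 test key
# ("12345678901234567890" in base32), not any real user's secret.
ENROLL_URI = ("otpauth://totp/corp.local:user1"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=corp.local")

if __name__ == "__main__":
    label, secret = parse_otpauth(ENROLL_URI)
    code = totp(secret)
    print(label, code, verify(secret, code))
```

Because the secret in the URI is all an authenticator needs, the QR code shown on the manageotp page is as sensitive as the password itself, which is one more reason to keep that page off the internet.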

CLI Commands

Here's a complete CLI configuration.

add ssl certKey WildcardCorpCom -cert WildcardCorpCom.pfx -key WildcardCorpCom.pfx -inform PFX -passcrypt "abc"

add authentication ldapAction LDAP-Corp -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn ctxsvc@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute2 userParameters
add authentication ldapAction LDAP_OTP_set_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication ldapAction LDAP_OTP_verify_no_auth -serverIP 10.2.2.11 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn admin@corp.local -ldapBindDnPassword abc -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters

add authentication Policy Corp-Adv -rule true -action LDAP-Corp
add authentication Policy LDAP_Manage_OTP-pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_OTP_set_no_auth
add authentication Policy LDAP_Confirm_OTP-pol -rule true -action LDAP_OTP_verify_no_auth

add authentication loginSchema Dual_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1
add authentication loginSchema Single_Manage_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy Single_Manage_OTP-lschemapol -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(10.3.0.0/16)" -action Single_Manage_OTP-lschema
add authentication loginSchemaPolicy Dual_OTP-lschemapol -rule true -action Dual_OTP-lschema

add authentication policylabel OTP_pollabel -loginSchema LSCHEMA_INT
bind authentication policylabel OTP_pollabel -policyName LDAP_Manage_OTP-pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTP_pollabel -policyName LDAP_Confirm_OTP-pol -priority 110 -gotoPriorityExpression NEXT

add authentication vserver OTP-AAA SSL 0.0.0.0
bind ssl vserver OTP-AAA -certkeyName WildcardCorpCom
bind authentication vserver OTP-AAA -portaltheme RfWebUI
bind authentication vserver OTP-AAA -policy Single_Manage_OTP-lschemapol -priority 100 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Dual_OTP-lschemapol -priority 110 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Corp-Adv -priority 100 -nextFactor OTP_pollabel -gotoPriorityExpression NEXT

add vpn trafficAction OTP-trafficprofile http -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy OTP-trafficpol true OTP-trafficprofile

add authentication authnProfile OTP-authnprofile -authnVsName OTP-AAA

add vpn vserver Gateway.corp.com SSL 10.2.5.220 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile OTP-authnprofile
set ssl vserver Gateway.corp.com -sslProfile ns_default_ssl_profile_frontend
add vpn sessionAction "Receiver For Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront2.corp.com/Citrix/StoreWeb" -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://storefront2.corp.com"
add vpn sessionPolicy "Receiver For Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver For Web"
bind vpn vserver Gateway.corp.com -portaltheme RfWebUI
bind vpn vserver Gateway.corp.com -policy "Receiver For Web" -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver Gateway.corp.com -policy OTP-trafficpol -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver Gateway.corp.com -certkeyName WildcardCorpCom