
Need help with OTP/MFA/NFACTOR


Sandy Williams


Hello, I have OTP with Google Authenticator successfully deployed in our test environment with NetScaler 12.1. When we put this into production, though, we would prefer not to enable MFA all at once for everyone; we want a staged approach. I created an AD group called 'MFA' and created a first-level schema with username/password/domain fields. If the user is not in the group (second factor, group check), the flow goes into StoreFront and the icons appear. If the user IS in the group, I want a schema to appear that only asks for their PIN. I stole bits from other schemas, so I have a username field that pulls the username from the previous login, and I took out the password field and just left the Passcode/PIN in there, so it looks something like this:

 

<Requirement>
  <!-- username carried over from the first factor; the field is shown but not editable in practice because it is pre-filled -->
  <Credential><ID>login</ID><SaveID>login</SaveID><Type>username</Type></Credential>
  <Label><Text>User name:</Text><Type>nsg-login-label</Type></Label>
  <Input><Text><ReadOnly>false</ReadOnly><InitialValue>${http.req.user.name}</InitialValue><Constraint>.+</Constraint></Text></Input>
</Requirement>
<Requirement>
  <!-- the only credential collected at this factor: the OTP passcode/PIN, submitted as passwd1 -->
  <Credential><ID>passwd1</ID><SaveID>passwd1</SaveID><Type>password</Type></Credential>
  <Label><Text>Passcode:</Text><Type>plain</Type></Label>
  <Input><Text><Secret>false</Secret><Constraint>.+</Constraint></Text></Input>
</Requirement>
 

So I get the appropriate login screens to come up at the appropriate times. I just can't log in. My LDAP action is configured for OTP validation, therefore it's not configured for authentication at this third factor. I checked the date/time on my NetScaler and it looks correct.

 

At first I used the same login schema at my third factor as what we're using in our test environment as our first factor (username/password/domain/passcode), but I had two problems: the password fields were reversed, so putting my PIN in the password field and my password in the PIN field was the only way it would pass authentication, but then it wouldn't do SSO to StoreFront. I kind of gave up on this and went with trying the above-mentioned schema instead.


4 hours ago, Sandy Williams said:

So I get the appropriate login screens to come up at the appropriate times. I just can't log in.

 

Please paste the configuration showing how you configured authentication.

 

4 hours ago, Sandy Williams said:

I put my PIN in the password field and password in the PIN field; that's the only way it would pass authentication, but then it wouldn't do SSO

 

Play around with the credential index below.

 

[screenshot attached]

 

Thanks,

Vamsi


Hi, thank you. Yes, I did try playing around with the Password Credential Index but wasn't getting anywhere. Would a password credential index only help me with the part about not getting any icons in StoreFront, or could it be the cause of the third factor not working? I thought it was only used in conjunction with the traffic policy for SSO (and in my case I'm not even getting past the point of authorization to see whether my icons come up or not).

 

add authentication authnProfile ug_dd_auth_profile -authnVsName ug_aaa_dd_vs -AuthenticationHost otp.mysite.com
add authentication ldapAction mysite_dc_lb_vs_pwd -serverIP 10.10.10.164 -serverPort 636 -authTimeout 5 -ldapBase "dc=mysite,dc=ca" -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
add authentication loginSchema lschema_mysite_dd_pwdcred1 -authenticationSchema "/nsconfig/loginschema/lschema_mysite_dd2.xml" -passwordCredentialIndex 1
add authentication loginSchema MFA_NO_PWD_FIELD -authenticationSchema "/nsconfig/loginschema/MFA_no_password_field.xml" -passwordCredentialIndex 1
add authentication loginSchema MFA_NO_PWD_FIELD_NOCREDINDEX -authenticationSchema "/nsconfig/loginschema/MFA_no_password_field.xml"
add vpn trafficAction securemysitedev_OTP-TrafficProfile http -passwdExpression "http.REQ.USER.ATTRIBUTE(1)"
add authentication loginSchemaPolicy lschema_domain_drop_2domain_pol_pwdcred1 -rule true -action lschema_mysite_dd_pwdcred1
add vpn trafficPolicy securemysitedev_OTP-TrafficPolicy true securemysitedev_OTP-TrafficProfile
add authentication vserver ug_aaa_dd_vs SSL 0.0.0.0
add vpn vserver UG_VPN_securemysitedev SSL 0.0.0.0 -loginOnce ON -Listenpolicy NONE -authnProfile ug_dd_auth_profile -vserverFqdn UG_VPN_securemysitedev
add cs vserver securemysitedev_CS SSL 10.10.10.32 443 -cltTimeout 180
add cs action securemysitedev_UG_CSACT -targetVserver UG_VPN_securemysitedev
add cs policy securemysitedev_UG_CSPOL -rule "is_vpn_url || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/Citrix/mysiteDevWeb/\") || (CLIENT.IP.SRC.IN_SUBNET(192.168.0.0/16) && http.REQ.URL.CONTAINS(\"manageotp\"))" -action securemysitedev_UG_CSACT
bind cs vserver securemysitedev_CS -policyName securemysitedev_UG_CSPOL -priority 63000
add authentication Policy sldap_mysite -rule "HTTP.REQ.BODY(500).AFTER_STR(\"domain=\").CONTAINS(\"mysite\")" -action mysite_dc_lb_vs_pwd
add authentication Policy IS_MFA_YES -rule "http.REQ.USER.IS_MEMBER_OF(\"MFA_required\")" -action NO_AUTHN
add authentication Policy NON-MFA_USERS_AUTH_POL -rule true -action NO_AUTHN
add authentication policylabel CHECK_GRPS -loginSchema NOSCHEMA
add authentication policylabel MFA_USERS_NOPWDFIELD -loginSchema MFA_NO_PWD_FIELD
add authentication policylabel MFA_NO_PWD_FIELD_NOCREDINDEX -loginSchema MFA_NO_PWD_FIELD_NOCREDINDEX
bind authentication policylabel CHECK_GRPS -policyName IS_MFA_YES -priority 100 -gotoPriorityExpression NEXT -nextFactor MFA_NO_PWD_FIELD_NOCREDINDEX
bind authentication policylabel CHECK_GRPS -policyName NON-MFA_USERS_AUTH_POL -priority 110 -gotoPriorityExpression END
bind authentication policylabel MFA_NO_PWD_FIELD_NOCREDINDEX -policyName ldap_mysite_OTPvalidation -priority 100 -gotoPriorityExpression END
add vpn sessionAction UG_VPN_SAct_10.10.10.32 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -ClientChoices ON -clientlessVpnMode ON
add vpn sessionAction AC_OS_10.10.10.32 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential SECONDARY -icaProxy ON -wihome "https://storefrontdev.mysite.com/Citrix/mysiteDevWeb/" -ClientChoices OFF -clientlessVpnMode ON -storefronturl "https://storefrontdev.mysite.com"
add vpn sessionAction AC_WB_10.10.10.32 -transparentInterception ON -defaultAuthorizationAction ALLOW -SSO ON -icaProxy OFF -wihome "https://storefrontdev.mysite.com/Citrix/mysiteDevWeb/" -ClientChoices OFF -clientlessVpnMode ON
add vpn sessionPolicy UG_VPN_SPol_10.10.10.32 true UG_VPN_SAct_10.10.10.32
add vpn sessionPolicy PL_OS_10.10.10.32 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixVPN\").NOT && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"NSGiOSplugin\").NOT" AC_OS_10.10.10.32
add vpn sessionPolicy PL_WB_10.10.10.32 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_10.10.10.32
bind vpn vserver UG_VPN_securemysitedev -staServer "http://ctxdct02.mysite.com"
bind vpn vserver UG_VPN_securemysitedev -staServer "http://ctxdct01.mysite.com"
bind vpn vserver UG_VPN_securemysitedev -portaltheme mysite-RfWebUI
bind vpn vserver UG_VPN_securemysitedev -policy af_policy_UG_VPN_securemysitedev -priority 255 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy af_policy_UG_VPN_securemysitedev -priority 255 -gotoPriorityExpression END -type ICA_REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy af_policy_UG_VPN_securemysitedev -priority 255 -gotoPriorityExpression END -type OTHERTCP_REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy _cacheTCVPNStaticObjects -priority 10 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy _cacheOCVPNStaticObjects -priority 20 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy _cacheVPNStaticObjects -priority 30 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy _mayNoCacheReq -priority 40 -gotoPriorityExpression END -type REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy _cacheWFStaticObjects -priority 10 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver UG_VPN_securemysitedev -policy _noCacheRest -priority 20 -gotoPriorityExpression END -type RESPONSE
bind vpn vserver UG_VPN_securemysitedev -policy PL_OS_10.10.10.32 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy PL_WB_10.10.10.32 -priority 110 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy UG_VPN_SPol_10.10.10.32 -priority 58000 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver UG_VPN_securemysitedev -policy securemysitedev_OTP-TrafficPolicy -priority 100 -gotoPriorityExpression END -type REQUEST
bind authentication vserver ug_aaa_dd_vs -policy lschema_domain_drop_2domain_pol_pwdcred1 -priority 100 -gotoPriorityExpression END
bind authentication vserver ug_aaa_dd_vs -policy sldap_mysite -priority 100 -nextFactor CHECK_GRPS -gotoPriorityExpression NEXT
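As an added illustration, not the poster's configuration, the following NetScaler CLI sketch shows the staged-rollout flow the thread describes end to end: an LDAP password factor, a group-check factor that branches on membership of the MFA group, and an OTP-validation factor that only members reach. It also includes the OTP-validation LDAP action (`-authentication DISABLED -OTPSecret userParameters`) that the pasted config binds as `ldap_mysite_OTPvalidation` but does not define. Every name, IP, base DN and the bind account are placeholders; the built-in `OnlyPassword.xml` schema path is assumed to exist on the appliance.

```text
# Added example (not the poster's config). Placeholders: 10.0.0.1, dc=example,dc=com,
# svc_ns (LDAP bind account), aaa_vs (authentication vserver), AD group "MFA".

# Factor 1: normal LDAP password authentication. memberOf is fetched here so the
# group check in factor 2 evaluates the authenticated user's groups.
add authentication ldapAction ldap_pwd -serverIP 10.0.0.1 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ns@example.com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN
add authentication Policy pol_ldap_pwd -rule true -action ldap_pwd

# OTP validation action: with authentication DISABLED the appliance does not bind
# as the user; it reads the enrolled secret from userParameters and checks the
# submitted passcode against it. Enrollment happens via the manageotp page.
add authentication ldapAction ldap_otp -serverIP 10.0.0.1 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "svc_ns@example.com" -ldapBindDnPassword "<bind-password>" -ldapLoginName sAMAccountName -authentication DISABLED -OTPSecret userParameters
add authentication Policy pol_ldap_otp -rule true -action ldap_otp

# Group-check policies: both use NO_AUTHN, so this factor only branches.
add authentication Policy pol_in_mfa_group -rule "http.REQ.USER.IS_MEMBER_OF(\"MFA\")" -action NO_AUTHN
add authentication Policy pol_not_in_mfa_group -rule true -action NO_AUTHN

# Login schemas: no form for the group check; a password-only form for the PIN.
add authentication loginSchema lschema_none -authenticationSchema noschema
add authentication loginSchema lschema_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"

# Factor 2 (group check) and factor 3 (OTP) as policy labels.
add authentication policylabel lbl_group_check -loginSchema lschema_none
add authentication policylabel lbl_otp -loginSchema lschema_otp
bind authentication policylabel lbl_group_check -policyName pol_in_mfa_group -priority 100 -gotoPriorityExpression NEXT -nextFactor lbl_otp
bind authentication policylabel lbl_group_check -policyName pol_not_in_mfa_group -priority 110 -gotoPriorityExpression END
bind authentication policylabel lbl_otp -policyName pol_ldap_otp -priority 100 -gotoPriorityExpression END

# Factor 1 binding on the authentication vserver, chaining into the group check.
bind authentication vserver aaa_vs -policy pol_ldap_pwd -priority 100 -nextFactor lbl_group_check -gotoPriorityExpression NEXT
```

The branch decision is made from the groups returned by the factor-1 LDAP lookup, not from anything the client submits, so moving users into or out of the MFA group is the whole rollout lever: non-members hit the `END` binding and never see the PIN form, members are routed to `lbl_otp`, where the OTP-validation action is the only policy and the factor fails closed if the passcode does not verify.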
 
