
Citrix Netscaler 12.1 OTP Scripted / CLI



We're trying to follow Carl Stalhood's CLI walkthrough (linked below), but our NetScaler Gateway is already configured for plain XenApp access. When we browse to https://citrix.mycorp.com/manageotp we are redirected to the main logon page, which prompts for Username, Password and Passcode instead of showing the device-registration page (the QR code to scan with a smartphone).

 

###START BASIC CONFIG

#1. WinSCP to NSIP and copy license file to /nsconfig/license
#2. WinSCP to NSIP and copy ssl.pfx to /nsconfig/ssl
#3. WinSCP to NSIP and copy intermediate.cer to /nsconfig/ssl
# NOTE(review): steps 2-3 place the private key (PFX) on the appliance. Transfer it over SCP/SFTP only
# and delete the local copy once the certKey in step 5 has been created.
#4. SSH to NSIP - Set SNIP, set hostname, DNS servers and Time Zone
# SNIP with -vServer DISABLED: this address cannot be used to host virtual servers.
add ns ip 192.168.1.20 255.255.255.0 -vServer DISABLED
set ns hostName ns
add dns nameServer 192.168.1.10
#REM Additional DNS servers: add dns nameServer 192.168.1.11
set ns param -timezone "GMT-08:00-PST-America/Los_Angeles"
#REM Timezone New York: set ns param -timezone "GMT-05:00-EST-America/New_York"
#REM Timezone Chicago: set ns param -timezone "GMT-06:00-CST-America/Chicago"
# Everything after the reboot assumes the appliance is back up and you have re-connected over SSH.
save config
reboot
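#5. Disable Callhome, Disable CUXIP, Enable SSL, Enable Netscaler Gateway, Add SSL cert from PFX and link to Intermediate
#   (this header was pasted as "59. Disable ..." without a leading '#', so the CLI treated it as a command and errored)
disable ns feature ch
set system parameter -doppler disabled
enable ns feature SSL SSLVPN
# The PFX password is typed on the command line, so it may be retained in the CLI history of the SSH
# session and is visible in any copy of this script. Export the PFX with a throw-away password
# (never a trivial one like 'test1' on a production key) and re-issue the key if this value was ever real.
add ssl certKey SSL -cert ssl.pfx -key ssl.pfx -inform PFX -password test1
add ssl certKey Intermediate -cert intermediate.cer
# Link the server cert to its issuing intermediate so the full chain is sent to clients.
link ssl certKey SSL Intermediate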
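#6. Create LDAP server and Policy
# Changed from -secType PlainText on 389 to LDAPS on 636: with PlainText the bind password and every
# user's AD password cross the network in clear text, and Active Directory refuses password changes
# (-passwdChange ENABLED) over an unencrypted connection, so that option would never have worked.
# Requires an LDAPS certificate on 192.168.1.10; fix that rather than falling back to PlainText.
# The bind account only needs read access; rotate its password if the value below was ever real.
add authentication ldapAction LDAP_Server -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED
#REM Recommended once the DC's issuing CA cert is installed on the NetScaler (check the 12.1 CLI reference for the exact syntax):
#REM set authentication ldapAction LDAP_Server -validateServerCert YES
#REM To filter user accounts which are permitted to logon by Active Directory group named CitrixUsersExternal
#REM set authentication ldapAction LDAP_Server -searchFilter "memberOf=CN=CitrixUsersExternal,OU=Groups,DC=mycorp,DC=com"
add authentication ldapPolicy LDAP_Pol NS_TRUE LDAP_Server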
#7. Redirect HTTP to HTTPS
enable feature lb
# Plain-HTTP listener on the same VIP; it serves nothing, it only redirects to the HTTPS FQDN.
add lb vserver http_redirect_to_ssl HTTP 192.168.1.22 80 -persistenceType NONE -redirectURL "https://citrix.mycorp.com" -cltTimeout 180
#8. Create Virtual Server for Netscaler Gateway and set SSL protocols
# -icaOnly ON: this Gateway proxies ICA only; no full VPN / clientless VPN sessions are granted.
add vpn vserver VirtualServer SSL 192.168.1.22 443 -icaOnly ON -Listenpolicy NONE -tcpProfileName nstcp_default_XA_XD_profile -deploymentType ICA_STOREFRONT -vserverFqdn citrix.mycorp.com
# SSLv3 / TLS 1.0 / TLS 1.1 off, TLS 1.2 / 1.3 on, HSTS max-age 157680000 s (5 years).
# TLS 1.3 availability on 12.1 depends on build and platform - verify with 'show ssl vserver VirtualServer'.
# NOTE(review): if an SSL profile is later bound to this vserver (the OTP section below does this),
# the profile's protocol settings take precedence over these per-vserver flags; re-apply them on the profile.
set ssl vserver VirtualServer -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED -tls12 ENABLED -tls13 ENABLED -HSTS ENABLED -maxage 157680000
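#9. Create Secure Cipher Suite
# TLS 1.3 suites first, then TLS 1.2 suites. Dropped TLS1-ECDHE-ECDSA-AES256-SHA (CBC with SHA-1),
# which does not belong in a group called SecureCiphers; priority 6 is intentionally left unused.
# TLS1.2-ECDHE-ECDSA-AES256-SHA384 (priority 4) is also a CBC suite - kept, but worth removing too.
# NOTE: the *-ECDSA-* entries only apply if the certificate bound in step 11 has an EC key; with an
# RSA certificate, TLS 1.2 clients can only use the DHE-RSA / ECDHE-RSA entries (priorities 7, 9, 11).
add ssl cipher SecureCiphers
bind ssl cipher SecureCiphers -cipherName TLS1.3-CHACHA20-POLY1305-SHA256 -cipherPriority 1
bind ssl cipher SecureCiphers -cipherName TLS1.3-AES128-GCM-SHA256 -cipherPriority 2
bind ssl cipher SecureCiphers -cipherName TLS1.3-AES256-GCM-SHA384 -cipherPriority 3
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-SHA384 -cipherPriority 4
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 -cipherPriority 5
bind ssl cipher SecureCiphers -cipherName TLS1.2-DHE-RSA-AES256-GCM-SHA384 -cipherPriority 7
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 -cipherPriority 8
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 -cipherPriority 9
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-ECDSA-CHACHA20-POLY1305 -cipherPriority 10
bind ssl cipher SecureCiphers -cipherName TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 -cipherPriority 11
#10. Bind vServer to Secure Cipher Suite
# Bind the custom group before unbinding DEFAULT so the vserver is never left without ciphers.
bind ssl vserver VirtualServer -cipherName SecureCiphers
unbind ssl vserver VirtualServer -cipherName DEFAULT
# NOTE(review): if an SSL profile is later bound to this vserver (the OTP section below does this),
# the profile's cipher bindings take precedence over these - verify with 'show ssl vserver VirtualServer'.
#11. Bind SSL to vServer
bind ssl vserver VirtualServer -certkeyName SSL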
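#12. Create Session Actions & Policies
# Two session profiles: native Receiver/Workspace app (AC_OS_Receiver) and browser / Receiver for Web
# (AC_WB_Web). Both are ICA proxy only (-icaProxy ON, matching -icaOnly ON on the vserver) and
# use the primary (LDAP) credential for SSO to StoreFront.
add vpn sessionAction AC_OS_Receiver -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://storefront.mycorp.com/citrix/storeweb" -ClientChoices OFF -ntDomain mycorp.com -clientlessVpnMode OFF -storefronturl "https://storefront.mycorp.com" -sfGatewayAuthType domain
add vpn sessionAction AC_WB_Web -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://storefront.mycorp.com/citrix/storeweb" -ClientChoices OFF -ntDomain mycorp.com -clientlessVpnMode OFF -sfGatewayAuthType domain
# Policy selection is by User-Agent: anything identifying as CitrixReceiver gets the native profile.
add vpn sessionPolicy PL_OS_Receiver "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")" AC_OS_Receiver
add vpn sessionPolicy PL_WB_Web "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" AC_WB_Web
#13. Bind STA, LDAP and Session Policies
# STA changed from http:// to https://: StoreFront is already reached over HTTPS in the session
# profiles above, and STA tickets sent over plain HTTP are readable on the wire. The StoreFront
# certificate chain must be trusted by the NetScaler for the STA to show UP.
bind vpn vserver VirtualServer -staServer "https://storefront.mycorp.com"
bind vpn vserver VirtualServer -policy LDAP_Pol
bind vpn vserver VirtualServer -policy PL_OS_Receiver -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver VirtualServer -policy PL_WB_Web -priority 110 -gotoPriorityExpression NEXT -type REQUEST
###END BASIC CONFIG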

 

 

###START OTP / ONE TIME PASSWORD CONFIG

#https://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/#cli


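# All three LDAP actions switched from PlainText/389 to LDAPS/636: with PlainText the bind passwords
# and every user's AD password cross the network in clear text. The DC needs an LDAPS certificate;
# do not fall back to PlainText to work around a missing one.
# Two bind accounts are used: ctxsvc (reads, authenticates users) and ctxadmin (writes the OTP secret
# into userParameters). ctxadmin only needs write access to that one attribute on the user objects in
# scope - do not use a Domain Admin for it. Rotate both passwords if the values below were ever real.
add authentication ldapAction LDAP-Corp -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ctxsvc@mycorp.com -ldapBindDnPassword "CTXPassword123$" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute2 userParameters
# Device registration: writes the secret to userParameters without checking the password
# (-authentication DISABLED); the password was already verified by the first factor (Corp-Adv).
add authentication ldapAction LDAP_OTP_set_no_auth -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ctxadmin@mycorp.com -ldapBindDnPassword "ADMINPassword123$" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
# OTP validation: the searchFilter only matches users whose userParameters already holds a
# registered device (value starting with "#@"); everyone else fails this factor.
add authentication ldapAction LDAP_OTP_verify_no_auth -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ctxadmin@mycorp.com -ldapBindDnPassword "ADMINPassword123$" -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
add authentication Policy Corp-Adv -rule true -action LDAP-Corp
# The secret-writing action is now gated by the same internal-subnet check as the manageotp login
# schema below. Previously only the NSC_TASS cookie selected it, so a client outside the internal
# network with a valid password that set the cookie itself may have been able to reach device
# registration. Keep this subnet identical to the one on Single_Manage_OTP-lschemapol.
add authentication Policy LDAP_Manage_OTP-pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\") && CLIENT.IP.SRC.IN_SUBNET(192.168.1.0/24)" -action LDAP_OTP_set_no_auth
add authentication Policy LDAP_Confirm_OTP-pol -rule true -action LDAP_OTP_verify_no_auth

# Fixed: the original read "add authenticationa loginSchema", which is not a command, so
# Dual_OTP-lschema was never created and the policy that references it below failed as well.
add authentication loginSchema Dual_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1
add authentication loginSchema Single_Manage_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
# Subnet changed from 192.168.0.0/24 to 192.168.1.0/24: every other address in this config (NSIP/SNIP,
# AD, VIP) is in 192.168.1.0/24. If internal clients are not in the subnet named here the rule never
# matches, the manageotp schema is skipped and /manageotp falls through to the normal
# username/password/passcode form - which is the symptom described in the post. Set it to the real
# internal client subnet (TODO confirm) and keep it identical to the one on LDAP_Manage_OTP-pol.
add authentication loginSchemaPolicy Single_Manage_OTP-lschemapol -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\") && client.IP.SRC.IN_SUBNET(192.168.1.0/24)" -action Single_Manage_OTP-lschema
add authentication loginSchemaPolicy Dual_OTP-lschemapol -rule true -action Dual_OTP-lschema

# Second factor: device registration is tried first (only when cookie + subnet match), otherwise
# the OTP is validated.
add authentication policylabel OTP_pollabel -loginSchema LSCHEMA_INT
bind authentication policylabel OTP_pollabel -policyName LDAP_Manage_OTP-pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTP_pollabel -policyName LDAP_Confirm_OTP-pol -priority 110 -gotoPriorityExpression NEXT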

enable ns feature AAA
# Non-addressable (0.0.0.0) AAA vserver: it is only reached through the Gateway vserver via the
# authentication profile created later, never directly from the network.
add authentication vserver OTP-AAA SSL 0.0.0.0
bind ssl vserver OTP-AAA -certkeyName SSL

# The RfWebUI theme is what renders the /manageotp device-registration page; without this binding
# the page is not shown (verify on your build).
bind authentication vserver OTP-AAA -portaltheme RfWebUI
# Login schema selection: the manageotp schema (cookie + internal subnet) is evaluated first at
# priority 100; everything else gets the dual-factor form at priority 110.
bind authentication vserver OTP-AAA -policy Single_Manage_OTP-lschemapol -priority 100 -gotoPriorityExpression END
bind authentication vserver OTP-AAA -policy Dual_OTP-lschemapol -priority 110 -gotoPriorityExpression END
# Factor 1: LDAP password via Corp-Adv; on success continue to the OTP policy label as factor 2.
bind authentication vserver OTP-AAA -policy Corp-Adv -priority 100 -nextFactor OTP_pollabel -gotoPriorityExpression NEXT

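# Traffic policy: user attribute 1 is handed to StoreFront as the SSO password (the post does not say
# what attribute 1 holds - presumably the LDAP password from the first factor; confirm).
# HTTP.REQ.USER is the deprecated expression family; AAA.USER is its replacement with the same
# attribute index. TODO(review): confirm AAA.USER.ATTRIBUTE(1) is accepted on your 12.1 build.
add vpn trafficAction OTP-trafficprofile http -passwdExpression "AAA.USER.ATTRIBUTE(1)"
add vpn trafficPolicy OTP-trafficpol true OTP-trafficprofile

# The authentication profile hands the Gateway's logon off to the OTP-AAA vserver (nFactor).
# The GUI steps in this post also set an Authentication Host of citrix.mycorp.com; this CLI line
# does not - add the matching option if the two configurations should be equivalent.
add authentication authnProfile OTP-authnprofile -authnVsName OTP-AAA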

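#add vpn vserver Gateway.corp.com SSL 10.2.5.220 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile OTP-authnprofile
# Switch the existing Gateway vserver to nFactor by attaching the authentication profile.
set vpn vserver VirtualServer -downStateFlush DISABLED -Listenpolicy NONE -authnProfile OTP-authnprofile
# WARNING(review): once an SSL profile is bound, the profile's protocol and cipher settings are the
# ones in effect; the per-vserver hardening from steps 8-10 (no SSLv3/TLS1.0/TLS1.1, SecureCiphers
# only) no longer applies unless the same settings are configured on ns_default_ssl_profile_frontend
# (or a copy of it). Verify with 'show ssl vserver VirtualServer' after this line.
set ssl vserver VirtualServer -sslProfile ns_default_ssl_profile_frontend
#add vpn sessionAction "Receiver For Web" -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront2.corp.com/Citrix/StoreWeb" -ntDomain corp.local -clientlessVpnMode OFF -storefronturl "https://storefront2.corp.com"
#add vpn sessionPolicy "Receiver For Web" "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" "Receiver For Web"
bind vpn vserver VirtualServer -portaltheme RfWebUI
# Removed the bind of session policy "Receiver For Web": it only exists as the commented-out example
# above, so the bind fails, and the basic config already binds PL_OS_Receiver / PL_WB_Web (step 13).
bind vpn vserver VirtualServer -policy OTP-trafficpol -priority 100 -gotoPriorityExpression END -type REQUEST


#Remove & Cleanup
# The classic LDAP policy comes off the Gateway vserver now that authentication is delegated via
# the authnProfile; leaving both bound is ambiguous about which one authenticates users.
unbind vpn vserver VirtualServer -policy LDAP_Pol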

 

If we follow JG Spier's screenshots it works, but we were hoping to script the whole thing to reduce errors:

 

1.  Configuration, Security, AAA - Application Traffic, Virtual Servers, Add, Name: authvs, IP address Type: Non Addressable, OK, Certificate, No Certificate, Server Certificate Binding (Select Server Certificate) Click to select >, Check SSL (anyone), Select, Bind, Close, Continue, Continue, + Portal Themes (on right side), Portal Theme (Select RfWebUI), OK, Done
2.  Configuration, Security, AAA - Application Traffic, Authentication Profile, Add, Name: otp_auth_vs, Authentication Host: citrix.mycorp.com, Authentication Virtual Server (Click to select) >, Check authvs, Select, Create
3.  Configuration, Citrix Gateway / Netscaler Gateway, Virtual Servers, Edit the existing virtual server, + Authentication Profile (on right side), select otp_auth_vs, OK, Done
4.  Configuration, Security, AAA - Application Traffic, Policies, Authentication, Advanced Policies, Policy, Add, Name: ldap_auth, Action Type: LDAP, Action, Add, Create Authentication LDAP Server, Name: ldap_auth, Server IP, IP address:  192.168.1.10, Security Type: PLAINTEXT, Port: 389, Server Type: AD, Base DN: dc=mycorp,dc=com, Administrator Bind DN: ctxadmin@mycorp.com, Administrator Password: ADMINPassword123$, Confirm Password: ADMINPassword123$, Press “Test LDAP Reachability”, Server Logon Name Attribute: sAMAccountName, Create, Expression: true, Create
5.  Configuration, Security, AAA - Application Traffic, Policies, Authentication, Advanced Policies, Policy, Add, Name: otp_validation, Action Type: LDAP, Action, Add, Create Authentication LDAP Server, Name: ldap_auth (use a distinct name here, e.g. otp_validation, since ldap_auth already exists from step 4), Server IP, IP address:  192.168.1.10, Security Type: PLAINTEXT, Port: 389, Server Type: AD, Un-Check: Authentication, Base DN: dc=mycorp,dc=com, Administrator Bind DN: ctxadmin@mycorp.com, Administrator Password: ADMINPassword123$, Confirm Password: ADMINPassword123$, Press “Test LDAP Reachability”, Server Logon Name Attribute: sAMAccountName, OTP: Secret: userParameters, Create, Expression: true, Create
6.  Configuration, Security, Login Schema, Add, Name: otp_login, Profile: Add, Create Authentication Login Schema, Name: otp_dualauth, Authentication Schema: Click Pencil icon, Double Click LoginSchema Folder to expand list, Select: DualAuthOrOTPRegisterDynamic.xml, Create, Rule: true, Create
7.  Configuration, Security, Login Schema, Add, Name: otp_management, Profile: Add, Create Authentication Login Schema, Name: otp_management, Authentication Schema: Click Pencil icon, Double Click LoginSchema Folder to expand list, Select: SingleAuthManageOTP.xml, Create, Rule: http.REQ.COOKIE.VALUE("NSC_TASS").eq("manageotp"), Create
8. Configuration, Security, AAA - Application Traffic, Virtual Servers, Edit authvs, Advanced Authentication Policies, Click No Authentication Policy,  Policy Binding, Select Policy Binding >, Check ldap_auth, Select, Select Next Factor, Click to select >, Add, Name: otp_factor, Continue, Policy Binding, Select Policy, Click to select >, Check otp_validation, Select, Bind, Done, Check otp_factor, Select, Bind
9. Configuration, Security, AAA - Application Traffic, Virtual Servers, Edit authvs, + Login Schema (on right side), Login Schemas, Click No Login Schema, Policy Binding, Select Policy, Click to select >, Check otp_management, Select, Bind,  Login Schemas, Click 1 Login Schema, Authentication Login Schema Policy, Add Binding, Policy Binding, Select Policy, Click to select >, check otp_login, Select, Bind, Close, Done
