
OTP not working correctly after adding whitelist restrictions

Matt Cameron


I am having OTP issues with both 1. registering devices and 2. actually signing in using a registered device that tested ok using the UI. I think they are both from the same issue but I will not claim to know what I am doing hence me being here. 


1. I have the /manageotp only accessible via an internal IP set which is managed by a dataset called ns_whitelist. Users can only access the site if they have not registered a device, i.e. the first time works fine and they can register a mobile device and the test works ok. When that same user tries to go back to the site they get "Try again or contact your help desk". In the output from /tmp/aaad.debug I see the successful ldap lookup and at the end 

receive_ldap_user_search_event 0-154: Authentication is disabled for user 'username', finishing ldap authentication

2. When challenged by the dual factor OTP schema the user just gets "Try again or contact your help desk". 


90% of this was set up using the instructions found: https://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/ which was very helpful. The output from /tmp/aaad.debug looks very similar to the above with the same "error" message at the end. I can see the OTP secret attribute successfully being read. 


Not sure how much information is too much information here. My authentication policies are configured as such. I could easily be omitting important information but I don't want to lose people with a vomit of my config


add authentication Policy ba.net -rule true -action ldap_BA_auth
add authentication Policy ba.net_manage_OTP -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\") && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"ns_whitelist\")" -action ldap_BA_no_auth
add authentication Policy ba.net_verify_OTP -rule true -action ldap_BA_OTP_no_auth
add authentication Policy ba.net_whitelist -rule "CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"ns_whitelist\") ||true" -action ldap_BA_auth
add authentication Policy ba.net_blacklist -rule "!CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"ns_whitelist\")" -action ldap_BA_OTP_no_auth

add authentication policylabel otp -loginSchema LSCHEMA_INT
bind authentication policylabel otp -policyName ba.net_manage_OTP -priority 100 -gotoPriorityExpression END
bind authentication policylabel otp -policyName ba.net_verify_OTP -priority 110 -gotoPriorityExpression NEXT

bind authentication vserver otp_aaa -portaltheme RfWebUI
bind authentication vserver otp_aaa -policy lschema_manage_otp -priority 80 -gotoPriorityExpression END
bind authentication vserver otp_aaa -policy auth_vs_10.90.1.102_443_whiteliset_schemapol -priority 90 -gotoPriorityExpression END
bind authentication vserver otp_aaa -policy lschema_dual_otp -priority 110 -gotoPriorityExpression END
bind authentication vserver otp_aaa -policy ba.net_manage_OTP -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver otp_aaa -policy ba.net_blacklist -priority 110 -nextFactor otp -gotoPriorityExpression NEXT
bind authentication vserver otp_aaa -policy ba.net_whitelist -priority 120 -gotoPriorityExpression END

People can still sign in with pure LDAP as long as they are in my whitelist which is working fine as intended. 
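The following is an added example, not Citrix code and not something from the original poster: a small Python simulation of the rule side of the policy chain quoted above. It re-implements only the boolean expressions from the bindings (CONTAINS_ANY as a substring check on the IP text, the NSC_TASS cookie comparison, AND/OR/NOT) and the "lowest priority number whose rule is true wins, then follow -nextFactor" walk from the vserver into the otp label. It does not model LDAP success or failure, login schemas, or gotoPriorityExpression. The contents of the ns_whitelist dataset are constructed, since the post only names it, and the subnet-based check is a hypothetical alternative for comparison. Running it shows three things that follow from the posted rules: the "|| true" makes ba.net_whitelist match every client, a client that reaches the otp label via ba.net_blacklist is by definition not whitelisted and so can never satisfy ba.net_manage_OTP inside that label, and a substring whitelist on the IP text also matches addresses such as 110.90.1.5 for a 10.90.1. entry.

```python
"""Added example (not Citrix code, not the poster's): simulate the rule side of
the nFactor policy chain quoted in the post.  Only the boolean expressions and
"lowest priority number that evaluates true wins" are modelled; LDAP success or
failure, gotoPriorityExpression and login schemas are not."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Constructed contents for the ns_whitelist dataset; the post names the
# dataset but does not show what is in it.
NS_WHITELIST = ["10.90.1.", "192.168.5.10"]


@dataclass
class Client:
    ip: str
    cookies: Dict[str, str] = field(default_factory=dict)


def contains_any(text: str, patterns: List[str]) -> bool:
    """CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(...) treats the IP as text and
    matches if any dataset entry occurs anywhere inside it (substring match)."""
    return any(p in text for p in patterns)


def whitelisted(client: Client) -> bool:
    return contains_any(client.ip, NS_WHITELIST)


def whitelisted_by_subnet(ip: str, networks: List[str]) -> bool:
    """Hypothetical alternative check: exact address/prefix membership instead of
    substring matching, so neighbouring addresses cannot match by accident."""
    return any(ip_address(ip) in ip_network(n) for n in networks)


@dataclass
class Policy:
    name: str
    priority: int
    rule: Callable[[Client], bool]
    action: str
    next_factor: Optional[str] = None  # -nextFactor on the binding, if any


def manage_otp_rule(c: Client) -> bool:
    # HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") && CONTAINS_ANY("ns_whitelist")
    return c.cookies.get("NSC_TASS") == "manageotp" and whitelisted(c)


# Bindings on authentication vserver otp_aaa, as posted
VSERVER: List[Policy] = [
    Policy("ba.net_manage_OTP", 100, manage_otp_rule, "ldap_BA_no_auth"),
    Policy("ba.net_blacklist", 110, lambda c: not whitelisted(c),
           "ldap_BA_OTP_no_auth", next_factor="otp"),
    # "CONTAINS_ANY(\"ns_whitelist\") || true" is true for every client
    Policy("ba.net_whitelist", 120, lambda c: whitelisted(c) or True, "ldap_BA_auth"),
]

# Policy label "otp", as posted
LABELS: Dict[str, List[Policy]] = {
    "otp": [
        Policy("ba.net_manage_OTP", 100, manage_otp_rule, "ldap_BA_no_auth"),
        Policy("ba.net_verify_OTP", 110, lambda c: True, "ldap_BA_OTP_no_auth"),
    ]
}


def first_match(policies: List[Policy], client: Client) -> Optional[Policy]:
    """Lowest priority number whose rule evaluates true."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.rule(client):
            return p
    return None


def walk(client: Client) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Follow first-match + nextFactor from the vserver through the labels.
    Returns (factor, policy name, action) per factor; None if nothing matched."""
    path = []
    factor, policies = "otp_aaa", VSERVER
    while policies is not None:
        p = first_match(policies, client)
        if p is None:
            path.append((factor, None, None))
            break
        path.append((factor, p.name, p.action))
        factor = p.next_factor
        policies = LABELS.get(factor) if factor else None
    return path


if __name__ == "__main__":
    for c in (Client("10.90.1.50"),
              Client("10.90.1.50", {"NSC_TASS": "manageotp"}),
              Client("203.0.113.7"),
              Client("203.0.113.7", {"NSC_TASS": "manageotp"})):
        print(c.ip, c.cookies, "->", walk(c))
    print("substring whitelist matches 110.90.1.5:", whitelisted(Client("110.90.1.5")))
    print("subnet check matches 110.90.1.5:",
          whitelisted_by_subnet("110.90.1.5", ["10.90.1.0/24"]))
```

Feeding the simulator a non-whitelisted client with the manageotp cookie set is the useful case: it takes the ba.net_blacklist path into the otp label and lands on ba.net_verify_OTP rather than ba.net_manage_OTP, because the label's manage rule re-checks the whitelist that the client already failed on the vserver. Whether that matters for the reported symptom depends on which clients are expected to reach /manageotp, which the simulation cannot tell you; it only makes the evaluation order visible.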


