
Fortinet Radius And Citrix ADC Push Notification



We use RADIUS authentication with the Forti RADIUS server. This also works great when a token is entered into the field. Now we want a push to the mobile phone if we leave the field empty. But exactly that does not happen. Do you need any special settings on the ADC?

The message on the login page with the second factor obviously comes directly from the Radius server:

"Enter token code or no code to send a notification to your FortiToken Mobile"

Anyone have any suggestions? 


That should be handled by the Forti server. I suggest that you turn on the authentication daemon by opening up a PuTTY session to the management IP of the ADC, and then entering:
shell

cat /tmp/aaad.debug

That will show you the traffic from the NetScaler to LDAP and then to the Forti server. You should see traffic being sent when you hit enter above with a blank token code. Then it's up to the Forti server to send out the push. If it's not sending it out, you might need to get their tech support involved.


I have the log from the ADC, but I think it might be the ADC after all, because the Forti server reports that an FTM push trigger should be sent. But apparently that's not happening. Maybe something needs to be changed on the ADC? Thank you.

Log from the Forti server:

This is a response to Access-Challenge

Check if request contains FTM push trigger

Request contains token code

Log from the Citrix ADC:

/home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[772]: continue_radius_auth 0-66110: RADIUS auth: Starting RADIUS authentication for user e******* @ xx.4.32.xxx
Fri Jun  5 10:56:32 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[671]: make_radius_request 0-66110: RADIUS auth: Making radius request for user e*******
Fri Jun  5 10:56:32 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[5662]: register_timer 0-66110: setting timer 4919
Fri Jun  5 10:56:32 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2061]: process_radius 0-66110: Got RADIUS event
Fri Jun  5 10:56:32 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[5739]: unregister_timer 0-66110: releasing timer 4919
Fri Jun  5 10:56:32 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2195]: process_radius 0-66110: RADIUS auth: RADIUS challenges : e*******
Fri Jun  5 10:56:33 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[696]: main 0-0: timer 2 firing...
Fri Jun  5 10:56:33 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[901]: process_kernel_socket 0-66111: partition id is 0
Fri Jun  5 10:56:33 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[671]: make_radius_request 0-66111: RADIUS auth: Making radius request for user e*******
Fri Jun  5 10:56:33 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[5662]: register_timer 0-66111: setting timer 4920
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2061]: process_radius 0-66111: Got RADIUS event
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[5739]: unregister_timer 0-66111: releasing timer 4920
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2177]: process_radius 0-66111: Received RAD_ACCESS_REJECT for: e*******
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2020]: process_rad_reject 0-66111: RADIUS auth: Processing RADIUS reject for user e*******, MS Attr: 26
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2020]: process_rad_reject 0-66111: RADIUS auth: Processing RADIUS reject for user e*******, MS Attr: 17
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2020]: process_rad_reject 0-66111: RADIUS auth: Processing RADIUS reject for user e*******, MS Attr: 16
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2020]: process_rad_reject 0-66111: RADIUS auth: Processing RADIUS reject for user e*******, MS Attr: 7
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2020]: process_rad_reject 0-66111: RADIUS auth: Processing RADIUS reject for user e*******, MS Attr: 8
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2184]: process_radius 0-66111: RADIUS auth: Authentication failed for user e******* from server xx.4.32.xxx - Invalid Credentials
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[4781]: send_reject_with_code 0-66111: Not trying cascade again 4001
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[4783]: send_reject_with_code 0-66111: sending reject to kernel for : e*******
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[4801]: send_reject_with_code 0-66111: Rejecting with error code 4001


I think you need to speak to their tech support. Their message seems to imply that you simply press enter to have a push sent, but it is clearly rejecting the blank, thinking that you entered a token code, and is explicitly rejecting it. Maybe you need to enter the words "No code" into the field ...?? Leaving it blank is obviously not working.

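Added example, not part of the thread and not Citrix or Fortinet code: a small parser that groups the aaad.debug output posted above by session id, so the sequence described in the reply (a challenge on one session, then a reject on the answer to it) can be read off directly. The message patterns are copied from the posted log and are assumed to be worded the same on other builds; the function names are hypothetical.

```python
import re

# Constructed excerpt: lines copied from the aaad.debug log posted in this thread.
SAMPLE = """\
/home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[671]: make_radius_request 0-66110: RADIUS auth: Making radius request for user e*******
Fri Jun  5 10:56:32 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2195]: process_radius 0-66110: RADIUS auth: RADIUS challenges : e*******
Fri Jun  5 10:56:33 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[696]: main 0-0: timer 2 firing...
Fri Jun  5 10:56:33 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[671]: make_radius_request 0-66111: RADIUS auth: Making radius request for user e*******
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/radius_drv.c[2177]: process_radius 0-66111: Received RAD_ACCESS_REJECT for: e*******
Fri Jun  5 10:56:34 2020
 /home/build/rs_121_55_4_RTM/usr.src/netscaler/aaad/naaad.c[4801]: send_reject_with_code 0-66111: Rejecting with error code 4001
"""

LINE = re.compile(r"^\s*\S+\.c\[\d+\]: (?P<func>\w+) (?P<sid>\d+-\d+): (?P<msg>.*)$")
# Assumption: message wording as in the posted log; other builds may differ.
EVENTS = [
    ("request", re.compile(r"Making radius request for user (\S+)")),
    ("challenge", re.compile(r"RADIUS challenges : (\S+)")),
    ("reject", re.compile(r"Received RAD_ACCESS_REJECT for: (\S+)")),
]
CODE = re.compile(r"Rejecting with error code (\d+)")

def trace(text):
    """Return one dict per aaad session that carried RADIUS events, in log order."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # timestamp line or unrelated output
        s = sessions.setdefault(m["sid"], {"sid": m["sid"], "user": None, "events": [], "code": None})
        for name, rx in EVENTS:
            if (hit := rx.search(m["msg"])):
                s["events"].append(name)
                s["user"] = hit.group(1)
        if (code := CODE.search(m["msg"])):
            s["code"] = int(code.group(1))
    return [s for s in sessions.values() if s["events"]]

def rejected_challenge_replies(sessions):
    """(challenge sid, reply sid) pairs where the answer to a challenge was rejected."""
    return [(p["sid"], c["sid"]) for p, c in zip(sessions, sessions[1:])
            if p["user"] == c["user"] and p["events"][-1:] == ["challenge"] and "reject" in c["events"]]

if __name__ == "__main__":
    print(rejected_challenge_replies(trace(SAMPLE)))
```
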

  • 2 weeks later...
On 6/8/2020 at 3:56 PM, Andreas Nick said:

Thanks Sam, we first opened a ticket at Forti and see what happens.

I did the same 1 year ago, but got no solution for the problem. I see other vendors changed the login GUI of the NetScaler to choose the login with push/passcode...

But I am still waiting for a solution with the push token.
