
Has anyone integrated AD & Azure MFA (without AD FS) as 2-Factor solution for Citrix Gateway access to on-prem CVAD?


Ken Z


Hi

I've got a working Citrix CVAD 1912 farm with NetScaler ADC as the front end for remote users, using single-factor authentication with on-prem Active Directory.

I've already got Office 365/Microsoft 365 E5 licenses with Azure AD Connect installed and working, syncing accounts and passwords to Office 365.

I want to leverage Azure MFA as the 2nd factor on the NetScaler.

I don't want to install AD FS onto the environment.

I've done it in the past for a pure RDS farm by configuring the RDGateway/RDWeb services to use the Azure NPS Extensions talking to Office 365, so I believe I've got the NPS plus Extensions installed correctly, and the NetScaler can talk to the NPS server when creating the RADIUS policy, but I can't get it to authenticate. (NOTE: I've got my test account configured correctly for MFA, as I can log onto my Office 365 account using Azure MFA, and I can log onto the NetScaler with it if I disable the secondary RADIUS authentication on it.)

Can anyone suggest a good reference article on how to achieve this?

Regards

Ken Z


Hi,

I have some questions to understand your problem in more detail:

  • Are you using Citrix Gateway Classic or nFactor design?
  • Is Windows Network Policy Server with the Azure MFA plugin installed? Internet connectivity is required.
  • Are your users connected to Azure AD and enabled for Azure MFA?

Maybe you can share your NetScaler configuration for the gateway/RADIUS configuration. Did you see any log entries when logging in (aaad.log)?

If you have problems with the NPS installation, you can try my automation script:

https://github.com/DanielWep/InstallScript-for-AzureMFA-NPS

Cheers,
Daniel

https://danielweppeler.de


21 minutes ago, Daniel Weppeler1709159306 said: (quoting the post above)

Dan

I've already mentioned in my post that I've installed NPS + the extensions before, and I'm happy that that bit works. It's got internet connectivity, because that was needed during installation.

I've also mentioned in my post that my test account is set up correctly for MFA authentication to Azure AD.

Your first question is relevant... I've also got a 2FA authentication virtual server set up, using on-prem AD and RSA Authentication Manager, which is using Basic Authentication (Classic) rather than Authentication Profiles (Default/nFactor), and I was just trying to do a duplicate of that, replacing the 2nd factor with a new RADIUS authentication pointing to the NPS server.

I'm currently investigating apain757's link, but that requires a SAML configuration. I was hoping to keep the config as simple as possible (big believer in the KISS principle), but if that's the only way....

Regards

Ken Z


Hi Guys

Thanks for everyone's responses. A few more details on my setup...

I used the following guide for setting up NPS: https://lalmohan.co.nz/2020/06/08/integrate-azure-mfa-with-netscaler-gateway-for-two-factor-authentication/

This appeared to indicate that I could use NetScaler + NPS + Extensions without SAML, AD FS, etc., which is what I was trying to achieve.

I'm using Basic (Classic) Authentication rather than nFactor/Authentication Policies (but that's another issue).

Primary authentication is LDAPS. Secondary authentication is RADIUS.

If I remove the secondary authentication, my test user can log on successfully to the NetScaler.

Additionally, my test user can log onto portal.office.com successfully using MFA, so to me that indicates that their account in AD is good, and their Azure MFA is also set up correctly.

When enabling RADIUS auth as the 2nd authentication on NetScaler and looking at the AuthZ\AuthZOptCh event logs, I'm seeing the following when trying to authenticate:

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User *********** with response state AccessReject, ignoring request.

So the NPS server is getting the request, but thinks that the primary auth hasn't succeeded (it has, according to aaad.debug).

Still investigating...

Regards

Ken Z

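The event above says the extension never ran MFA because NPS itself had already answered Access-Reject, so the thing to isolate is what NPS returns to a plain RADIUS request with the ADC out of the path. The script below is an added example, not code from anyone in this thread or from Citrix/Microsoft: it builds one PAP Access-Request per RFC 2865 (with the RFC 3579 Message-Authenticator attribute), sends it to NPS on UDP/1812 and classifies the reply. It assumes the host it runs from is registered on NPS as a RADIUS client with the same shared secret (NPS matches clients by source IP, which is Carl's NSIP point) and that the network policy allows PAP; host, user, password and secret are placeholders you supply.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def pap_encrypt(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int,
                         req_auth: bytes, nas_ip: str = "127.0.0.1") -> bytes:
    # User-Name(1), User-Password(2), NAS-IP-Address(4), then Message-Authenticator(80) = HMAC-MD5 with its value zeroed
    attrs = attr(1, user) + attr(2, pap_encrypt(password, secret, req_auth)) + attr(4, socket.inet_aton(nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18)
    mac = hmac.new(secret, header + req_auth + attrs + attr(80, bytes(16)), hashlib.md5).digest()
    return header + req_auth + attrs + attr(80, mac)


def response_authenticator(header: bytes, attrs: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def classify_response(resp: bytes, req_auth: bytes, secret: bytes) -> str:
    # 'bad-authenticator' = reply does not verify under our secret (secret mismatch on either side, or a spoofed reply)
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    if resp[4:20] != response_authenticator(resp[:4], resp[20:length], req_auth, secret):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}.get(code, "unknown")


def probe_nps(host: str, user: str, password: str, secret: str, timeout: float = 60.0) -> str:
    # Long timeout: with the MFA extension active, NPS only answers after the push is approved or times out
    req_auth = os.urandom(16)
    pkt = build_access_request(user.encode(), password.encode(), secret.encode(), 1, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, 1812))
        resp, _ = sock.recvfrom(4096)
    return classify_response(resp, req_auth, secret.encode())
```

Call probe_nps("nps.example.internal", "testuser", "password", "shared-secret") from the registered client host: "bad-authenticator" means the shared secrets differ, while "reject" alongside the extension's "AccessReject, ignoring request" event points at the NPS connection request or network policy rather than at Azure MFA.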

Some more info...

Running the NPS Extension Health Check script (https://docs.microsoft.com/en-us/samples/azure-samples/azure-mfa-nps-extension-health-check/azure-mfa-nps-extension-health-check/) and running test (0) indicates that the issue is with the NPS server and not the MFA extensions...

NOTE: I'd also applied the regkey shown here earlier in the day, from an article that implied MS-CHAPv2 error 691 might be being caused by that...

https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/lt2p-ipsec-ras-vpn-connections-fail

Finally, after rebooting the NPS server and setting the RADIUS as the first authentication entry, I'm still getting the same error:

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User *********** with response state AccessReject, ignoring request.

Need to get to the bottom of why NPS is telling the Extensions that the user isn't authenticated...

Regards

Ken Z


Guys,

Thank you all for your input, and apologies for the delay in responding.

I was setting this up for a customer who has an MPX5901 with a standard platform license, so the AAA feature was not licensed, which is why I had to use Basic Authentication.

Secondly, they told me that all relevant firewall ports had been opened up between the NPS server and Azure.

I've spent the last 24 hours setting up a duplicate configuration in my test lab (same firmware NetScaler, same license, full build of CVAD 1912 CU2, different Office tenancy but with MFA enabled on the test account - mobile app authentication set, so no need to use a passcode), but the main difference is that there is no filtering configured outbound from my test lab.

Using the article https://lalmohan.co.nz/2020/06/08/integrate-azure-mfa-with-netscaler-gateway-for-two-factor-authentication and following it exactly step by step, the Azure MFA authentication now works through the NetScaler (without SAML), so it looks like a firewall/communications issue on the customer site.

If anyone else needs a simple, Azure MFA-enabled NetScaler authentication solution, I would recommend the above article, but bear in mind outbound communications.

Regards

Ken Z


On 2/2/2021 at 1:32 PM, Carl Stalhood1709151912 said:

Is the ADC NSIP added as a RADIUS client on the NPS server?

Carl

It looks like the problem turned out to be outbound filtering stopping the NPS communicating with Azure properly...

Regards

Ken Z
