Customize password label on Radius dialog nFactor



Hello,

 

We are using Citrix NetScaler ADC 12.1 with two-factor authentication via nFactor.

After logon via username and LDAP password, the next screen shows up to enter the token code sent via RADIUS.

 

In the screen to enter the token code there is still "password" (or here in German "Kennwort"; see attached screenshots).

 

Is there a way to change "password" to "token"? Some of our users try to enter their LDAP password instead of their token ;-(

 

I can't find any way in the Netscaler configuration/login schema to change it.

 

Kind regards
Jens

[Attachments: 1_ldap.png, 2_token.png]


Are you using nfactor policies or a portal theme?

 

If using a portal theme (default or other), you can create a custom instance and adjust the username/password/token field names in the portal theme. It has fields on the login page and the language tabs.

 

If you are using nfactor policies, then you want to look at your policy bindings first and see which loginschema is in use on the AAA vserver default binding or any next factors (aka policy labels). You can then edit the login schema (or a custom copy) to change the name.

 

In the file system, default schemas are typically located at: /nsconfig/loginschema/LoginSchema (the second directory, though I may have reversed the case between the first and second reference). Typically, you don't customize the actual default files, but create a copy, move it up one level to the first directory and increment the file name for your own sanity to: /nsconfig/loginschema/

Then you can reference the schema in the aaa vserver or policy labels. Once a policy label has a login schema assigned, you can't change the schema it references without creating a new next factor/policy label. But if the file it is referencing changes, you can get an update.

 

Schema bindings look like policy bindings in the command line, so I tend to make sure my schema "policies" have lschema_<name> in the name, just to make it easy to find.

You can search your running config for references like:

show ns runningconfig | grep ".xml" -i    ## should find any schema actions pointing to a specific xml file

show ns runningconfig | grep "authentication vserver <vservername>" -i    ## should let you see the complete aaa binding including its policies and default login schema if set

show ns runningconfig | grep "authentication policylabel" -i    ## should find any next factors created so you can also see if any schema is in use.

 

Once you identify the schema, you can use the GUI's schema editor to make simple cosmetic edits to the file in question. Be sure to highlight the schema you need to use and then click "select" to set the new file reference.

So go to the loginschema under the AAA - Application Traffic feature.

Choose loginschema > action.  Select a schema "action" in question and choose "edit" to get to the gui editor.

 

 

If your AAA config was built with the Nfactor Visualizer, then you may have to edit from the "flow" pane instead.

 


Thank you for your detailed answer. We've tried to customize the loginschema as described, but didn't get it to work.

We use the nfactor policies and use SingleAuthDoPush.xml as "Authentication Schema". But there is no way to customize the second screen after "username/password".
So we think the entries made in the XML are used via JavaScript in the next page.

 

What we can't figure out is what schema is used for the second screen after username/password (see screenshot where LSCHEMA_INT has noschema).

 

Or do you have any other ideas?

Here is the output of the cli:

> show ns runningconfig | grep ".xml"   -i
add authentication loginSchema TokenAuthPush -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthDoPush.xml" -userExpression "AAA.USER.ATTRIBUTE(1)" -passwdExpression "AAA.USER.ATTRIBUTE(2)" -userCredentialIndex 1 -passwordCredentialIndex 2 -SSOCredentials YES
bind cmp global ns_adv_nocmp_xml_ie -priority 8700 -gotoPriorityExpression END -type RES_DEFAULT
add appfw XMLContentType ".*/xml" -isRegex REGEX
add appfw XMLContentType ".*/.*\\+xml" -isRegex REGEX
add appfw XMLContentType ".*/xml-.*" -isRegex REGEX
> show ns runningconfig | grep "authentication vserver <VSERVER>" -i
add authentication vserver VSERVERSSL 0.0.0.0
bind authentication vserver VSERVER -portaltheme RuV-BKK-CI
bind authentication vserverVSERVER -policy TokenAuthPush -priority 100 -gotoPriorityExpression END
bind authentication vserver VSERVER  -policy AAA-LDAP -priority 100 -nextFactor SCHEMA_RADIUS -gotoPriorityExpression NEXT
> show ns runningconfig | grep "authentication policylabel" -i
add authentication policylabel SCHEMA_RADIUS -loginSchema LSCHEMA_INT
bind authentication policylabel SCHEMA_RADIUS -policyName AAA-Radius -priority 100 -gotoPriorityExpression END

[Attachment: loginschema.png]


lschema_int is the default implicit schema and will be used in some cases.

If you had no schema defined at all, but you had a single factor ldap policy on the authentication vserver, it would default to a username/password prompt.

If you had an ldap/radius policy bound but no schema, it would default to the default username/password/token schema.

It looks like in your case it then defaults to the username/password and then a separate radius prompt.

 

You're not going to change the lschema_int. For details, see this article:

https://support.citrix.com/article/CTX222713 (see the section where it defines lschema_int and then the "passthrough factor/label" section).

Basically, your config is relying on a default "implicit" behavior and schemas that don't point to xml files (or not ones you can edit).

 

So, if you want to change the "implicit" behavior, the easiest way is to create your own schema instances and explicitly bind them instead of relying on the "default" behavior.

  • Create a schema for the radius prompt using a custom copy of the singleauth.xml schema and then edit the "password" field name.
  • Create a new policylabel/next factor bind point and assign the radius schema to it. Then bind the "radius authe policy" to this policy label.
  • Change your ldap policy binding on the authe vserver to now point to the new policy label as its "next factor".
  • If you want to make changes to the username/password field (OR change it to one prompt) then additional changes are needed.

So, question:

1) [Opt A]: Do you want to do a single prompt for username/password/radius as one interface (it would still be a two-factor authentication requirement)?

2) [Opt B]: Or do you want the two-stage login where users get username/password first and then a second screen for the radius token only? This would be done similar to your current implementation, but you would need to point to your own separate custom schema for the second pass. A little harder than Option A.

 

There are several variations. I've grabbed a few examples of nfactor below. None of them are your exact scenario; they tend to do more. But the pieces should give you examples.

This article does more than you need, but it does have an example of a user login page with username/password/radius as a two-factor binding. You would just skip the initial group extraction and other scenarios: https://support.citrix.com/article/CTX220793. It shows the parts relevant to [Opt A] though.

Carl Stalhood has other examples: https://www.carlstalhood.com/nfactor-authentication-citrix-gateway-13/

Additional radius example (but with name format conversion), where the radius is done after the username/password is processed: https://support.citrix.com/article/CTX231525 (so, not exactly what you need, but in the ball park). Closer to the flow described in [Opt B].
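The first bullet of the Option B recipe above (copy the singleauth schema, relabel the "password" field) done with a script, added here as an example that is not part of this thread or of Citrix's own tooling. The embedded SAMPLE_SCHEMA is a constructed fragment laid out like SingleAuth.xml (AuthenticateResponse / Requirements / Requirement / Credential / Label is the assumed element layout; the real file carries more nodes), and the relabel helper refuses to write a copy when the requested Credential/ID is not present.

```python
import xml.etree.ElementTree as ET

NS = "http://citrix.com/authentication/response/1"
ET.register_namespace("", NS)  # keep the default namespace unprefixed on output

# Constructed sample laid out like SingleAuth.xml; the real schema has more nodes.
SAMPLE_SCHEMA = f"""<AuthenticateResponse xmlns="{NS}">
  <Status>Success</Status>
  <Result>More-Info</Result>
  <AuthenticationRequirements>
    <Requirements>
      <Requirement>
        <Credential><ID>passwd</ID><Type>password</Type></Credential>
        <Label><Text>Password</Text><Type>plain</Type></Label>
        <Input><Text><Secret>true</Secret><Constraint>.+</Constraint></Text></Input>
      </Requirement>
      <Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>Log On</Button></Input></Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>
"""
Q = {"n": NS}

def label_for(schema_xml, credential_id):
    """Return the Label/Text shown for the requirement with this Credential/ID, or None."""
    for req in ET.fromstring(schema_xml).iterfind(".//n:Requirement", Q):
        if req.findtext("n:Credential/n:ID", default="", namespaces=Q) == credential_id:
            return req.findtext("n:Label/n:Text", default="", namespaces=Q)
    return None

def relabel_credential(schema_xml, credential_id, new_label):
    """Return the schema with that requirement's Label/Text replaced; the Input
    element (Secret=true etc.) is untouched. Raises if the ID is not present, so
    a typo never silently leaves the old 'Password' label in place."""
    root = ET.fromstring(schema_xml)
    hits = [r for r in root.iterfind(".//n:Requirement", Q)
            if r.findtext("n:Credential/n:ID", default="", namespaces=Q) == credential_id]
    if not hits:
        raise ValueError(f"no requirement with Credential/ID {credential_id!r}")
    for req in hits:
        req.find("n:Label/n:Text", Q).text = new_label
    return ET.tostring(root, encoding="unicode")

def write_custom_schema(src_path, dst_path, new_label="Token"):
    """Copy e.g. /nsconfig/loginschema/LoginSchema/SingleAuth.xml to your own
    /nsconfig/loginschema/<name>.xml with the passwd prompt relabelled."""
    with open(src_path, "rb") as f:
        data = f.read()
    with open(dst_path, "w", encoding="utf-8") as f:
        f.write(relabel_credential(data, "passwd", new_label))
```

The written copy is what you then reference from a new loginSchema action and bind to the radius policy label, as the bullets above describe.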

 


Thanks a lot. That's it. We couldn't find any way to change the default schema. You've explained to us why.

 

We're using option B, so first username/password; after that the user receives a token code to enter in the radius page.

 

We have now tried it out as described, but no token is sent using any other schema than noschema. Also using an unmodified
schema (like SingleAuth.xml or something else), no token was sent via RADIUS. Reverting to noschema, the token was sent
via RADIUS. Strange.

 

By the way, do you know where to set the default timeout in nfactor when the radius token page stops because of inactivity?
We've counted it and it must be 3 minutes. But nowhere can we find similar timeouts in any configuration. (see attachment)

[Attachments: 1_eng_err_token.png, 2_eng_err_token.png, 3_eng_err_token.png]


Here we are:

 

> show authentication vserver XXXX_XXXX_MFA_AAA
        XXXXX_XXXXX_MFA_AAA (0.0.0.0:0) - SSL       IPSet: ???      Type: CONTENT 
        State: UP  ARP:DISABLED
        Client Idle Timeout: 180 sec
        Down state flush: DISABLED
        Disable Primary Vserver On Down : DISABLED
        HTTP profile name: nshttp_default_profile
        Network profile name: ???
        Appflow logging: ENABLED
        Authentication : ON
        Device Certificate Check: ???
        CGInfra Homepage Redirect : ???
        Current AAA Sessions: 0
        Total Connected Users: 0
        Dtls : ???      L2Conn: ???
        RDP Server Profile Name: ???
        Max Login Attempts: 5    Failed Login Timeout 3
        Fully qualified domain name: ???
        PCoIP VServer Profile Name: ???
        Listen Policy: NONE
        Listen Priority: 0
        IcmpResponse: ???
        RHIstate:  ???
        Traffic Domain: 0

1)      LoginSchema Policy Name: XXX_TokenAuthPush      Priority: 100
        GotoPriority Expression: END

1)      Advanced Authentication Policy Name: AAA-LDAP   Priority: 100
        GotoPriority Expression: NEXT
        NextFactor name: SCHEMA_RADIUS_NFACTOR

1)      PortalTheme: XXX-XXX-CI
 

> show authentication loginschema
8)      Name: XXX_TokenAuthPush
        Authentication Schema: /nsconfig/loginschema/LoginSchema/SingleAuthDoPush.xml
        Username expression: AAA.USER.ATTRIBUTE(1)
        Password expression: AAA.USER.ATTRIBUTE(2)
        Username Index: 1
        Password Index: 2
        SSO Credentials: YES

9)      Name: SCHEMA_RADIUS_NFACTOR
        Authentication Schema: /nsconfig/loginschema/XXXTokenOnly.xml
        Username expression: 
        Password expression: 
        SSO Credentials: NO

 

> show authentication policy
1)      Name: AAA-LDAP
        Hits: 1174
        Undef Hits: 0
        Active: Yes

2)      Name: AAA-Radius
        Hits: 235
        Undef Hits: 0
        Active: Yes
 

> show authentication policylabel
1)      Label Name: SCHEMA_RADIUS
        Type: AAATM_REQ
        Number of bound policies: 1
        Number of times invoked: 215
        Login schema: LSCHEMA_INT

2)      Label Name: SCHEMA_RADIUS_NFACTOR
        Type: AAATM_REQ
        Number of bound policies: 1
        Number of times invoked: 20
        Login schema: SCHEMA_RADIUS_NFACTOR


Hope it helps you. We have also tested it with a default loginschema like OnlyPassword.xml and so on. But no token code was sent.
Only using "noschema" as authentication schema works :-(

 


What I need to see on the policy bindings: which vserver or policy label they are on and what next factor is specified, if any, to make sure your flow is correct.

 

# for your ldap and radius policy

show ns runningconfig | grep <policyname> -i

I just need the bind commands and not the policy actions to confirm info.

 

 


Hope that this is the information you need:

> show ns runningConfig | grep AAA-RADIUS -i
add authentication Policy AAA-Radius -rule true -action x.x.x.x_RADIUS
bind authentication policylabel SCHEMA_RADIUS -policyName AAA-Radius -priority 100 -gotoPriorityExpression END
bind authentication policylabel SCHEMA_RADIUS_NFACTOR -policyName AAA-Radius -priority 100 -gotoPriorityExpression END

 

> show ns runningConfig | grep AAA-LDAP -i
add authentication Policy AAA-LDAP -rule true -action x.x.x.x_LDAP
bind authentication vserver XXXXXXXX_MFA_AAA -policy AAA-LDAP -priority 100 -nextFactor SCHEMA_RADIUS_NFACTOR -gotoPriorityExpression NEXT
bind authentication vserver XXXXXXXX_MFA_AAA -policy AAA-LDAP -priority 100 -nextFactor SCHEMA_RADIUS -gotoPriorityExpression NEXT
 


This should help and I'll try to mock up some examples later. I know we can do it as the double auth schema, where we get ldap user/password/token on one screen and still do two-factor authentication. We do this all the time. I have to test if we can separate the radius prompt to the second authe event.

 

What is the difference here, are these different vservers?

36 minutes ago, Jens Strohschnitter1709152492 said:

bind authentication vserver XXXXXXXX_MFA_AAA -policy AAA-LDAP -priority 100 -nextFactor SCHEMA_RADIUS_NFACTOR -gotoPriorityExpression NEXT
bind authentication vserver XXXXXXXX_MFA_AAA -policy AAA-LDAP -priority 100 -nextFactor SCHEMA_RADIUS -gotoPriorityExpression NEXT
 

 

Depending on what is actually going on in the above, you might be missing the ldap, then radius invocation. Regardless, I think I can get you an example to follow.

(Because schemas bind looking like policies, and I can't tell if this is one vserver or two, things look a little confusing in it. But this is close enough, I think.)
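Since schema bindings and policy bindings look identical in the running config, here is an added example (not from the thread and not a Citrix tool) that rebuilds the per-vserver factor chain from the "show ns runningconfig" lines the replies above are grepping for: it tells schema bindings from policy bindings by checking whether the bound name is a defined loginSchema, follows each -nextFactor into its policy label, and reports which factor uses which XML file and which falls back to the implicit LSCHEMA_INT prompt. The embedded config is constructed to mirror the bindings posted in this thread; VS_MFA, VS_OLD and TokenOnly are made-up names.

```python
import shlex

SAMPLE_CONFIG = """
add authentication loginSchema TokenAuthPush -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthDoPush.xml"
add authentication loginSchema TokenOnly -authenticationSchema "/nsconfig/loginschema/TokenOnly.xml"
add authentication policylabel SCHEMA_RADIUS -loginSchema LSCHEMA_INT
add authentication policylabel SCHEMA_RADIUS_NFACTOR -loginSchema TokenOnly
bind authentication policylabel SCHEMA_RADIUS -policyName AAA-Radius -priority 100 -gotoPriorityExpression END
bind authentication policylabel SCHEMA_RADIUS_NFACTOR -policyName AAA-Radius -priority 100 -gotoPriorityExpression END
bind authentication vserver VS_MFA -policy TokenAuthPush -priority 100 -gotoPriorityExpression END
bind authentication vserver VS_MFA -policy AAA-LDAP -priority 100 -nextFactor SCHEMA_RADIUS_NFACTOR -gotoPriorityExpression NEXT
bind authentication vserver VS_OLD -policy AAA-LDAP -priority 100 -nextFactor SCHEMA_RADIUS -gotoPriorityExpression NEXT
"""

def _opts(tokens):  # ['-policy', 'X', '-priority', '100'] -> {'policy': 'X', 'priority': '100'}
    return {tokens[i][1:]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}

def resolve_flows(config_text):
    """Map each AAA vserver to its factor chain [{policy, label, schema}, ...]; 'schema' is
    the XML file behind that factor, or 'implicit' for the built-in LSCHEMA_INT/no-schema prompt."""
    schema_file, label_schema, vs_schema, label_pols, vs_pols = {}, {}, {}, {}, {}
    for line in config_text.splitlines():
        t = shlex.split(line)
        if len(t) < 4 or t[1] != "authentication":
            continue
        verb, obj, name, o = t[0], t[2].lower(), t[3], _opts(t[4:])
        if verb == "add" and obj == "loginschema":
            schema_file[name] = o.get("authenticationSchema", "noschema")
        elif verb == "add" and obj == "policylabel":
            label_schema[name] = o.get("loginSchema", "LSCHEMA_INT")
        elif verb == "bind" and obj == "policylabel":
            label_pols.setdefault(name, []).append((o["policyName"], o.get("nextFactor")))
        elif verb == "bind" and obj == "vserver" and "policy" in o:
            # schema bindings look exactly like policy bindings; tell them apart by name
            if o["policy"] in schema_file:
                vs_schema[name] = o["policy"]
            else:
                vs_pols.setdefault(name, []).append((o["policy"], o.get("nextFactor")))
    def describe(schema):  # LSCHEMA_INT / no schema policy = the built-in prompt you cannot relabel
        return "implicit" if schema in (None, "LSCHEMA_INT") else schema_file.get(schema, "undefined:" + schema)
    flows = {}
    for vs, pols in vs_pols.items():
        chain = []
        for pol, nxt in pols:
            chain.append({"policy": pol, "label": None, "schema": describe(vs_schema.get(vs))})
            while nxt:  # follow next factors until a label ends the flow
                bound = label_pols.get(nxt, [])
                chain += [{"policy": p, "label": nxt, "schema": describe(label_schema.get(nxt))} for p, _ in bound]
                nxt = bound[0][1] if bound else None
        flows[vs] = chain
    return flows
```

Feed it the real output of the three grep commands from earlier in the thread; a factor that comes back as "implicit" is the one whose prompt text no schema edit will change.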

 


Sorry for the confusion. Yes, these are two separate vservers. The changes with the loginschema as described by you above are only set in this vserver:

bind authentication vserver XXXXXXXX_MFA_AAA -policy AAA-LDAP -priority 100 -nextFactor SCHEMA_RADIUS_NFACTOR -gotoPriorityExpression NEXT

The other one is still running with "noschema".


PS:
We do need a second screen for the RADIUS, because the token is sent (via SMS or e-mail) by RADIUS only if the LDAP authentication in the first screen is correct.


  • 4 months later...

Hi Jens, made some progress: found the text is located in /var/netscaler/logon/LogonPoint/receiver/js/ctxs.core.min.js

 

If you do a search for ns_dialogue:"Password"

 


 

For testing, I changed the text to something random and the text appeared on the RADIUS challenge screen. From my interpretation the RADIUS challenge is outside of the nFactor setup, hence there's no option to change it in the GUI.

 

Just doing further testing to see if the text is used anywhere else in the logon flow, but at this stage it looks positive.

 

Rob


Hi Jens, found a better solution for the edit so it's localised to the theme applied: in the theme folder /var/netscaler/logon/themes/CUSTOMTHEME/, where CUSTOMTHEME is your applied theme, there are some strings."language".json files. If you add the ns_dialogue label with your desired text into these, the text will change.

 

e.g. add to the respective .json file: "ns_dialogue":"YOUR TEXT HERE"
