Help to configure netscaler gateway 12 with 2FA DUO

Support SADIES

Hi everyone,

I have NetScaler 12.1.65 standard edition and I want to configure 2FA with Duo.

I saw this guide: http://arnaudpain.com/2020/09/08/citrix-gateway-and-duo-step-by-step-guide/#sthash.FSIJDgRg.dpbs

But I don't understand some concepts:

- I want to use only LDAP, no RADIUS server. Do I need to configure the virtual server as "radius"?

- When I try to configure the expression, the system says that it is deprecated....


Thanks

I checked, but I have ADC VPX NS12.1.65 with a standard licence. I have production users with simple authentication and I want to add 2FA.

I can't view AAA policies or any option to enable it.

I tried to configure it with https://duo.com/docs/citrix-netscaler#:~:text=Log in to the Duo,information to complete your setup.

But it does not work: the same warning message "classic authentication policies are deprecated. Please use advanced authentication policies (i.e. add/set authentication policy)".

Do I need to configure Advanced Authentication here?

[screenshot]

Is it not possible to use Duo with my version of NetScaler?


42 minutes ago, Carl Stalhood1709151912 said:

On the right is Authentication Profile. Add it. Add a new Authentication Profile. It will ask you for an Authentication Virtual Server. Click Add to create one.

I added authentication in the Authentication/Dashboard section and bound it to the vs.

[screenshot]

For your authentication profile I have:

[screenshot]

I don't know how to configure it...

I used this guide https://duo.com/docs/citrix-netscaler#configure-the-proxy-for-your-citrix-gateway and at login I get a prompt for Duo like this:

[screenshot]

I can log in, but afterwards a pop-up with this message appears:

[screenshot]

Is it something about the Content-Security-Policy header?

Thanks a lot for your help


4 hours ago, Carl Stalhood1709151912 said:

Authentication Virtual Server should be Non-Addressable.

You should have a Gateway Session Policy/Profile that enables ICA Proxy and has the address of your StoreFront store. This is typical configuration for ICA Proxy.

OK, I created two new policies and typed 'NS_TRUE' in the RADIUS authentication policy.

In my StoreFront, do I need to change auth to Domain and security token?

Some updates. I can log in using Duo but I get this error:

[screenshot]

Same error with another user not present in Duo. Is it maybe an error contacting LDAP?

If I try a username and a random password I get the normal error:

[screenshot]

I have another Virtual Server Gateway in production (without Duo) and all works fine.


On 1/18/2023 at 8:29 PM, Carl Stalhood1709151912 said:

Duo is a RADIUS proxy server. You do LDAP as your first factor and then RADIUS for the Duo second factor. See https://duo.com/docs/citrix-netscaler-nfactor

Hello again!

I continue to search for a solution, but for the moment nothing. I have tested everything.

One question... do I need to configure LDAP as primary and RADIUS as primary?

[screenshot]

The Duo prompt appears, but after confirming I get this error:

[screenshot]

If I configure RADIUS as secondary I get 2 password boxes....

Maybe the configuration of the Virtual server that checks the Duo proxy is not correct?

I have these logs in NS:

send_accept: sending accept to kernel for : test.schmutz
RADIUS auth: In process_radius: Extracted groups = (null)
process_radius: extracted group string :(null)
process_radius: RADIUS auth: RADIUS authentication successful for user: test.schmutz from server 172.16.13.40
make_radius_request: RADIUS auth: Making radius request for user test.schmutz
make_radius_request: RADIUS auth: Making radius request for user test.schmutz
continue_radius_auth: RADIUS auth: Starting RADIUS authentication for user test.schmutz @ 172.16.13.40
process_kernel_socket: call to authenticate user :test.schmutz, vsid :11431, userlen 12
process_kernel_socket: ns_aaad_decrypt_auth not done

Appreciate any idea or help. Thanks a lot

EDIT: Maybe upgrading my ADC 12.1 to 13.1 can help?

Edited by Support SADIES

On 1/19/2023 at 6:22 PM, Support SADIES said:

I added authentication in the Authentication/Dashboard section and bound it to the vs.

[screenshot]

For your authentication profile I have:

[screenshot]

I don't know how to configure it...

I used this guide https://duo.com/docs/citrix-netscaler#configure-the-proxy-for-your-citrix-gateway and at login I get a prompt for Duo like this:

[screenshot]

I can log in, but afterwards a pop-up with this message appears:

[screenshot]

Is it something about the Content-Security-Policy header?

Thanks a lot for your help

The message above shows that you are trying to launch SSL-VPN. I think you created a Unified Gateway site instead of a Citrix Gateway using the Wizard, no?

Thanks


1 hour ago, Arnaud Pain said:

The message above shows that you are trying to launch SSL-VPN. I think you created a Unified Gateway site instead of a Citrix Gateway using the Wizard, no?

Thanks

Hello,

No. It's a normal Citrix Gateway virtual server. I don't know why it tries to launch Java.

Stuck with this issue.


28 minutes ago, Arnaud Pain said:

So in this case you need to check your session Profile configuration.

Yes, finally that works!!!!

I deleted everything and reconfigured, and the Java message no longer appears.

RDWeb works fine!!

Now I can see in my Receiver that 2 password fields appear and I can't log in (incorrect password).

[screenshot]

Do I need to modify and personalise some configuration?


4 minutes ago, Support SADIES said:

Yes, finally that works!!!!

I deleted everything and reconfigured, and the Java message no longer appears.

RDWeb works fine!!

Now I can see in my Receiver that 2 password fields appear and I can't log in (incorrect password).

[screenshot]

Do I need to modify and personalise some configuration?

So here, you have 2 options:

1. Use nFactor to configure DUO and follow this article: https://duo.com/docs/citrix-netscaler-nfactor

2. Check the LDAP configuration: on LDAP-Receiver, you can uncheck authentication to hide "Mode de passe 2" (Password 2), if I am correct.

Thanks for letting me know.

Arnaud


On 1/24/2023 at 7:56 PM, Arnaud Pain said:

So here, you have 2 options:

1. Use nFactor to configure DUO and follow this article: https://duo.com/docs/citrix-netscaler-nfactor

2. Check the LDAP configuration: on LDAP-Receiver, you can uncheck authentication to hide "Mode de passe 2" (Password 2), if I am correct.

Thanks for letting me know.

Arnaud

Hi!

Option 1: I can't do it, I don't have the right NS version 13.

Option 2: I have this conf:

[screenshot]

Do I need to uncheck (in the Citrix Receiver policy) the field "Authentication"?

[screenshot]

I tested default (checked) and unchecked, but password 2 is not hidden....


5 minutes ago, Support SADIES said:

Hi!

Option 1: I can't do it, I don't have the right NS version 13.

Option 2: I have this conf:

[screenshot]

Do I need to uncheck (in the Citrix Receiver policy) the field "Authentication"?

[screenshot]

I tested default (checked) and unchecked, but password 2 is not hidden....

You don't need Firmware 13.0; 12.1-51.16 or later is enough.

I would recommend you to follow the DUO article with nFactor.


2 minutes ago, Arnaud Pain, CTP said:

You don't need Firmware 13.0; 12.1-51.16 or later is enough.

I would recommend you to follow the DUO article with nFactor.

But I don't have AAA policies with the standard licence.

But it's OK: with "authenticated" disabled in LDAP, the second password field is not visible.


6 minutes ago, Support SADIES said:

But I don't have AAA policies with the standard licence.

But it's OK: with "authenticated" disabled in LDAP, the second password field is not visible.

Perfect, but keep in mind that doing that may also have an impact: there will be no validation of the user's password, so if you enter a wrong password it may go through and you will receive "Cannot complete your request" afterwards; to be checked on your own.

Thanks

Arnaud
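The nsaaad lines pasted earlier in the thread and Arnaud's warning just above describe the same defender's check: an ADC that accepts a user on a Duo/RADIUS result alone, with no LDAP password validation recorded, is doing one factor, not two. The script below is an added example written for this page; it is not code from the thread, from Citrix or from Duo. It rebuilds per-user authentication sessions from the nine log lines as posted (a constructed copy, with the user name and RADIUS server kept as posted) and flags any accepted session whose log shows only the RADIUS factor. Two things are assumptions: that an LDAP first factor would produce a line containing "LDAP" and "successful" (no LDAP line appears in the post), and the constructed variant below that carries such a line to show the passing case.

```python
"""Rebuild nsaaad authentication sessions from NetScaler log lines and flag
accepts that show a RADIUS factor with no recorded LDAP validation.

Added example for this thread; not code from the thread, Citrix or Duo.
"""
import re

# The nine lines pasted in the thread (constructed copy, newest first, as the
# ADC prints its log tail). The parser itself does not depend on the order.
NS_LOG = """\
send_accept: sending accept to kernel for : test.schmutz
RADIUS auth: In process_radius: Extracted groups = (null)
process_radius: extracted group string :(null)
process_radius: RADIUS auth: RADIUS authentication successful for user: test.schmutz from server 172.16.13.40
make_radius_request: RADIUS auth: Making radius request for user test.schmutz
make_radius_request: RADIUS auth: Making radius request for user test.schmutz
continue_radius_auth: RADIUS auth: Starting RADIUS authentication for user test.schmutz @ 172.16.13.40
process_kernel_socket: call to authenticate user :test.schmutz, vsid :11431, userlen 12
process_kernel_socket: ns_aaad_decrypt_auth not done
"""

# Constructed variant of the same session with an LDAP validation recorded
# before the RADIUS step. The wording of the LDAP line is an ASSUMPTION; only
# the "LDAP ... successful" keywords are relied on below.
NS_LOG_WITH_LDAP = NS_LOG.replace(
    "process_kernel_socket: call to authenticate",
    "LDAP auth: LDAP authentication successful for user test.schmutz (constructed line)\n"
    "process_kernel_socket: call to authenticate",
    1,
)

# Message shapes taken from the posted lines; "ldap_ok" is the assumed one.
PATTERNS = {
    "start": re.compile(r"call to authenticate user :(?P<user>\S+), vsid :(?P<vsid>\d+)"),
    "radius_start": re.compile(r"Starting RADIUS authentication for user (?P<user>\S+) @ (?P<server>\S+)"),
    "radius_ok": re.compile(r"RADIUS authentication successful for user: (?P<user>\S+) from server (?P<server>\S+)"),
    "groups": re.compile(r"Extracted groups = (?P<groups>.+)$"),
    "accept": re.compile(r"sending accept to kernel for : (?P<user>\S+)"),
    "ldap_ok": re.compile(r"LDAP.*successful"),  # ASSUMPTION, see above
}


def new_session(user):
    return {"user": user, "vsid": None, "factors": set(),
            "radius_servers": set(), "groups": None, "accepted": False}


def parse_sessions(log_text, newest_first=True):
    """Return {user: session summary} built from the log lines."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()  # work in chronological order
    sessions, current = {}, None  # current: user named by the last attributed line
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            fields = m.groupdict()
            user = fields.get("user") or current  # user-less lines go to the open session
            if user is None:
                break
            current = user
            s = sessions.setdefault(user, new_session(user))
            if kind == "start":
                s["vsid"] = int(fields["vsid"])
            elif kind in ("radius_start", "radius_ok"):
                s["factors"].add("RADIUS")
                s["radius_servers"].add(fields["server"])
            elif kind == "ldap_ok":
                s["factors"].add("LDAP")
            elif kind == "groups":
                raw = fields["groups"].strip()
                s["groups"] = None if raw == "(null)" else [g.strip() for g in raw.split(",")]
            elif kind == "accept":
                s["accepted"] = True
            break
    return sessions


def accepted_without_first_factor(sessions, first_factor="LDAP"):
    """Users the ADC accepted although no first_factor result was logged."""
    return sorted(u for u, s in sessions.items()
                  if s["accepted"] and first_factor not in s["factors"])


if __name__ == "__main__":
    for name, text in (("as posted", NS_LOG), ("with LDAP line", NS_LOG_WITH_LDAP)):
        sessions = parse_sessions(text)
        for s in sessions.values():
            print(name, s["user"], "vsid", s["vsid"], "factors", sorted(s["factors"]),
                  "groups", s["groups"], "accepted", s["accepted"])
        print(name, "RADIUS-only accepts:", accepted_without_first_factor(sessions))
```

Run against the lines as posted, the only factor recorded for test.schmutz is RADIUS and the session is still accepted, which is exactly the outcome the thread confirms later (a wrong password goes through). On an ADC these lines are read from the nsaaad debug output (`cat /tmp/aaad.debug` on the appliance shell), and the same check can be run over a captured file instead of the embedded sample.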


8 minutes ago, Arnaud Pain, CTP said:

Perfect, but keep in mind that doing that may also have an impact: there will be no validation of the user's password, so if you enter a wrong password it may go through and you will receive "Cannot complete your request" afterwards; to be checked on your own.

Thanks

Arnaud

What... you're right.... I tried with a wrong password and, without any validation, I can log in... It is not a solution to do 2FA if I can log in without a password.

I don't understand. To follow the DUO article with nFactor I need AAA and I don't have the licence....

[screenshot]

Thanks Arnaud for your time. I appreciate it.


39 minutes ago, Support SADIES said:

What... you're right.... I tried with a wrong password and, without any validation, I can log in... It is not a solution to do 2FA if I can log in without a password.

I don't understand. To follow the DUO article with nFactor I need AAA and I don't have the licence....

[screenshot]

Thanks Arnaud for your time. I appreciate it.

In this case I would recommend updating the firmware. Starting from release 13.0 build 67.x, nFactor authentication is supported with the Standard license.

So upgrade the firmware and then follow the DUO documentation.

Thanks

Arnaud


10 hours ago, Arnaud Pain said:

In this case I would recommend updating the firmware. Starting from release 13.0 build 67.x, nFactor authentication is supported with the Standard license.

So upgrade the firmware and then follow the DUO documentation.

Thanks

Arnaud

Yes, the possible solution is to upgrade, but I read this:

https://www.carlstalhood.com/system-configuration-citrix-adc-13/#upgrade

I don't have licence support and my licence file has date 2020.0700... I'm not sure I can upgrade the firmware...

Thanks


8 hours ago, Support SADIES said:

Yes, the possible solution is to upgrade, but I read this:

https://www.carlstalhood.com/system-configuration-citrix-adc-13/#upgrade

I don't have licence support and my licence file has date 2020.0700... I'm not sure I can upgrade the firmware...

Thanks

Can you try to re-download your license file, which should present a newer date and so allow you to upgrade the firmware?

Thanks

Arnaud
