How to get FullVPN access from macOS


We are testing a Citrix Gateway (running on Netscaler 13.1, VPX 1000 platinum edition) setup to allow full VPN access to certain on-prem resources via split-tunneling. For testing purposes we are using LDAP only, with no second factor for authentication.

 

The config is pretty much identical to the one described here for split tunnel: https://docs.netscaler.com/en-us/citrix-gateway/current-release/vpn-user-config/configure-full-vpn-setup.html

 

Everything works fine on Windows using the Citrix Gateway plugin. If we connect from the browser, it authorizes, suggests downloading the plugin, and then connects via the plugin and the resources are available.

 

For Mac (Ventura, on an M1), it's a different story. It suggested downloading the Gateway Plugin, which would fail immediately. I've since learned the Gateway Plugin is not supported for Macs after Big Sur and the recommended client to use is Citrix SSO https://support.citrix.com/article/CTX285295/citrix-gateway-plugin-doesnt-function-with-macos-big-sur-macos-11x. Citrix SSO doesn't exist on the Mac these days, but I understand the replacement--and recommended client--is Citrix Secure Access. See https://docs.netscaler.com/en-us/citrix-gateway/citrix-gateway-clients/gateway-clients-feature-parity.html

 

I installed Citrix Secure Access, but it won't connect. Here is what the relevant part of the logs says (full logs, with IP/hostname redacted, are attached):

 

[May 10, 2023 at 12:54:44 PM EDT] <Debug>: NSGLegacyAuthParameters - init
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: NSGAuthController - Core Auth processing
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: NSGLegacyAuthService - Auth protocol is classic.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Current auth state - Gateway Type discovered. Getting auth requirements.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: NSGLegacyAuthService - Sending index page request.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Initializing URLSession:  User-Agent Optional("Macintosh/CitrixSSO-23.05.1 Intel Mac OS X 13_3_1 VpnCapable AuthV3Capable NAC/1.0 AGMacClient/717")
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Request URL: https://gateway.[domain.redacted]:443/vpn/index.html
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Following redirect... Blocking with NULL
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Remote address for connection (metrics): [ip.redacted]
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Response success. Parse response cookies.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: NSGLegacyAuthParameters - Parsing index page response.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Received HTTP Status = 302
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Response code is 302. Inspecting parsed cookies.
[May 10, 2023 at 12:54:44 PM EDT] <Error>: No AAAC cookie. No NSC_CERT cookie. EPA also not configured. Failing auth.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: getAuthRequirements:sessionHandler: - Index page error 12.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: NSGAuthController - Processing delegate response for server https://gateway.[domain.redacted] - auth status 12
[May 10, 2023 at 12:54:44 PM EDT] <Error>: NSGAuthController - Auth failed status - 12. Possible misconfig on Gateway
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: NSGAuthController - Composing analytics event for auth status - 12.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Analytics send VPN Auth event.

 

This occurs as soon as I hit connect. I never get prompted for a login. If I log in from the web, it goes through (and auth is successful as confirmed by aaad.debug), but it just sits on the page asking me to download the plugin.

 

Can anyone suggest any steps, either for resolution or further debugging?

 

EDIT: I thought maybe using nProxy would help since that appears to be the more "modern" authentication scheme. I set that up (using only 1 factor for testing, namely LDAP). That gets a little further in the sense that it pops up the logon screen and when I enter the username/password authentication happens on the server as confirmed by aaac.debug. However, the tunnel still doesn't get set up. A full log is attached, and the relevant part (I think) is here:

 

[May 10, 2023 at 7:55:53 PM EDT] <Debug>: Parsing vpn server info.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: Parsing vpn server info.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: VPN V-server address is https://gateway.[REDACTED.DOMAIN].
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: VPN V-server port is 443.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: Block untrusted servers : 1.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: User name not available in the VPN profile.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: Password not available in the VPN profile.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: Client Cert is disabled.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: NSGCert - Setting client cert mode 0. [0 = Disabled, 1 = Automatic(iOS only), 2 = Client cert present]
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: NSGAuthContext - parsing vendor config data {
    CanEdit = 1;
    ClientCertEnabled = 0;
    VendorDescription = "https://gateway.[REDACTED.DOMAIN]";
}.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: No Custom User agent in vendor config dictionary.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: NSGAuthController - received request to stop vpn connection for https://gateway.[REDACTED.DOMAIN] from App
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: NSGAuthController - logout successful
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: ConnectionMotherViewController - logout success. Tunnel torn down.

 

Any idea what is going on?

nsgControllerApp-redacted.log

nsgControllerApp-nFactor-redacted.log

Edited by Samuel Davidoff
Add additional logging information
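
For working through client logs in the format quoted in the post, the following is an added example (not part of the original post and not Citrix code) that splits a log into entries, keeps multi-line entries together, and lists each `<Error>` entry with the steps that preceded it. The sample lines are taken from the excerpts above; the function names are illustrative, and the numeric status is only extracted, not interpreted.

```python
import re
from datetime import datetime

# Entry header as it appears in the logs quoted above:
#   [May 10, 2023 at 12:54:44 PM EDT] <Debug>: message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] <(?P<level>\w+)>: (?P<msg>.*)$")
STATUS = re.compile(r"[Aa]uth (?:failed )?status(?: -)? (\d+)")

# Sample input assembled from the excerpts in the post (shortened).
SAMPLE = """\
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Received HTTP Status = 302
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: Response code is 302. Inspecting parsed cookies.
[May 10, 2023 at 12:54:44 PM EDT] <Error>: No AAAC cookie. No NSC_CERT cookie. EPA also not configured. Failing auth.
[May 10, 2023 at 12:54:44 PM EDT] <Debug>: NSGAuthController - Processing delegate response for server https://gateway.[domain.redacted] - auth status 12
[May 10, 2023 at 12:54:44 PM EDT] <Error>: NSGAuthController - Auth failed status - 12. Possible misconfig on Gateway
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: NSGAuthContext - parsing vendor config data {
    CanEdit = 1;
    ClientCertEnabled = 0;
}.
[May 10, 2023 at 7:55:53 PM EDT] <Debug>: NSGAuthController - logout successful
"""

def parse_entries(text):
    """Split a log into entries; a line without a header continues the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Drop the trailing zone abbreviation ("EDT"); strptime cannot parse it portably.
            stamp = m["ts"].rsplit(" ", 1)[0]
            when = datetime.strptime(stamp, "%b %d, %Y at %I:%M:%S %p")
            entries.append({"time": when, "level": m["level"], "msg": m["msg"]})
        elif entries and line.strip():
            entries[-1]["msg"] += "\n" + line
    return entries

def triage(text, context=2):
    """Return every <Error> entry with the entries just before it, plus auth status codes seen."""
    entries = parse_entries(text)
    errors = [
        {"error": e["msg"], "before": [p["msg"] for p in entries[max(0, i - context):i]]}
        for i, e in enumerate(entries) if e["level"] == "Error"
    ]
    codes = sorted({int(c) for e in entries for c in STATUS.findall(e["msg"])})
    return {"entries": len(entries), "errors": errors, "status_codes": codes}

if __name__ == "__main__":
    for item in triage(SAMPLE)["errors"]:
        print(item["error"], "<-", item["before"])
```
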