Anchala Bansal

Everything posted by Anchala Bansal

  1. PoC Guide: Native OTP Registration and OTP Validation for NetScaler Gateway (using a single unified LoginSchema)

     Introduction

     NetScaler supports one-time passwords (OTPs) without having to use a third-party server. A one-time password is a highly secure option for authenticating to secure servers, as the number or passcode generated is random. Previously, specialized firms such as RSA offered OTPs with specific devices that generate random numbers. In addition to reducing capital and operating expenses, this feature enhances the administrator's control by keeping the entire configuration on the NetScaler appliance. A user must be registered with a NetScaler virtual server to use the OTP solution. Registration is required only once per unique device, and can be restricted to certain environments. Configuring and validating a registered user is similar to configuring an extra authentication policy. In this PoC guide, we are going to show how a single UI (logon form) can be leveraged for both the OTP registration and OTP validation flows, instead of asking users to go to different endpoints for the registration and validation flows.

     NetScaler Configuration

     VPN vserver and AAA vserver creation:

         add vpn vserver test.aaadomain.net SSL 10.106.1.1 443
         add authentication vserver aaavserver1 SSL 0.0.0.0

     Creating and binding an authnprofile to the VPN vserver (for advanced or nfactor OTP configuration):

         add authnprofile authnprof -authnVsName aaavserver1
         set vpn vserver test.aaadomain.net -authnprofile authnprof

     Creating and binding a single unified LoginSchema for OTP registration and validation:

         add authentication loginSchema otpregistrationorvalidation -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthOrOTPRegisterDynamic.xml"
         add authentication loginSchemaPolicy otpregistrationorvalidation -rule true -action otpregistrationorvalidation
         bind authentication vserver aaavserver1 -policy otpregistrationorvalidation -priority 1 -gotoPriorityExpression END

     OTP registration flow:

         >>> Port 636 is LDAPS, so -secType SSL is needed on this action too; without it the bind is attempted in plaintext.
         add authentication ldapAction ldap -serverIP 10.106.7.50 -serverPort 636 -secType SSL -ldapBase "dc=xyz,dc=com" -ldapBindDn test@xyz.com -ldapBindDnPassword test@123 -ldapLoginName sAMAccountName
         >>> Only runs when the user ticked the "Click to register" box (otpregister=true posted by the login form).
         add authentication Policy ldap-registration -rule "aaa.login.VALUE(\"otpregister\").eq(\"true\")" -action ldap
         add authentication policylabel otp-registration -loginSchema LSCHEMA_INT
         >>> -authentication DISABLED: this action does not re-check the password; it only reads/writes the OTP secret stored in userParameters.
         add authentication ldapAction ldap-otp -serverIP 10.106.7.50 -serverPort 636 -ldapBase "dc=xyz,dc=com" -ldapBindDn test@xyz.com -ldapBindDnPassword test@123 -ldapLoginName sAMAccountName -secType SSL -authentication DISABLED -OTPSecret userParameters
         add authentication Policy ldap-otp -rule true -action ldap-otp
         bind authentication policylabel otp-registration -policyName ldap-otp -priority 1 -gotoPriorityExpression NEXT
         bind authentication vserver aaavserver1 -policy ldap-registration -priority 1 -nextFactor otp-registration -gotoPriorityExpression NEXT

     OTP validation flow:

         add authentication Policy ldap -rule true -action ldap
         >>> The same ldap action/profile created for OTP registration can be used for the OTP validation flow as well.
         add authentication policylabel otp-validation -loginSchema LSCHEMA_INT
         bind authentication policylabel otp-validation -policyName ldap-otp -priority 1 -gotoPriorityExpression NEXT
         >>> The same ldap-otp policy created for OTP registration can be used for the OTP validation flow as well.
         bind authentication vserver aaavserver1 -policy ldap -priority 2 -nextFactor otp-validation -gotoPriorityExpression NEXT

     CLI snippet for the nfactor configuration on the AAA vserver (here aaavserver1):

         > sh authentication vs aaavserver1
                 aaavserver1 (10.106.1.1:443) - SSL   IPSet: ???   Type: CONTENT
                 State: UP
                 Client Idle Timeout: 180 sec
                 Down state flush: DISABLED
                 Disable Primary Vserver On Down : DISABLED
                 HTTP profile name: nshttp_default_strict_validation
                 Network profile name: ???
                 Appflow logging: ENABLED
                 Authentication : ON
                 Device Certificate Check: ???
                 CGInfra Homepage Redirect : ???
                 Current AAA Sessions: 0
                 Current Users: 0
                 Dtls : ???
                 L2Conn: ???
                 RDP Server Profile Name: ???
                 Max Login Attempts: 0
                 Failed Login Timeout 0
                 Fully qualified domain name: ???
                 PCoIP VServer Profile Name: ???
                 Listen Policy: NONE
                 Listen Priority: 0
                 IcmpResponse: ???
                 RHIstate: ???
                 Traffic Domain: 0
                 Probe Protocol: ???
         1) LoginSchema Policy Name: otpregistrationorvalidation   Priority: 1   GotoPriority Expression: END
         1) Advanced Authentication Policy Name: ldap-registration   Priority: 1   GotoPriority Expression: NEXT   NextFactor name: otp-registration
         2) Advanced Authentication Policy Name: ldap   Priority: 2   GotoPriority Expression: NEXT   NextFactor name: otp-validation

     User Endpoint

     Now we test the above configuration.

     OTP registration flow with the Citrix SSO app:

     1. Open a browser and navigate to the domain FQDN managed by the NetScaler Gateway. We use https://test.aaadomain.net.
     2. After your browser is redirected, the following login screen will appear. If a user wants to register a new device, click the "Click to register" checkbox.
     3. On the next screen add the Username, Password and DeviceName to be registered.
     4. On your mobile device open your Citrix SSO app and scan the QR code.
     5. Select Done and you see confirmation that the device was added successfully. You can also "Test" whether the device was added successfully by clicking the "Test" button and entering the OTP from your Citrix SSO app.

     OTP validation flow:

     1. Open a browser and navigate to the domain FQDN managed by the NetScaler Gateway. We use https://test.aaadomain.net.
     2. After your browser is redirected to the login screen, enter Username, Password and Passcode (the OTP from the Citrix SSO app for the android1 device) if your device is already registered.
     3. On successful authentication you are logged in to Citrix Gateway.
  2. You can as well refer to following article which has detailed steps:- https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-preauth-epa-scan-as-factor-in-nfactor.html
  3. You can follow the doc:- https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/configure-preauth-epa-scan-as-factor-in-nfactor.html for configuring preauth EPA as a factor in an nfactor flow. In nfactor it is just a factor, so there is no preauth or postauth EPA concept. EPA can sit anywhere: at the beginning, towards the end, or anywhere in the middle of the nfactor flow.
  4. Hello Cormac,

     For EPA failure, construct an EPA policy the same as the pass one, but add a ! in front of it. This will let you still continue with your authentication flow, and then you can use these failure/success groups in your session action or any policy you want and proceed. Something as follows:

         add authentication epaAction epaact1 -csecexpr "sys.client_expr(\"proc_0_notepad\")" -defaultEPAGroup EPA_PASS
         add authentication epaAction epaact2 -csecexpr "!sys.client_expr(\"proc_0_notepad\")" -defaultEPAGroup EPA_FAIL

     Then use the EPA_FAIL group as your check for your session policy if needed (expression below):

         AAA.USER.IS_MEMBER_OF("EPA_FAIL")

     HTH..