Introduction
NetScaler supports one-time passwords (OTPs) without using a third-party server. OTPs are a highly secure option for authenticating to secure servers as the number or passcode generated is random. Previously, specialized firms, such as RSA, with specific devices that generate random numbers, offered OTPs. In addition to reducing capital and operating expenses, this feature enhances the administrator’s control by keeping the entire configuration on the NetScaler appliance.
To use the OTP solution, a user must register with a NetScaler virtual server. Registration is required only once per unique device and can be restricted to certain environments. Configuring and validating a registered user is similar to configuring an extra authentication policy.
This POC guide shows how a single UI (the logon form) can be used for both the OTP registration and the OTP validation flow, instead of sending users to a different endpoint for each.
Netscaler Configuration
VPN Vserver and AAA vserver Creation
add vpn vserver test.aaadomain.net SSL 10.106.1.1 443
add authentication vserver aaavserver1 SSL 0.0.0.0
Creating and binding an authnprofile to the VPN vserver (for advanced or nFactor OTP configuration)
add authnprofile authnprof -authnVsName aaavserver1
set vpn vserver test.aaadomain.net -authnprofile authnprof
Creating and binding a single unified login schema for OTP registration and validation
add authentication loginSchema otpregistrationorvalidation -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthOrOTPRegisterDynamic.xml"
add authentication loginSchemaPolicy otpregistrationorvalidation -rule true -action otpregistrationorvalidation
bind authentication vserver aaavserver1 -policy otpregistrationorvalidation -priority 1 -gotoPriorityExpression END
OTP Registration flow
add authentication ldapAction ldap -serverIP 10.106.7.50 -serverPort 636 -ldapBase "dc=xyz,dc=com" -ldapBindDn test@xyz.com -ldapBindDnPassword test@123 -ldapLoginName samAccountName -secType SSL
add authentication Policy ldap-registration -rule "aaa.login.VALUE(\"otpregister\").eq(\"true\")" -action ldap
add authentication policylabel otp-registration -loginSchema LSCHEMA_INT
add authentication ldapAction ldap-otp -serverIP 10.106.7.50 -serverPort 636 -ldapBase "dc=xyz,dc=com" -ldapBindDn test@xyz.com -ldapBindDnPassword test@123 -ldapLoginName sAMAccountName -secType SSL -authentication DISABLED -OTPSecret userParameters
add authentication Policy ldap-otp -rule true -action ldap-otp
bind authentication policylabel otp-registration -policyName ldap-otp -priority 1 -gotoPriorityExpression NEXT
bind authentication vserver aaavserver1 -policy ldap-registration -priority 1 -nextFactor otp-registration -gotoPriorityExpression NEXT
OTP Validation flow
add authentication Policy ldap -rule true -action ldap
(The ldap action created for the OTP registration flow is reused for the OTP validation flow.)
add authentication policylabel otp-validation -loginSchema LSCHEMA_INT
bind authentication policylabel otp-validation -policyName ldap-otp -priority 1 -gotoPriorityExpression NEXT
(The ldap-otp policy created for the OTP registration flow is reused for the OTP validation flow as well.)
bind authentication vserver aaavserver1 -policy ldap -priority 2 -nextFactor otp-validation -gotoPriorityExpression NEXT
CLI snippet of the nFactor configuration on the AAA vserver (here aaavserver1)
> sh authentication vs aaavserver1
aaavserver1 (10.106.1.1:443) - SSL
IPSet: ???
Type: CONTENT
State: UP
Client Idle Timeout: 180 sec
Down state flush: DISABLED
Disable Primary Vserver On Down: DISABLED
HTTP profile name: nshttp_default_strict_validation
Network profile name: ???
Appflow logging: ENABLED
Authentication: ON
Device Certificate Check: ???
CGInfra Homepage Redirect: ???
Current AAA Sessions: 0
Current Users: 0
Dtls: ???
L2Conn: ???
RDP Server Profile Name: ???
Max Login Attempts: 0
Failed Login Timeout: 0
Fully qualified domain name: ???
PCoIP VServer Profile Name: ???
Listen Policy: NONE
Listen Priority: 0
IcmpResponse: ???
RHIstate: ???
Traffic Domain: 0
Probe Protocol: ???
1) LoginSchema Policy Name: otpregistrationorvalidation Priority: 1
GotoPriority Expression: END
1) Advanced Authentication Policy Name: ldap-registration Priority: 1
GotoPriority Expression: NEXT
NextFactor name: otp-registration
2) Advanced Authentication Policy Name: ldap Priority: 2
GotoPriority Expression: NEXT
NextFactor name: otp-validation
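As an added example (not NetScaler code or the page's own), the following Python models how the bindings above route one login form: the otpregister value submitted by the login schema decides the next factor, and the validation factor checks the passcode as an RFC 6238 TOTP against the secret stored for each registered device. The user store, device name and secret are constructed stand-ins for the userParameters attribute; the LDAP password bind is not modeled.

```python
import base64
import hashlib
import hmac
import struct

# Constructed stand-in for the userParameters attribute that ldap-otp reads:
# user -> {device name -> base32 OTP secret}. The secret is the RFC 6238 test key.
USER_PARAMETERS = {"alice": {"Android1": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}

def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_passcode(user: str, passcode: str, now: int) -> bool:
    """Validation factor: the passcode must match the TOTP of a registered device."""
    devices = USER_PARAMETERS.get(user, {})
    return any(hmac.compare_digest(totp(s, now), passcode) for s in devices.values())

# Advanced authentication policies bound to aaavserver1, in priority order, transcribed
# from the CLI above: (policy name, rule over the posted form, nextFactor policy label).
AAA_VSERVER_POLICIES = [
    ("ldap-registration", lambda form: form.get("otpregister") == "true", "otp-registration"),
    ("ldap", lambda form: True, "otp-validation"),
]

def route(form: dict) -> list:
    """Evaluate bindings as nFactor does with -gotoPriorityExpression NEXT: a policy whose
    rule is false is skipped; the first matching policy selects the next factor."""
    for name, rule, next_factor in AAA_VSERVER_POLICIES:
        if rule(form):
            return [name, next_factor]
    return []

def authenticate(form: dict, now: int) -> dict:
    """Run the form through the factor chain; the LDAP password bind is not modeled."""
    path = route(form)
    if path and path[-1] == "otp-validation":
        ok = verify_passcode(form.get("username", ""), form.get("passcode", ""), now)
    elif path and path[-1] == "otp-registration":
        ok = bool(form.get("devicename"))  # enrolment then continues with the QR code
    else:
        ok = False
    return {"path": path, "ok": ok}
```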
User Endpoint
Now we test the configuration above.
OTP Registration flow with Citrix SSO app
1. Open a browser and navigate to the domain FQDN managed by the NetScaler Gateway. We use https://test.aaadomain.net
2. The following login screen appears after your browser is redirected. To register a new device, tick the "Click to register" checkbox.
3. On the next screen, enter the Username, Password, and the DeviceName to be registered, as follows:
- On your mobile device, open your Citrix SSO app and Scan the QR code
- Select Done, and you will see confirmation that the device was added successfully. You can also verify the registration by clicking the "Test" button and entering the OTP from your Citrix SSO app.
OTP Validation flow
- Open a browser and navigate to the domain FQDN managed by the NetScaler Gateway. We use https://test.aaadomain.net
- After your browser is redirected to the login screen, enter your Username, Password, and Passcode (the OTP from the Citrix SSO app for the Android1 device) if your device is already registered. On successful authentication, you are logged in to Citrix Gateway.