POC Guide: Native OTP Registration and OTP Validation for NetScaler Gateway (using Single unified LoginSchema)

  • Contributed By: Anchala Bansal


NetScaler supports one-time passwords (OTPs) without using a third-party server. OTPs are a highly secure option for authenticating to secure servers because the generated number or passcode is random. Previously, OTPs were offered by specialized firms, such as RSA, using dedicated devices that generate random numbers. In addition to reducing capital and operating expenses, this feature enhances the administrator’s control by keeping the entire configuration on the NetScaler appliance.

To use the OTP solution, a user must register with a NetScaler virtual server. Registration is required only once per unique device and can be restricted to certain environments. Configuring and validating a registered user is similar to configuring an extra authentication policy.

This POC guide shows how a single UI (logon form) can serve both the OTP registration and OTP validation flows, instead of sending users to a different endpoint for each.

NetScaler Configuration

VPN Vserver and AAA vserver Creation  

add vpn vserver test.aaadomain.net SSL 443
add authentication vserver aaavserver1 SSL

Creating and binding authnprofile to VPN vserver (for advanced or nfactor OTP Configuration)

add authnprofile authnprof -authnVsName aaavserver1
set vpn vserver test.aaadomain.net -authnprofile authnprof

Creating and Binding Single Unified Loginschema for OTP Registration and Validation

add authentication loginSchema otpregistrationorvalidation -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthOrOTPRegisterDynamic.xml"
add authentication loginSchemaPolicy otpregistrationorvalidation -rule true -action otpregistrationorvalidation
bind authentication vserver aaavserver1 -policy otpregistrationorvalidation -priority 1 -gotoPriorityExpression END

OTP Registration flow

add authentication ldapAction ldap -serverIP <LDAP_SERVER_IP> -serverPort 636 -ldapBase "dc=xyz,dc=com" -ldapBindDn test@xyz.com -ldapBindDnPassword test@123 -ldapLoginName samAccountName -secType SSL
add authentication Policy ldap-registration -rule "aaa.login.VALUE(\"otpregister\").eq(\"true\")" -action ldap
add authentication policylabel otp-registration -loginSchema LSCHEMA_INT
add authentication ldapAction ldap-otp -serverIP <LDAP_SERVER_IP> -serverPort 636 -ldapBase "dc=xyz,dc=com" -ldapBindDn test@xyz.com -ldapBindDnPassword test@123 -ldapLoginName sAMAccountName -secType SSL -authentication DISABLED -OTPSecret userParameters
add authentication Policy ldap-otp -rule true -action ldap-otp
bind authentication policylabel otp-registration -policyName ldap-otp -priority 1 -gotoPriorityExpression NEXT
bind authentication vserver aaavserver1 -policy ldap-registration -priority 1 -nextFactor otp-registration -gotoPriorityExpression NEXT

OTP Validation flow

add authentication Policy ldap -rule true -action ldap
>>> The same LDAP action/profile created for OTP registration can be reused for the OTP validation flow.
add authentication policylabel otp-validation -loginSchema LSCHEMA_INT
bind authentication policylabel otp-validation -policyName ldap-otp -priority 1 -gotoPriorityExpression NEXT
>>> The same ldap-otp policy created for OTP registration can be reused for the OTP validation flow.
bind authentication vserver aaavserver1 -policy ldap -priority 2 -nextFactor otp-validation -gotoPriorityExpression NEXT

CLI Snippet for the nFactor Configuration on the AAA vserver (here aaavserver1)

> sh authentication vs aaavserver1        
aaavserver1 ( - SSL      
    IPSet: ???      
    Type: CONTENT        
    State: UP        
    Client Idle Timeout: 180 sec        
    Down state flush: DISABLED        
    Disable Primary Vserver On Down: DISABLED        
    HTTP profile name: nshttp_default_strict_validation        
    Network profile name: ???        
    Appflow logging: ENABLED        
    Authentication: ON        
    Device Certificate Check: ???        
    CGInfra Homepage Redirect: ???        
    Current AAA Sessions: 0        
    Current Users: 0        
    Dtls: ???      
    L2Conn: ???        
    RDP Server Profile Name: ???        
    Max Login Attempts: 0    
    Failed Login Timeout: 0        
    Fully qualified domain name: ???        
    PCoIP VServer Profile Name: ???        
    Listen Policy: NONE        
    Listen Priority: 0        
    IcmpResponse: ???        
    RHIstate:  ???        
    Traffic Domain: 0        
    Probe Protocol: ???        

1) LoginSchema Policy Name: otpregistrationorvalidation        
    Priority: 1        
    GotoPriority Expression: END        

1) Advanced Authentication Policy Name: ldap-registration   
    Priority: 1        
    GotoPriority Expression: NEXT        
    NextFactor name: otp-registration

2) Advanced Authentication Policy Name: ldap    
    Priority: 2        
    GotoPriority Expression: NEXT        
    NextFactor name: otp-validation
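
The vserver bindings above, modelled as an added example (not part of the original guide and not NetScaler code): it parses the guide's two bind commands, picks the first policy whose rule matches the submitted form, and flags policies hidden behind an always-true rule. It is a simplified model that assumes the LDAP action succeeds; the form is a plain dict, an unticked checkbox is assumed to send no `otpregister` field, and `SWAPPED` is a constructed misconfiguration.

```python
import re
import shlex

# Vserver-level commands copied from the guide; nothing else is modelled.
CONFIG = r'''
add authentication Policy ldap-registration -rule "aaa.login.VALUE(\"otpregister\").eq(\"true\")" -action ldap
add authentication Policy ldap -rule true -action ldap
bind authentication vserver aaavserver1 -policy ldap-registration -priority 1 -nextFactor otp-registration -gotoPriorityExpression NEXT
bind authentication vserver aaavserver1 -policy ldap -priority 2 -nextFactor otp-validation -gotoPriorityExpression NEXT
'''
RULE_RE = re.compile(r'aaa\.login\.VALUE\("([^"]+)"\)\.eq\("([^"]*)"\)')

def parse(config):
    """Return ({policy: rule}, [(priority, policy, nextFactor)] sorted by priority)."""
    rules, bindings = {}, []
    for line in config.strip().splitlines():
        tok = shlex.split(line)
        opts = {t.lower(): v for t, v in zip(tok, tok[1:]) if t.startswith("-")}
        if [t.lower() for t in tok[:3]] == ["add", "authentication", "policy"]:
            rules[tok[3]] = opts["-rule"]
        elif [t.lower() for t in tok[:3]] == ["bind", "authentication", "vserver"]:
            bindings.append((int(opts["-priority"]), opts["-policy"], opts["-nextfactor"]))
    return rules, sorted(bindings)

def rule_matches(rule, form):
    """Evaluate only the two rule shapes the guide uses."""
    if rule.lower() == "true":
        return True
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    return form.get(m.group(1)) == m.group(2)

def select_factor(config, form):
    """First bound policy (lowest priority number) whose rule matches the form."""
    rules, bindings = parse(config)
    return next(((p, f) for _n, p, f in bindings if rule_matches(rules[p], form)), None)

def shadowed(config):
    """Policies bound behind an always-true rule: never the first match."""
    rules, bindings = parse(config)
    names = [policy for _prio, policy, _factor in bindings]
    for i, name in enumerate(names):
        if rules[name].lower() == "true":
            return names[i + 1:]
    return []

# Constructed misconfiguration: registration policy moved behind the catch-all.
SWAPPED = CONFIG.replace("-priority 1 ", "-priority 3 ")
```

With the guide's priorities a ticked checkbox routes to otp-registration and everything else to otp-validation; in `SWAPPED` the registration policy is reported as shadowed and a registration request lands in otp-validation instead.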

User Endpoint

Now we test the above configuration.

OTP Registration flow with Citrix SSO app

1. Open a browser and navigate to the domain FQDN managed by the NetScaler Gateway. We use https://test.aaadomain.net

2. After your browser is redirected, the login screen appears. To register a new device, select the “Click to register” checkbox.

3. On the next screen, enter the Username, Password, and DeviceName to be registered.

4. On your mobile device, open your Citrix SSO app and scan the QR code.

5. Select Done, and you will see confirmation that the device was added successfully. You can also test the device by clicking the “Test” button and entering the OTP from your Citrix SSO app.


OTP Validation flow

1. Open a browser and navigate to the domain FQDN managed by the NetScaler Gateway. We use https://test.aaadomain.net

2. After your browser is redirected to a login screen, enter your Username, Password, and Passcode (OTP from the Citrix SSO app for the Android1 device) if your device is already registered. On successful authentication, you will be logged in to Citrix Gateway.




