Citrix ADC

SMS OTP authentication using Web authentication

Citrix ADC can now be integrated with a third party SMS provider to provide an extra layer of authentication.

Citrix ADC appliance can be configured to send an OTP on the user’s mobile as a second factor of authentication. The appliance presents the user with a logon form to enter the OTP after successful AD login. It is only after the successful validation of SMS OTP authentication that the user is presented with the requested resource.

To achieve SMS OTP authentication, the Citrix ADC appliance relies on the following factors in the back end.

  1. Authenticate the user using LDAP authentication and extract the user’s mobile number.
  2. Create OTP and store it in the NS variable. Configuring and using variables.
  3. Send the OTP via WebAuth authentication method to the mobile number extracted from LDAP.
  4. Validate the OTP.

Prerequisites

Configure OTP store

Admins set up a database/store to save OTPs used for SMS authentication by using the following CLI command.

add ns variable otp_store -type "map(text(65),text(6),100000)" -ifValueTooBig undef -ifNoValue undef -expires 5
<!--NeedCopy-->

Generate random OTP per user session

Use the following command to generate a 6-digit random OTP per user session and save it in the OTP store.

add ns assignment generate_otp -variable "$otp_store[AAA.USER.SESSIONID]" -set ("000000" + SYS.RANDOM.MUL(1000000).TYPECAST_UNSIGNED_LONG_AT.TYPECAST_TEXT_T).SUFFIX(6)
<!--NeedCopy-->

Configure SMS OTP authentication with Citrix ADC

  • Before you configure the SMS two factor authentication feature, you must have an LDAP authentication configured on a Citrix ADC appliance as first factor with authentication enabled. For instructions to configure LDAP authentication, see To configure LDAP authentication by using the configuration utility.

  • Configure LDAP and extract the mobile number to be used for SMS OTP authentication.

Sample first factor configuration

add authentication ldapAction ldap_action -serverIP 1.1.1.1 -serverPort 3268 -authTimeout 30 -ldapBase "dc=nsi-test,dc=com" -ldapBindDn Administrator@nsi-test.com -ldapBindDnPassword freebsd -ldapLoginName samaccountname -groupAttrName memberOf -ssoNameAttribute samaccountname  -Attribute1 mobile -email mail

add authentication Policy ldap_policy -rule true -action ldap_action
<!--NeedCopy-->

Note

Mobile number can be extracted using AAA.USER.ATTRIBUTE(1) and can be included while sending it to the back-end server.

Sample second factor configuration

Using the following sample configuration, an OTP that is to be sent to the end user is generated.

add authentication Policy set_otp -rule true -action generate_otp

add authentication policylabel set_otp -loginSchema LSCHEMA_INT

add authentication policy cascade_noauth -rule true -action NO_AUTHN

bind authentication policylabel set_otp -policyName set_otp -priority 1 -gotoPriorityExpression NEXT
<!--NeedCopy-->

Sample third factor configuration

Using the following sample configuration, the OTP generated in the second factor configuration is sent to the end user using the Web authentication method. For details on Web authentication, see Web authentication.

  • Sample web authentication configuration when SMS server exposes API via GET method.

     add policy expression otp_exp_get "\"method=sendMessage&send_to=\" + AAA.USER.ATTRIBUTE(1) + \"&msg=OTP is \" + $otp_store[AAA.USER.SESSIONID] + \"for login into secure access  gateway. Valid till EXPIRE_TIME. Do not share the OTP with anyone for security reasons.&userid=#####&password=###=1.0\""
    
     add authentication webAuthAction webAuth_Get -serverIP 10.106.168.210 -serverPort 8080 -fullReqExpr q{"GET /GatewayAPI/rest\?" + otp_exp_get + "HTTP/" + http.req.version.major + "." + http.req.version.minor.sub(1) + "\r\nAccept:*/*\r\nHost: <FQDN>\r\n"} -successRule "http.res.status.eq(200)" -scheme http
     <!--NeedCopy-->
    
  • Sample web authentication configuration when SMS server exposes API via GET method.

     add policy expression otp_exp_post "\"Message: OTP is \" + $otp_store[AAA.USER.SESSIONID] + \"for login into secure access  gateway. Valid till EXPIRE_TIME. Do not share the OTP with anyone for security reasons&Mobile:\" + AAA.USER.ATTRIBUTE(1)"
    
     add authentication webAuthAction webAuth_POST -serverIP 10.106.168.210 -serverPort 8080 -fullReqExpr q{"POST /MyPHP/auth.php HTTP/" + http.req.version.major + "." + http.req.version.major + "\r\nAccept:*/*\r\nHost: 10.106.168.210 \r\nContent-Length: 10\r\n\r\n" + otp_exp_post} -scheme http -successRule true
     <!--NeedCopy-->
    
     add authentication webAuthAction webAuth_Get -serverIP 10.106.168.210 -serverPort 8080 -fullReqExpr q{"GET /GatewayAPI/rest\?" + otp_exp_get + "HTTP/" + http.req.version.major + "." + http.req.version.minor.sub(1) + "\r\nAccept:/\r\nHost: <FQDN>\r\n"} -successRule "http.res.status.eq(200)" -scheme http
    
     add policy expression otp_exp_post "$otp_store[AAA.USER.SESSIONID]"
     <!--NeedCopy-->
    
  • Finally, send the OTP.

     add authentication Policy wpp -rule true -action webAuth_POST
    
     add authentication policylabel send_otp -loginSchema LSCHEMA_INT
     bind authentication policylabel send_otp -policyName wpp -priority 1 -gotoPriorityExpression NEXT
     <!--NeedCopy-->
    

Sample fourth factor configuration

Using the following sample configuration, validate the OTP sent to the end user.

In this configuration, a policy rule is used to validate the OTP against the one that is sent to the end user.

add authentication Policy otp_verify -rule "AAA.LOGIN.PASSWORD.EQ($otp_store[AAA.USER.SESSIONID])" -action NO_AUTHN

add authentication policylabel otp_verify -loginSchema onlyPassword

bind authentication policylabel otp_verify -policyName otp_verify -priority 1 -gotoPriorityExpression NEXT

<!--NeedCopy-->

Use the following command to add the OnlyPassword login schema:

add authentication loginSchema onlypassword -authenticationschema /nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
<!--NeedCopy-->

Use the following CLI commands to link all the factors together.

bind authentication policylabel send_otp -policyName wpp -priority 1 -gotoPriorityExpression NEXT -nextFactor otp_verify
<!--NeedCopy-->

Note:

The policy for cascading authentication is added to enable reliable and continuous authentication for the end users. If the current factor fails, the next factor is evaluated such that there is no impact on the user experience.

SMS OTP authentication using Web authentication