Native OTP Support

Sep 27, 2017

NetScaler Gateway supports one-time passwords (OTPs) without having to use a third-party server. In addition to reducing capital and operating expenses, this feature enhances the administrator's control by keeping the entire configuration on the NetScaler appliance.

Note that, since third-party servers are no longer needed, the gateway administrator has to configure an interface to manage and validate user devices.

To use the OTP feature, a user must be registered with a NetScaler Gateway virtual server. Registration is required only once per unique device, and typically is restricted to certain environments. Configuring validation of a registered user is similar to configuring an additional authentication policy.

Advantages of having Native OTP support:

  • Reduces operating cost by eliminating the need for additional authentication server infrastructure alongside Active Directory
  • Consolidates the configuration on NetScaler, giving administrators greater control
  • Eliminates the client's dependence on an additional authentication server for generating the code expected from clients

Understanding the Native OTP solution

Implementing the NetScaler Native OTP solution is a two-fold process. It requires the user to do the following before access to the desired resource is granted:

  • Register an OTP used for communication with NetScaler
  • Present the OTP to get the same validated by NetScaler

Following is an example of the flow of events in registering an OTP:

    1.  The user indicates that a new OTP needs to be registered.

    2.  NetScaler receives the request, generates a random secret, and base32-encodes the secret.

    3.  NetScaler updates the AD user object with the OTP secret in an attribute specified by the administrator.

    4.  Upon successful AD update, NetScaler generates a response that shows the QR code and the secret to the user.

    5.  The user uses an app (such as Google Authenticator) to read the secret, either by scanning the QR code image or by entering the secret into the app manually.

    6.  Once the secret is read, the app on the user's mobile device keeps generating OTPs, each of which expires after a preset time interval (typically 30 seconds).

Following is an example of the flow of events in verification of the OTP:

    1.  The user enters the OTP code from the app of their choice.

    2.  NetScaler retrieves the secret from the AD user object.

    3.  If retrieval succeeds, NetScaler recomputes the OTP and checks it against the presented code.

    4.  NetScaler also tries the previous and the next 30-second time step when computing OTP codes, to tolerate small clock differences.

    5.  NetScaler displays a success message if a generated code matches the incoming code.
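The registration and verification flows above, written out as an added example (this is illustrative code, not Citrix's implementation): it generates and base32-encodes a secret, builds the otpauth URI that a QR code would carry, and verifies a presented code against the current, previous and next 30-second step. It assumes the common TOTP parameters (RFC 6238 with HMAC-SHA1, 6 digits, 30-second step), which the page implies but does not state as NetScaler's exact algorithm.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # time step named on the page
DIGITS = 6         # code length named on the page


def generate_secret(num_bytes: int = 20) -> str:
    """Registration step 2: random secret, base32-encoded for the authenticator app."""
    return base64.b32encode(os.urandom(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Registration step 4: the text a QR code would encode (otpauth URI format)."""
    return f"otpauth://totp/{issuer}:{account}?secret={secret_b32}&issuer={issuer}"


def totp(secret_b32: str, counter: int) -> str:
    """RFC 6238 TOTP for one time-step counter (HMAC-SHA1, dynamic truncation)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


def verify(secret_b32: str, presented: str, now: Optional[float] = None) -> bool:
    """Verification steps 3-4: recompute for the current step and the previous/next step.

    Uses a constant-time comparison so that a mismatch does not leak timing information.
    """
    if not (presented.isdigit() and len(presented) == DIGITS):
        return False
    ts = time.time() if now is None else now
    counter = int(ts // STEP_SECONDS)
    return any(hmac.compare_digest(totp(secret_b32, counter + d), presented) for d in (-1, 0, 1))


if __name__ == "__main__":
    # Constructed sample: a fresh secret for a hypothetical user, then a round trip.
    secret = generate_secret()
    print(provisioning_uri(secret, "user@training.lab", "NetScaler"))
    print("valid:", verify(secret, totp(secret, int(time.time() // STEP_SECONDS))))
```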

Configuring the Native OTP solution using GUI

Prerequisites
  • NS Version 12.0 Feature Release 1 or later
  • NetScaler Gateway is configured with a management IP, and the management console is accessible both using a browser and the command line
  • An appropriate license is installed on NetScaler Gateway
  • NetScaler has been configured with an AAA vserver to authenticate users
  • NetScaler has been configured with Unified Gateway, and the AAA authentication profile is assigned to the Gateway virtual server
  • The Native OTP solution is restricted to the nFactor authentication flow. Advanced policies are required to configure the solution. For more details, refer to https://support.citrix.com/article/CTX222713

Also ensure the following for Active Directory:

  • Attribute length must be at least 128 characters
  • Attribute type must be 'DirectoryString'
  • Attribute string type must be Unicode if the device name contains non-English characters
  • The NetScaler LDAP admin must have write access to the selected AD attribute
  • NetScaler and the client machine must be synchronized to a common network time server
 
Create Login Schema for First Factor

    1.  Navigate to Security / AAA > Application Traffic / Login Schema. Go to the Profiles tab and click Add.
    2.  On the Create Authentication Login Schema page, enter lschema_first_factor in the Name field and click the edit icon next to noschema.
    3.  Click the LoginSchema folder.
    4.  Scroll down to select SingleAuth.xml and click Select.
    5.  Click Create.
    6.  Click the Policies tab and click Add.
    7.  On the Create Authentication Login Schema Policy screen, enter the following values and click Create:

Name: lschema_first_factor

Profile: select lschema_first_factor from the drop down

Rule: HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp")

Configure AAA vServer

    1.  Navigate to Security / AAA – Application Traffic / Authentication Virtual Servers. Click to edit the existing vServer.
    2.  Click the + icon next to Login Schemas under Advanced Settings in the right pane.
    3.  Select No Login Schema.
    4.  Click the arrow and select the lschema_first_factor policy.
    5.  Select the lschema_first_factor policy and click Select.
    6.  Click Bind.
    7.  Scroll up and select 1 Authentication Policy under Advanced Authentication Policy.
    8.  Right-click the nFactor policy and select Edit Binding.
    9.  Click the + icon present under Select Next Factor, create a Next Factor, and click Bind.
    10.  On the Create Authentication PolicyLabel screen, enter the following and click Continue:

Name: OTP_manage_factor

Login Schema: Lschema_Int

    11.  On the Authentication PolicyLabel screen, click the + icon to create a Policy.
    12.  On the Create Authentication Policy screen, enter the following:

Name: otp_manage_ldap

Select the Action type using the Action Type drop-down

In the Action field, click the + icon to create a new Action

    13.  On the Create Authentication LDAP Server page, select the Server IP radio button, deselect the checkbox next to Authentication, enter the following values, and select Test Connection.

Name: LDAP_no_auth

IP Address: 192.168.10.11

Base DN: DC=training, DC=lab

Administrator: Administrator@training.lab

Password: Citrix123

    14.  Scroll down to the Other Settings section. Use the drop-down menu to set Server Logon Name Attribute to << New >> and type userprincipalname. Use the drop-down menu to set SSO Name Attribute to << New >> and type userprincipalname.

    15.  Enter "UserParameters" in the OTP Secret field and click More.
    16.  Enter the following attributes:

Attribute 1 = mail

Attribute 2 = objectGUID

Attribute 3 = immutableID

    17.  Click OK.
    18.  On the Create Authentication Policy page, set the Expression to true and click Create.
    19.  On the Create Authentication Policylabel page, click Bind, and click Done.
    20.  On the Policy Binding page, Click Bind.
    21.  On the Authentication policy page, click Close and click Done.

Note

The authentication virtual server must be bound to the RFWebUI portal theme. You must bind a server certificate to the server. The server IP '1.2.3.5' must have a corresponding FQDN, that is, otpauth.server.com, for later use.

Set Content Switching Policy for Manage OTP

    1.  Navigate to Traffic Management / Content Switching / Policies. Select the content switching policy, right-click, and select Edit.

    2.  Edit the expression to evaluate the following OR statement and click OK:

is_vpn_url||HTTP.REQ.URL.CONTAINS("manageotp")

Test ManageOTP User Interface

    1.  Navigate to your Unified Gateway FQDN (first public-facing IP), with a /manageotp suffix, and log in with user credentials.
Example: https://184-172-16-38.mycitrixtraining.net/manageotp

    2.  Click the + icon to add a device.

    3.  Enter a device name and press Go. A barcode appears on screen.

    4.  Click Begin Setup and then click Scan Barcode.

    5.  Hover the device camera over the QR code. You can optionally enter the 16-digit code instead.

    6.  Upon successful scan, you are presented with a 6-digit time-sensitive code that can be used to log in.

    7.  To test, click Done on the QR screen, then click the green check mark on the right.

    8.  Select your device from the drop-down menu, enter the code from Google Authenticator (it must be blue, not red, that is, not about to expire), and click Go.

    9.  Make sure to log out using the drop-down menu at the top right corner of the page.

Create Login Schema for Second Factor OTP

    1.  Navigate to Security / AAA- Application Traffic / Virtual Servers. Select the virtual server to be edited.

    2.  Scroll down and select 1 Login Schema.

    3.  Click Add Binding.

    4.  Under Policy Binding section, click the + icon to add a policy.

    5.  On the Create Authentication Login Schema Policy page, enter Name as OTP, and click the + icon to create a profile.

    6.  On the Create Authentication Login Schema page, enter Name as OTP and click the icon next to noschema.

    7.  Click the LoginSchema folder, select DualAuth.xml, and then click Select.

    8.  Click Create.

    9.  In the Rule section, enter True. Click Create.

    10.  Click Bind.

    11.  Notice the two factors of authentication. Click Close and click Done.

Test Two-Factor Authentication with OTP

    1.  Navigate to your first public-facing URL and enter your OTP from Google Authenticator to log on. This time navigate just to the FQDN, with no suffix. Notice that a different logon page appears.

    2.  Authenticate to the Unified Gateway splash page.

Configuring the Native OTP solution using Command Line

How to Configure OTP Device Registration and Management page

You must have the following information to configure the OTP device management page:

  • IP assigned to authentication vserver
  • FQDN corresponding to the assigned IP
  • Server certificate for authentication vserver

Note

The Native OTP solution is web-based only.

To configure the OTP Device Registration and Management page:

    1.  Create Authentication VServer

add authentication vserver authvs SSL 1.2.3.5 443

bind authentication vserver authvs -portaltheme RFWebUI

bind ssl vserver authvs -certkeyname otpauthcert

Note

The authentication virtual server must be bound to the RFWebUI portal theme. You must bind a server certificate to the server. The server IP '1.2.3.5' must have a corresponding FQDN, that is, otpauth.server.com, for later use.

    2.  Create LDAP Logon Action

add authentication ldapAction <LDAP ACTION NAME> -serverIP <SERVER IP> -serverPort <SERVER PORT> -ldapBase <BASE> -ldapBindDn <AD USER> -ldapBindDnPassword <PASSWORD> -ldapLoginName <USER FORMAT>

    3.  Add Authentication Policy for LDAP Logon

add authentication Policy auth_pol_ldap_logon -rule true -action ldap_logon_action

    4.  Present the UI via LoginSchema: show the username field and password field to users upon logon

add authentication loginSchema lschema_single_auth_manage_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"

Following are the two ways of showing the Device Registration and Management page:

By URL

When the URL contains ‘/manageotp’

add authentication loginSchemaPolicy lpol_single_auth_manage_otp_by_url -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\")" -action lschema_single_auth_manage_otp

bind authentication vserver authvs -policy lpol_single_auth_manage_otp_by_url -priority 10 -gotoPriorityExpression END

By Host

When the hostname is ‘alt.server.com’

add authentication loginSchemaPolicy lpol_single_auth_manage_otp_by_host -rule "http.req.header(\"host\").eq(\"alt.server.com\")" -action lschema_single_auth_manage_otp

bind authentication vserver authvs -policy lpol_single_auth_manage_otp_by_host -priority 20 -gotoPriorityExpression END

Accessing the Device Registration and Management Page using UI

After configuring the steps mentioned above, to access the Device Registration and Management page:

    1.  In the web browser, type the URL https://otpauth.server.com/manageotp (alternatively, you can use https://alt.server.com if you have configured the host-based management page) and enter valid credentials.

    2.  Click "+", enter a device name, click “Go”, and click “Done”.

    3.  A QR code is generated, indicating that the device has been registered.

    4.  Optionally enter a passcode to test the newly registered device.

How to Configure the User Logon page

You must have the following information to configure the User Logon page:

  • IP for a Load-Balanced vserver
  • Corresponding FQDN for the Load-Balanced vserver
  • Server certificate for the Load-Balanced vserver
Note

You will be re-using the existing authentication vserver (authvs) for the two-factor authentication.

    1.  Create Load-Balanced VServer

add lb vserver lbvs_https SSL 1.2.3.162 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost otpauth.server.com -Authentication ON -authnVsName authvs

bind ssl vserver lbvs_https -certkeyname lbvs_server_cert

Back-end service in LB is represented as follows:

add service iis_backendsso_server_com 1.2.3.210 HTTP 80

bind lb vserver lbvs_https iis_backendsso_server_com

    2.  Create OTP Passcode Validation Action

add authentication ldapAction <LDAP ACTION NAME> -serverIP <SERVER IP> -serverPort <SERVER PORT> -ldapBase <BASE> -ldapBindDn <AD USER> -ldapBindDnPassword <PASSWORD> -ldapLoginName <USER FORMAT> -authentication DISABLED -OTPSecret <LDAP ATTRIBUTE>

    3.  Add Authentication Policy for OTP Passcode Validation

add authentication Policy auth_pol_otp_validation -rule true -action ldap_otp_action

    4.  Present the two-factor authentication via LoginSchema

add authentication loginSchema lscheme_dual_factor -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"

add authentication loginSchemaPolicy lpol_dual_factor -rule true -action lscheme_dual_factor

    5.  Create Passcode Validation Factor via Policy Label

Create a manage-OTP flow policy label for the next factor (the first factor is the LDAP logon):

add authentication loginSchema lschema_noschema -authenticationSchema noschema

add authentication policylabel manage_otp_flow_label -loginSchema lschema_noschema

Bind the OTP policy to the policy label:

bind authentication policylabel manage_otp_flow_label -policyName auth_pol_otp_validation -priority 10 -gotoPriorityExpression NEXT

    6.  Bind the UI flow: LDAP logon followed by OTP validation

bind authentication vserver authvs -policy auth_pol_ldap_logon -priority 10 -nextFactor manage_otp_flow_label -gotoPriorityExpression NEXT

Bind all the UI entities:

bind authentication vserver authvs -policy lpol_dual_factor -priority 30 -gotoPriorityExpression END

Accessing the User Logon Page using UI

After configuring the steps mentioned above, to access the User Logon page, enter the LB vserver URL, e.g., https://lb.server.com. The user logon screen appears.