Citrix ADC

SMS two-factor authentication using Web authentication

Citrix ADC can now integrate with third-party SMS providers to add an extra layer of authentication.

The Citrix ADC appliance can be configured to send an OTP to the user's mobile device as the second authentication factor. After a successful AD login, the appliance presents the user with a login form for entering the OTP. The requested resource is released to the user only after the second-factor authentication succeeds.

Configuring SMS two-factor authentication with Citrix ADC

Before configuring the SMS two-factor authentication feature, LDAP authentication must be configured on the Citrix ADC appliance as the first factor. For instructions on configuring LDAP authentication, see Configuring LDAP authentication by using the configuration utility.

Note

The mobile number can be extracted with AAA.USER.ATTRIBUTE(1) (the LDAP action below maps Attribute1 to the mobile attribute) and included in the request sent to the back-end SMS server.

Assign an NS variable

At the command prompt, type the following commands:

add ns variable <variable name> -type "map(text(65),text(6),100000)" -ifValueTooBig undef -ifNoValue undef -expires 5

add ns assignment <variable name> -variable "$<variable name>[AAA.USER.SESSIONID]" -set q{("000000" + SYS.RANDOM.MUL(1000000).TYPECAST_UNSIGNED_LONG_AT.TYPECAST_TEXT_T).SUFFIX(6)}

Sample NS variable assignment

add ns variable test -type "map(text(65),text(6),100000)" -ifValueTooBig undef -ifNoValue undef -expires 5

add ns assignment test -variable "$test[AAA.USER.SESSIONID]" -set q{("000000" + SYS.RANDOM.MUL(1000000).TYPECAST_UNSIGNED_LONG_AT.TYPECAST_TEXT_T).SUFFIX(6)}

Configure the Webauth action

At the command prompt, type the following commands:

add policy expression <expression name> q{"method=sendMessage&send_to=&msg=OTP is " + $<variable name>[AAA.USER.SESSIONID] + " for login into secure access gateway. Valid till EXPIRE_TIME. Do not share the OTP with anyone for security reasons.&userid=#####&password=###=1.0"}

add authentication webAuthAction webAuth_Get -serverIP <SERVER_IP> -serverPort <SERVER_PORT> -fullReqExpr q{"GET /GatewayAPI/rest?" + <expression name> + " HTTP/" + http.req.version.major + "." + http.req.version.minor.sub(1) + "\r\nAccept: */*\r\nHost: <FQDN>\r\n\r\n"} -scheme http -successRule "http.res.status.eq(200)"

add authentication webAuthAction <web auth action name> -serverIP <server IP address> -serverPort 8080 -fullReqExpr q{"POST /MyPHP/auth.php HTTP/" + http.req.version.major + "." + http.req.version.minor + "\r\nAccept: */*\r\nHost: <server IP address>\r\nContent-Length: 10\r\n\r\n" + <name in the format expected by SMS server>} -scheme http -successRule true

Sample Webauth action configuration

add policy expression otp_exp q{"method=sendMessage&send_to=&msg=OTP is " + $test[AAA.USER.SESSIONID] + " for login into secure access gateway. Valid till EXPIRE_TIME. Do not share the OTP with anyone for security reasons.&userid=#####&password=###=1.0"}

add authentication webAuthAction webAuth_Get -serverIP 10.106.168.210 -serverPort 8080 -fullReqExpr q{"GET /GatewayAPI/rest?" + otp_exp + " HTTP/" + http.req.version.major + "." + http.req.version.minor.sub(1) + "\r\nAccept: */*\r\nHost: <FQDN>\r\n\r\n"} -scheme http -successRule "http.res.status.eq(200)"

add authentication webAuthAction webAuth_POST -serverIP 10.106.168.210 -serverPort 8080 -fullReqExpr q{"POST /MyPHP/auth.php HTTP/" + http.req.version.major + "." + http.req.version.minor + "\r\nAccept: */*\r\nHost: 10.106.168.210\r\nContent-Length: 10\r\n\r\n" + otp_set} -scheme http -successRule true

Sample first-factor configuration

add authentication ldapAction ldap_action -serverIP 1.1.1.1 -serverPort 3268 -authTimeout 30 -ldapBase "dc=nsi-test,dc=com" -ldapBindDn Administrator@nsi-test.com -ldapBindDnPassword freebsd -ldapLoginName samaccountname -groupAttrName memberOf -ssoNameAttribute samaccountname -Attribute1 mobile -email mail -CloudAttributes DISABLED

add authentication Policy ldap_policy -rule true -action ldap_action

Sample second-factor configuration

add authentication policylabel set_otp -loginSchema LSCHEMA_INT
add authentication Policy set_otp -rule true -action test

bind authentication policylabel set_otp -policyName set_otp -priority 1 -gotoPriorityExpression NEXT
bind authentication policylabel set_otp -policyName cascade_noauth -priority 2 -gotoPriorityExpression NEXT -nextFactor check_otp

add authentication Policy check_otp -rule "$test.valueExists(AAA.USER.SESSIONID)" -action NO_AUTHN
add authentication policylabel check_otp -loginSchema LSCHEMA_INT
bind authentication policylabel check_otp -policyName wpp -priority 1 -gotoPriorityExpression NEXT
bind authentication policylabel check_otp -policyName wpp_cascade_noauth -priority 2 -gotoPriorityExpression NEXT -nextFactor otp_verify

add authentication Policy wpp -rule true -action webAuth_POST
add authentication Policy wpp_cascade_noauth -rule true -action NO_AUTHN

add authentication Policy otp_verify -rule "AAA.LOGIN.PASSWORD.EQ($test[AAA.USER.SESSIONID])" -action NO_AUTHN
add authentication policylabel otp_verify -loginSchema onlyPassword
bind authentication policylabel otp_verify -policyName otp_verify -priority 1 -gotoPriorityExpression NEXT

add authentication vserver avs SSL 10.106.40.121 443
bind authentication vserver avs -policy ldap_policy -priority 1 -nextFactor set_otp -gotoPriorityExpression NEXT
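As an added illustration of what the nFactor flow above does (example code written for this article, not Citrix code), the Python model below mirrors the test map and its assignment: a six-digit zero-padded OTP keyed by session ID, the 5-minute expiry, the 100000-entry bound with its undef behaviour, the valueExists check used by check_otp, and the AAA.LOGIN.PASSWORD.EQ comparison used by otp_verify. It assumes secrets.randbelow in place of SYS.RANDOM.MUL and, as an addition the ADC configuration itself does not make, discards an OTP after a successful comparison so it cannot be presented twice.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6          # SUFFIX(6) in the ns assignment
OTP_TTL_SECONDS = 300   # -expires 5 (minutes) on the ns variable
MAX_ENTRIES = 100000    # map(text(65),text(6),100000): at most 100000 sessions


class OtpStore:
    """Models $test[AAA.USER.SESSIONID]: session id -> (otp, expiry time)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._entries = {}

    def assign(self, session_id):
        """The ns assignment: ("000000" + random).SUFFIX(6), or None (undef)
        when the map is full (-ifValueTooBig undef)."""
        if session_id not in self._entries and len(self._entries) >= MAX_ENTRIES:
            return None
        # secrets.randbelow stands in for SYS.RANDOM.MUL(1000000) (assumption)
        raw = str(secrets.randbelow(10 ** OTP_DIGITS))
        otp = ("0" * OTP_DIGITS + raw)[-OTP_DIGITS:]   # left-pad to 6 digits
        self._entries[session_id] = (otp, self._now() + OTP_TTL_SECONDS)
        return otp

    def value_exists(self, session_id):
        """$test.valueExists(AAA.USER.SESSIONID); expired entries read as undef."""
        entry = self._entries.get(session_id)
        if entry is None:
            return False
        if self._now() >= entry[1]:
            del self._entries[session_id]
            return False
        return True

    def verify(self, session_id, submitted):
        """AAA.LOGIN.PASSWORD.EQ($test[AAA.USER.SESSIONID]) in constant time;
        a matching OTP is consumed (added here, not part of the ADC config)."""
        if not self.value_exists(session_id):
            return False
        otp, _ = self._entries[session_id]
        if not hmac.compare_digest(otp.encode(), str(submitted).encode()):
            return False
        del self._entries[session_id]
        return True
```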