Native OTP and MFA in Citrix NetScaler 12

Finally, NetScaler 12.0 build 51.24 was released on July 20, 2017 and introduces, among other things, two great new features:

  • Native OTP (One Time Password) via nFactor
  • Secure Web Gateway (will be covered in a later post)

I am very excited to follow development on these two features.

This post focuses on Native OTP: its benefits and the implementation steps.

Intro

The newly released Native OTP feature is based on nFactor authentication policies, which allow us to do conditional authentication for browser-based clients. We can increase security and protect our line-of-business apps with Multi Factor Authentication (MFA), e.g. by enabling AD authentication as the first factor and OTP (via Google Authenticator or a similar Authenticator app) as the second factor.

Benefits / Objectives

Benefits of implementing Native OTP in NetScaler:

  • Increased security for externally delivered business resources
  • Reduced capital and operational expenses
  • No need for a complex separate infrastructure to support OTP
  • Central and consolidated configuration – better control

Requirements

The following lists the requirements for implementing Native OTP in NetScaler 12:

  • NetScaler 12.0 build 51.24 / minimum Enterprise license
  • Admin knowledge of nFactor authentication
  • The NetScaler LDAP admin account needs write access to the selected AD attribute (userParameters)
  • NetScaler and client must sync time from the same time server
  • NetScaler basic configuration (management IP, certificates etc.) has been completed

OTP Registration Flow

From docs.citrix.com.

The following is an example of the flow of events when registering an OTP:

  1. User acknowledges that he needs to register a new OTP.
  2. NetScaler receives the request, generates a random secret and base32-encodes it.
  3. NetScaler updates the AD object with the OTP secret in an attribute specified by the administrator.
  4. Upon successful AD update, NetScaler generates a response that shows the QR code and the secret to the user.
  5. The user uses an app (Google Authenticator or similar) to read the secret, either by scanning the QR code image or by manually entering the secret into the app.
  6. Once the secret is read, the app on the user’s mobile keeps generating OTPs that expire in a preset time interval (30 seconds or so).

OTP Verification Flow

From docs.citrix.com.

The following is an example of the flow of events when verifying the OTP:

  1. The user enters the OTP number from his app of choice.
  2. NetScaler retrieves the secret from the AD user object.
  3. If retrieval succeeds, NetScaler re-computes the OTP and checks it against the presented code.
  4. NetScaler also tries the previous and next 30-second epoch when computing OTP codes.
  5. NetScaler displays a success message if any of the generated codes match the incoming code.

Implementation

Step 1 – Manage OTP – Onboarding users

I chose to allow “registration” of the Authenticator app and barcode secret from the internal LAN only. That is why I have split this into two separate AAA vServers: one in the internal LAN for management of OTP and one in the DMZ for the two-factor nFactor authentication.

Create an LDAP authentication policy and profile for management of OTP:

Add an nFactor login schema:

Add and configure the authentication vServer:

Create a policy label:

Bind the policies to the authentication vServer:

In order to onboard users, direct them to the manageotp site from the trusted internal LAN:
https://manageotp.domain.local/manageotp (points to the internal AAA vServer)

Log in with UserPrincipalName:

Add your device:

Insert a name for the device (this name, together with random numeric characters, will be written to the userParameters attribute of the user object in Active Directory):

A secret barcode has now been created; scan and enrol it with your favourite Authenticator app (my favourite is Authenticator Plus):

Test the OTP generated by your authenticator app:

Verify the successful OTP test:

Note: I noticed that once a user had been registered for OTP, I could not log in with the same user to manage my OTP registration. I was met by the following at login:

[screenshot of the login error not available]

To register again you would have to clear the userParameters attribute on the user object in Active Directory, which effectively revokes the device registration.

Step 2 – Configure Native OTP for MFA / Dual Auth

In this part we implement our AAA or NetScaler Gateway (NSG) nFactor vServer in the DMZ with dual authentication, reachable from the outside (Internet).

Add an AAA vServer for external dual auth:

Add a dual-auth login schema in nFactor:

Add and bind an authentication policy label:

Two login schemas have been added:

One advanced authentication vServer with a policy label has now been added:

Policy label:

Add the load-balanced application with nFactor pre-authentication enabled:

Now navigate to the public-facing site and test access and the login process with username/password and the Authenticator app OTP:

NetScaler Gateway and Native OTP with nFactor

NetScaler Gateway protected applications can also be used with nFactor integrated with Native OTP and MFA. In this scenario an authentication profile is created and bound to the NetScaler Gateway in scope.

Add an authentication vServer:

Add an authentication profile:

Bind the login schemas:

Bind the advanced authentication policy:

Now bind the authentication profile to the NSG vServer to use Native OTP and nFactor with NetScaler Gateway.

Native OTP documentation at citrix.com:

Citrix Docs – Native OTP
