Finally, NetScaler 12.0 build 51.24 was released on July 20, 2017 and, among other things, introduces two great new features:
- Native OTP (OneTimePassword) via nFactor
- Secure Web Gateway (Will be covered in a later post)
I am very excited to follow development on these two features.
This post is focusing on Native OTP, benefits and implementation steps.
Intro
The newly released Native OTP feature is based on nFactor authentication policies, which allow us to do conditional authentication for browser-based clients. We can increase security and protect our line-of-business apps with Multi-Factor Authentication (MFA), e.g. by enabling AD authentication as the first factor and OTP (via Google Authenticator or a similar authenticator app) as the second factor.
Benefits / Objectives
Benefits of implementing Native OTP in NetScaler:
- Increase Security on external delivered business resources
- Reduce capital and operational expenses
- Eliminate need of complex infrastructure to support OTP
- Central and consolidated configuration – better control
Requirements
The following lists the requirements for implementing Native OTP in NetScaler 12:
- NetScaler 12.0 Build 51.24 / Min. Enterprise license
- Admin knowledge of nFactor authentication
- NetScaler LDAP Admin needs write access to selected AD Attribute (userParameters)
- NetScaler and client must sync time from same Time Server
- NetScaler basic configuration (Management IP, certificates etc.) has been configured
OTP Registration Flow
From docs.citrix.com.
The following is an example of the flow of events when registering an OTP:
- User acknowledges that he needs to register a new OTP.
- NetScaler receives the request and generates a random secret and base32 encodes the secret.
- NetScaler updates AD object with the OTP secret at an attribute specified by administrator.
- Upon successful AD update, NetScaler generates a response to show QR code and secret to the user.
- User uses an app (Google Authenticator or so) to read the secret and scans the QR code image or manually enters the secret to the app.
- Once the secret is read, app on user’s mobile keeps generating OTP that expires in a preset time interval (30 seconds or so).
OTP Verification Flow
From docs.citrix.com.
The following is an example of the flow of events when verifying the OTP:
- User enters the OTP number from his app of choice.
- NetScaler retrieves the secret from AD user object.
- If retrieval succeeds, NetScaler re-computes the OTP and checks against the presented code.
- NetScaler tries previous and next 30 seconds epoch to compute OTP codes.
- NetScaler displays success message if any of the generated codes match the incoming code.
Implementation
Step 1 – Manage OTP – Onboarding users
I chose to allow "registration" of the authenticator app and barcode secret from the internal LAN only. That is why I have split this into two separate AAA vServers: one on the internal LAN for management of OTP and one AAA vServer in the DMZ for the two-factor nFactor authentication.
Create LDAP Authentication Policy and Profile for Management of OTP:
add authentication ldapAction auth-prof-otpmanagement-ldap -serverIP 1.10.1.21 -ldapBase "dc=domain,dc=local" -ldapBindDn nsldapuser@domain.local -ldapBindDnPassword PASSWD -ldapLoginName userprincipalname -ssoNameAttribute userprincipalname -authentication DISABLED -Attribute1 mail -Attribute2 objectGUID -Attribute3 immutableID -OTPSecret userParameters
add authentication ldapPolicy auth-pol-otpmanage-ldap ns_true auth-prof-otpmanagement-ldap
Add nFactor Login Schema:
add authentication loginSchema native-otp-singleauth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
Add and configure Authentication vServer:
add authentication vserver int-aaa_vs_manageotp.domain.com SSL 10.1.2.3 443
Create Policy Label:
add authentication policylabel auth-pol-label-native-otp-manage -loginSchema LSCHEMA_INT
bind authentication policylabel auth-pol-label-native-otp-manage -policyName auth-pol-otpmanage-ldap -priority 100 -gotoPriorityExpression NEXT
Bind policies to the Authentication vServer:
bind authentication vserver int-aaa_vs_manageotp.domain.com -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END
bind authentication vserver int-aaa_vs_manageotp.domain.com -policy ldap-auth-native-otp -priority 100 -nextFactor auth-pol-label-native-otp-manage -gotoPriorityExpression NEXT
In order to onboard users, direct them to the manageotp site from the trusted internal LAN:
https://manageotp.domain.local/manageotp (Points to AAA vServer Internally)
Log in with UserPrincipalName:
Add your device:
Insert a name for the device (this name, together with random numeric characters, will be written into the userParameters attribute of the user in Active Directory):
A secret barcode has now been created; scan and enroll it with your favourite authenticator app (my favourite is Authenticator Plus):
Test the Authenticator OTP generated from your authenticator app:
Verify successful OTP test:
Note: I noticed that once a user had been registered for OTP, I could not log in with the same user to manage my OTP registration. I was met by the following at login:
You would have to clear the userParameters attribute on the user object in Active Directory, basically revoking the device registration.
Step 2 – Configure Native OTP for MFA / Dual Auth
In this part we implement our AAA or NSG nFactor vServer in the DMZ with dual authentication, reachable from the outside (Internet).
Add AAA vServer for external dual auth:
add authentication vserver ext-aaa2f_vs-native-otp SSL 10.3.4.5 443
Add Dual Auth Login Schema in nFactor:
add authentication loginSchema dual-auth-native-otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication loginSchemaPolicy auth-scheme-dual-factor-native-otp -rule true -action dual-auth-native-otp
bind authentication vserver ext-aaa2f_vs-native-otp -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END
bind authentication vserver ext-aaa2f_vs-native-otp -policy auth-scheme-dual-factor-native-otp -priority 110 -gotoPriorityExpression END
Add and bind the Authentication Policy label:
add authentication policylabel auth-pol-label-native-otp-mfa -loginSchema LSCHEMA_INT
bind authentication policylabel auth-pol-label-native-otp-mfa -policyName ldap-auth-native-otp-2f -priority 10 -gotoPriorityExpression NEXT
bind authentication vserver ext-aaa2f_vs-native-otp -policy auth-pol-ldap-vchur.local -priority 10 -nextFactor auth-pol-label-native-otp-mfa -gotoPriorityExpression NEXT
Two login schemas have been added:
One advanced authentication server with a policy label has now been added:
Policy Label:
Add a load-balanced application with nFactor pre-authentication enabled:
add lb vserver lb-vs-phpipam-ssl-ext SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost login.domain.com -Authentication ON -authnVsName ext-aaa2f_vs-native-otp
Now navigate to the public-facing site and test access and the login process with login and the authenticator app OTP:
NetScaler Gateway and Native OTP with nFactor
NetScaler Gateway-protected applications can also be used with nFactor integrated with Native OTP and MFA. In this scenario an authentication profile is created and bound to the NetScaler Gateway in scope.
Add Authentication vServer:
add authentication vserver aaa-vs-ext-2f-otp-nf SSL 0.0.0.0
Add Authentication Profile:
add authentication authnProfile auth-prof-2nf -authnVsName aaa-vs-ext-2f-otp-nf
Bind Login Schemas:
bind authentication vserver aaa-vs-ext-2f-otp-nf -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END
bind authentication vserver aaa-vs-ext-2f-otp-nf -policy auth-scheme-dual-factor-native-otp -priority 110 -gotoPriorityExpression END
Bind Advanced Authentication Policy:
bind authentication vserver aaa-vs-ext-2f-otp-nf -policy auth-pol-ldap-domain.local -priority 100 -nextFactor auth-pol-label-native-otp-mfa -gotoPriorityExpression NEXT
Now bind the authentication profile to the NSG vServer to use Native OTP and nFactor with NetScaler Gateway.
Native OTP documentation at citrix.com: