Native OTP and MFA in Citrix NetScaler 12

Finally, NetScaler 12.0 build 51.24 was released July 20 – 2017 and introduces two great new features among other things:

Native OTP (OneTimePassword) via nFactor
Secure Web Gateway (Will be covered in a later post)

I am very excited to follow development on these two features.

This post is focusing on Native OTP, benefits and implementation steps.

Table of Contents

Intro

The new released Native OTP feature is based on nFactor authentication policies, which allows us to do conditional authentication for browser based clients. We can increase security and protect our line-of-business apps with Multi Factor Authentication (MFA), by e.g. enabling AD authentication in the first factor and OTP (via Google Authenticator or similar Authenticator app) in the second factor.

Benefits / Objectives

Benefits of implementing Native OTP in NetScaler:

Increase Security on external delivered business resources
Reduce capital and operational expenses
Eliminate need of complex infrastructure to support OTP
Central and consolidated configuration – better control

Requirements

Following list the requirements for implementing Native OTP in NetScaler 12:

NetScaler 12.0 Build 51.24 / Min. Enterprise license
Admin knowledge of nFactor authentication
NetScaler LDAP Admin needs write access to selected AD Attribute (userParameters)
NetScaler and client must sync time from same Time Server
NetScaler basic configuration (Management IP, certificates etc.) has been configured

OTP Registration Flow

From docs.citrix.com.

Following is an example of the flow of events in registering an OTP:

User acknowledges that he needs to register a new OTP.
NetScaler receives the request and generates a random secret and base32 encodes the secret.
NetScaler updates AD object with the OTP secret at an attribute specified by administrator.
Upon successful AD update, NetScaler generates a response to show QR code and secret to the user.
User uses an app (Google Authenticator or so) to read the secret and scans the QR code image or manually enters the secret to the app.
Once the secret is read, app on user’s mobile keeps generating OTP that expires in a preset time interval (30 seconds or so).

OTP Verification Flow

From docs.citrix.com.

Following is an example of the flow of events in verification of the OTP:

User enters the OTP number from his app of choice.
NetScaler retrieves the secret from AD user object.
If retrieval succeeds, NetScaler re-computes the OTP and checks against the presented code.
NetScaler tries previous and next 30 seconds epoch to compute OTP codes.
NetScaler displays success message if any of the generated codes match the incoming code.

Implementation

Step 1 – Manage OTP – Onboarding users

I choose only to allow “registration” of the Authenticator app and Barcode secret from Internal LAN only. So that is why I have split up and seperated this in 2 AAA vServers, One in internal LAN for Management of OTP and One AAA vServer in DMZ for the 2-factor nFactor authentication.

Create LDAP Authentication Policy and Profile for Management of OTP:

add authentication ldapAction auth-prof-otpmanagement-ldap -serverIP 1.10.1.21 -ldapBase “dc=domain,dc=local" -ldapBindDn nsldapuser@domain.local -ldapBindDnPassword PASSWD  -ldapLoginName userprincipalname -ssoNameAttribute userprincipalname -authentication DISABLED -Attribute1 mail -Attribute2 objectGUID -Attribute3 immutableID -OTPSecret userParameters

add authentication ldapPolicy auth-pol-otpmanage-ldap ns_true auth-prof-otpmanagement-ldap

add authentication ldapAction auth-prof-otpmanagement-ldap -serverIP 1.10.1.21 -ldapBase “dc=domain,dc=local" -ldapBindDn nsldapuser@domain.local -ldapBindDnPassword PASSWD -ldapLoginName userprincipalname -ssoNameAttribute userprincipalname -authentication DISABLED -Attribute1 mail -Attribute2 objectGUID -Attribute3 immutableID -OTPSecret userParameters

add authentication ldapPolicy auth-pol-otpmanage-ldap ns_true auth-prof-otpmanagement-ldap

Add nFactor Login Schema:

add authentication loginSchema native-otp-singleauth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"

1	add authentication loginSchema native-otp-singleauth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"

Add and configure Authentication vServer:

add authentication vserver int-aaa_vs_manageotp.domain.com SSL 10.1.2.3 443

1	add authentication vserver int-aaa_vs_manageotp.domain.com SSL 10.1.2.3 443

Create Policy Label:

add authentication policylabel auth-pol-label-native-otp-manage -loginSchema LSCHEMA_INT

bind authentication policylabel auth-pol-label-native-otp-manage -policyName auth-pol-otpmanage-ldap -priority 100 -gotoPriorityExpression NEXT

add authentication policylabel auth-pol-label-native-otp-manage -loginSchema LSCHEMA_INT

bind authentication policylabel auth-pol-label-native-otp-manage -policyName auth-pol-otpmanage-ldap -priority 100 -gotoPriorityExpression NEXT

Bind policies to Authentication Server:

bind authentication vserver int-aaa_vs_manageotp.domain.com -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END

bind authentication vserver int-aaa_vs_manageotp.domain.com -policy ldap-auth-native-otp -priority 100 -nextFactor auth-pol-label-native-otp-manage -gotoPriorityExpression NEXT

bind authentication vserver int-aaa_vs_manageotp.domain.com -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END

bind authentication vserver int-aaa_vs_manageotp.domain.com -policy ldap-auth-native-otp -priority 100 -nextFactor auth-pol-label-native-otp-manage -gotoPriorityExpression NEXT

In order to Onboard users, direct users to manageotp site from trusted internal LAN:
https://manageotp.domain.local/manageotp (Points to AAA vServer Internally)

img-alternative-text

Add your device:

img-alternative-text

Insert name for device (this will update and insert this name together with random numeric characters in the UserParameters attribute in ActiveDirectory for the user):

img-alternative-text

Now a secret barcode has been created, scan and enroll it with your favourite Authenticator App (My favourite is Authenticator Plus) :

img-alternative-text

Test the Authenticator OTP generated from your authenticator app:

img-alternative-text

Verify successful OTP test:

img-alternative-text

Note. I noticed that when one user had been registered for OTP, I could not log in with the same user to manage my OTP registration. I was met by the following at login:

img-alternative-text

You would have to clear the fields of userParameters attribute at the user object in Active Directory, basically revoking the device registration.

Step 2 – Configure Native OTP for MFA / Dual Auth

In this part we implement our AAA or NSG nFactor vServer in DMZ with dual authentication, reachable from outside (Internet).

Add AAA vServer for external dual auth:

add authentication vserver ext-aaa2f_vs-native-otp SSL 10.3.4.5 443

1	add authentication vserver ext-aaa2f_vs-native-otp SSL 10.3.4.5 443

Add Dual Auth Login Schema in nFactor:

add authentication loginSchema dual-auth-native-otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"

add authentication loginSchemaPolicy auth-scheme-dual-factor-native-otp -rule true -action dual-auth-native-otp

bind authentication vserver ext-aaa2f_vs-native-otp -policy auth-scheme-dual-factor-native-otp -priority 110 -gotoPriorityExpression END

bind authentication vserver ext-aaa2f_vs-native-otp -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END

bind authentication vserver ext-aaa2f_vs-native-otp -policy auth-scheme-dual-factor-native-otp -priority 110 -gotoPriorityExpression END

add authentication loginSchema dual-auth-native-otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"

add authentication loginSchemaPolicy auth-scheme-dual-factor-native-otp -rule true -action dual-auth-native-otp

bind authentication vserver ext-aaa2f_vs-native-otp -policy auth-scheme-dual-factor-native-otp -priority 110 -gotoPriorityExpression END

bind authentication vserver ext-aaa2f_vs-native-otp -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END

bind authentication vserver ext-aaa2f_vs-native-otp -policy auth-scheme-dual-factor-native-otp -priority 110 -gotoPriorityExpression END

Add and bind Authentication Policy label:

add authentication policylabel auth-pol-label-native-otp-mfa -loginSchema LSCHEMA_INT

bind authentication policylabel auth-pol-label-native-otp-mfa -policyName ldap-auth-native-otp-2f -priority 10 -gotoPriorityExpression NEXT

bind authentication vserver ext-aaa2f_vs-native-otp -policy auth-pol-ldap-vchur.local -priority 10 -nextFactor auth-pol-label-native-otp-mfa -gotoPriorityExpression NEXT

add authentication policylabel auth-pol-label-native-otp-mfa -loginSchema LSCHEMA_INT

bind authentication policylabel auth-pol-label-native-otp-mfa -policyName ldap-auth-native-otp-2f -priority 10 -gotoPriorityExpression NEXT

bind authentication vserver ext-aaa2f_vs-native-otp -policy auth-pol-ldap-vchur.local -priority 10 -nextFactor auth-pol-label-native-otp-mfa -gotoPriorityExpression NEXT

Two LoginSchemas has been added:

img-alternative-text

One Advanced Authentication server with Policy Label has now been added:

img-alternative-text

Policy Label:

img-alternative-text

Add Load Balanced Application with nFactor pre-auth enabled:

add lb vserver lb-vs-phpipam-ssl-ext SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost login.domain.com -Authentication ON -authnVsName ext-aaa2f_vs-native-otp

1	add lb vserver lb-vs-phpipam-ssl-ext SSL 0.0.0.0 0 -persistenceType NONE -cltTimeout 180 -AuthenticationHost login.domain.com -Authentication ON -authnVsName ext-aaa2f_vs-native-otp

Now navigate to the public facing site, and test access and login process with login and Authenticator App OTP:

img-alternative-text

NetScaler Gateway and Native OTP with nFactor

NetScaler Gateway protected applications could also be used with nFactor integrated with Native OTP and MFA. In this scenarie an authentication profile is created and bound to the NetScaler Gateway in scope.

Add Authentication vServer:

add authentication vserver aaa-vs-ext-2f-otp-nf SSL 0.0.0.0

1	add authentication vserver aaa-vs-ext-2f-otp-nf SSL 0.0.0.0

Add Authentication Profile:

add authentication authnProfile auth-prof-2nf -authnVsName aaa-vs-ext-2f-otp-nf

1	add authentication authnProfile auth-prof-2nf -authnVsName aaa-vs-ext-2f-otp-nf

Bind Login Schemas:

bind authentication vserver aaa-vs-ext-2f-otp-nf -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END

bind authentication vserver aaa-vs-ext-2f-otp-nf -policy auth-scheme-dual-factor-native-otp -priority 110 -gotoPriorityExpression END

bind authentication vserver aaa-vs-ext-2f-otp-nf -policy lschema_first_factor-native-otp-manage -priority 100 -gotoPriorityExpression END

bind authentication vserver aaa-vs-ext-2f-otp-nf -policy auth-scheme-dual-factor-native-otp -priority 110 -gotoPriorityExpression END

Bind Advanced Authentication Policy:

bind authentication vserver aaa-vs-ext-2f-otp-nf -policy auth-pol-ldap-domain.local -priority 100 -nextFactor auth-pol-label-native-otp-mfa -gotoPriorityExpression NEXT

1	bind authentication vserver aaa-vs-ext-2f-otp-nf -policy auth-pol-ldap-domain.local -priority 100 -nextFactor auth-pol-label-native-otp-mfa -gotoPriorityExpression NEXT

Now bind the Authentication Profile at the NSG vServer to use native OTP and nFactor with NetScaler Gateway.

Native OTP documentation at citrix.com :

Citrix Docs – Native OTP

Intro

Benefits / Objectives

Requirements

OTP Registration Flow

OTP Verification Flow

Implementation

Step 1 – Manage OTP – Onboarding users

Step 2 – Configure Native OTP for MFA / Dual Auth

NetScaler Gateway and Native OTP with nFactor

Leave a Reply Cancel reply