Configure “Authentication Verification Order” Different to the Order Prompted on Logon Page Using NetScaler nFactor

nFactor Flow Presentation through Visualizer

Configuration through the CLI

Complete the following steps to configure an “authentication verification order” that differs from the order prompted on the logon page, using NetScaler nFactor:

1. Configure an AAA (Authentication) virtual server, let's say AAA_SERVER. An AAA virtual server is required for n-factor authentication to work.

2. Create a login schema for managing OTP devices and bind it to the AAA vserver:

add authentication loginSchema manage_otp_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"

add authentication loginSchemaPolicy lschema_manage_otp_pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action manage_otp_schema

bind authentication vserver aaa_vserver -policy lschema_manage_otp_pol -priority 100 -gotoPriorityExpression END

3. Create a login schema for dual authentication. The following is a sample login schema for your reference:

add authentication loginSchema dual_auth_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwdExpression "HTTP.REQ.BODY(1000).SET_TEXT_MODE(URLENCODED).TYPECAST_NVLIST_T('=','&').VALUE(\"passwd\").DECODE_USING_TEXT_MODE"

add authentication loginSchemaPolicy lschema_dual_auth_pol -rule true -action dual_auth_schema

bind authentication vserver aaa_vserver -policy lschema_dual_auth_pol -priority 110 -gotoPriorityExpression END

4. Create Authentication Policies and actions as below:

a. LDAP Authentication to register the device

add authentication ldapAction LDAP_Server -serverIP xx.xx.xx.xx -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword efa9d541bf30abbc164ae093f985ac5973dvafca27de626585999e7c288acabb470 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn

add authentication Policy manage_OTP_LDAP -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_Server

b. Managing the devices:

add authentication ldapAction LDAP_manage_OTP -serverIP xx.xx.xx.xx -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword 53b2711cc22386574fb48e29045b5b3dffadcf3e6f7739b11e545114cefb6123df9 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED -OTPSecret userParameters

add authentication Policy manage_OTP -rule true -action LDAP_manage_OTP

c. For verifying the OTP:

add authentication ldapAction LDAP_verify_OTP -serverIP xx.xx.xx.xx -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword 67ea96bvve5b149f974acb0bada4234e526c80a663d3bd63022205ea6cb8bc899c -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -authentication DISABLED -OTPSecret userParameters

add authentication Policy Verify_OTP -rule true -action LDAP_verify_OTP

d. LDAP Policy for the delayed LDAP Auth

add authentication Policy LDAP_adv_Auth -rule true -action LDAP_Server

5. Create Policy Labels as below:

a. Policy Label for verifying OTP when device is registered

add authentication policylabel Verify_OTP -loginSchema LSCHEMA_INT

bind authentication policylabel Verify_OTP -policyName Verify_OTP -priority 100 -gotoPriorityExpression END

b. Policy Label for managing registered devices:

add authentication policylabel manage_otp -loginSchema LSCHEMA_INT

bind authentication policylabel manage_otp -policyName manage_OTP -priority 100 -gotoPriorityExpression NEXT -nextFactor Verify_OTP

c. For delayed LDAP Authentication during dual authentication

add authentication loginSchema noschema_schema -authenticationSchema noschema -passwdExpression "HTTP.REQ.BODY(1000).SET_TEXT_MODE(URLENCODED).TYPECAST_NVLIST_T('=','&').VALUE(\"passwd1\").DECODE_USING_TEXT_MODE"

add authentication policylabel LDAP_Policylabel -loginSchema noschema_schema

bind authentication policylabel LDAP_Policylabel -policyName LDAP_adv_Auth -priority 100 -gotoPriorityExpression END

6. Bind the authentication policies to the AAA vserver:

bind authentication vserver aaa_vserver -policy manage_OTP_LDAP -priority 100 -nextFactor manage_otp -gotoPriorityExpression NEXT

bind authentication vserver aaa_vserver -policy Verify_OTP -priority 110 -nextFactor LDAP_Policylabel -gotoPriorityExpression NEXT

Note: In the preceding sample, the LDAP policy name for dual authentication is LDAP_adv_Auth and the OTP policy name is Verify_OTP.

If this configuration is completed on a NetScaler Gateway setup, you also need to create an authentication profile and bind it to the NetScaler Gateway vserver:

add authentication authnProfile gatewayauth -authnVsName AAA_SERVER

set vpn vserver ICA1 -authnProfile gatewayauth

ICA1 is the NetScaler Gateway virtual server name.

Using the preceding steps, the browser prompts the user for two passwords, but NetScaler processes the second password first.
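To confirm that a flow really verifies the factors in the intended order, the following added Python script (not Citrix code and not part of the original article) parses the dual-authentication commands from the CLI steps above, follows the AAA vserver binding through -nextFactor into the policy label, and reports for each factor what its action actually verifies and which logon-form field its schema's passwdExpression feeds it. The config text, the server IP and the "inherited" label for factors without a passwdExpression are constructed for this example, and the walk assumes every CLI option takes exactly one value.

```python
import re
import shlex
from collections import defaultdict
# Constructed sample of this page's dual-auth chain (server details, the encrypted bind password and the manage-OTP branch trimmed).
NS_CONF = r'''
add authentication ldapAction LDAP_Server -serverIP 10.0.0.1 -ldapLoginName sAMAccountName
add authentication ldapAction LDAP_verify_OTP -serverIP 10.0.0.1 -authentication DISABLED -OTPSecret userParameters
add authentication Policy Verify_OTP -rule true -action LDAP_verify_OTP
add authentication Policy LDAP_adv_Auth -rule true -action LDAP_Server
add authentication loginSchema dual_auth_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwdExpression "HTTP.REQ.BODY(1000).SET_TEXT_MODE(URLENCODED).TYPECAST_NVLIST_T('=','&').VALUE(\"passwd\").DECODE_USING_TEXT_MODE"
add authentication loginSchema noschema_schema -authenticationSchema noschema -passwdExpression "HTTP.REQ.BODY(1000).SET_TEXT_MODE(URLENCODED).TYPECAST_NVLIST_T('=','&').VALUE(\"passwd1\").DECODE_USING_TEXT_MODE"
add authentication policylabel LDAP_Policylabel -loginSchema noschema_schema
bind authentication policylabel LDAP_Policylabel -policyName LDAP_adv_Auth -priority 100 -gotoPriorityExpression END
bind authentication vserver aaa_vserver -policy Verify_OTP -priority 110 -nextFactor LDAP_Policylabel -gotoPriorityExpression NEXT
'''

def load(conf):
    """Index 'add' objects by kind and name and 'bind' entries by (kind, target); assumes every -option takes one value."""
    cfg, binds = defaultdict(dict), defaultdict(list)
    for line in conf.strip().splitlines():
        verb, _, kind, name, *rest = shlex.split(line)
        opts = {rest[i].lstrip("-"): rest[i + 1] for i in range(0, len(rest), 2)}
        if verb == "add":
            cfg[kind][name] = opts
        else:
            binds[kind, name].append(opts)
    return cfg, binds

def check_kind(cfg, policy):
    """What the policy's action really verifies: a password bind, an OTP, or only an LDAP lookup."""
    action = cfg["Policy"][policy]["action"]
    act = cfg["ldapAction"].get(action)
    if act is None:
        return action                                  # non-LDAP action, e.g. NO_AUTHN
    return "otp" if "OTPSecret" in act else "ldap-lookup" if act.get("authentication") == "DISABLED" else "ldap-password"

def verification_order(cfg, binds, vserver, schema):
    """Factor chains from the vserver as (policy, check, logon-form field), first verified first; schema is the login schema the vserver's loginSchemaPolicy presents."""
    def walk(entries, schema, prefix):
        m = re.search(r'VALUE\("(\w+)"\)', cfg["loginSchema"].get(schema, {}).get("passwdExpression", ""))
        field, paths = (m.group(1) if m else "inherited"), []   # which password box this factor consumes
        for b in sorted(entries, key=lambda b: int(b["priority"])):
            pol = b.get("policy", b.get("policyName"))
            if pol not in cfg["Policy"]:
                continue                               # a loginSchemaPolicy binding, not a factor
            step = prefix + [(pol, check_kind(cfg, pol), field)]
            nxt = b.get("nextFactor")
            paths += walk(binds["policylabel", nxt], cfg["policylabel"][nxt]["loginSchema"], step) if nxt else [step]
        return paths
    return walk(binds["vserver", vserver], schema, [])
```

Running it against an exported ns.conf lets you see that the OTP check consumes the "passwd" field and the LDAP bind consumes "passwd1", and that at least one factor in each chain really binds with the user's password.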

Configuration through Visualizer

1. Go to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

2. Click the + sign to add the nFactor Flow.

3. Add a factor; its name becomes the name of the nFactor Flow.

4. No schema is needed in this factor, because it only checks whether the user needs to register or be authenticated.

5. Click Add Policy to add an authentication policy with action NO_AUTHN. In Expression, type HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp")

6. Bind the policy created above and click Add.

7. Click the blue + sign to add another policy for the dual authentication of users who are already registered.

8. Create another authentication policy with action type NO_AUTHN.

9. Click the green + sign next to Manage_OTP_Check to create the next factor, which registers the users.

10. Select the Create Factor radio button and type a name for this factor in Factor Name.

11. Click Add Schema and choose the schema for registering devices. This schema can be created by following step 2 of the CLI configuration.

12. Click Add Policy and choose the authentication policy that manages the device. This authentication policy can be created with the command in step 4 b of the CLI configuration.

13. Click the green + sign next to manage_OTP to add another factor that verifies the OTP once the device is added.

14. Click Select Factor and type a name for the factor in Factor Name.

15. No schema is needed for this factor. Click Add Policy to select a policy for OTP authentication and click Add.

16. To create a factor for dual authentication, click the green + sign next to Dual_Auth_Check in the first factor.

17. Select Create Factor to add another factor for dual authentication.

18. Click Add Schema to choose a schema for dual authentication. This schema can be added with the command given in step 3 of the CLI configuration.

19. Click Add Policy to add the authentication policy that verifies the OTP before LDAP authentication.

20. Click the green + sign to add another factor for the delayed LDAP authentication.

21. Select Create Factor and type the Factor Name.

22. Only a policy is added in this factor. Click Add Policy to add the LDAP authentication policy.

23. Click Done; this automatically saves the configuration.

24. Select the nFactor Flow just created and bind it to an AAA virtual server by clicking Bind to Authentication Server and then Create.

NOTE: Bind and unbind the nFactor Flow only through the option given under Show Bindings in nFactor Flow.

To unbind the nFactor Flow:

1. Select the nFactor Flow and click Show Bindings.

2. Select the authentication vserver and click Unbind.

