Radius server test connectivity fails : Error: 1812/udp’ is not a valid Radius authentication port or Radius client is not configured properly in the Radius server.

We have seen cases where a PBR is configured for the management IP (NSIP) pointing to a next-hop gateway.

If the ADC does not have a SNIP in the same subnet as that next hop, the packet never leaves the ADC, so the RADIUS test fails.

Without such a SNIP, the RADIUS packet generated on the FreeBSD side and handed to the internal virtual server is never sent on to the actual RADIUS server.
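The subnet condition above can be checked before running the RADIUS connectivity test. The following is an added example (not Citrix code; the next hop and SNIP values are constructed) that reports whether any configured SNIP shares a subnet with the PBR next hop:

```python
import ipaddress

# Constructed sample values, not taken from the article.
# The PBR on the NSIP sends management-plane traffic (the RADIUS test from the
# FreeBSD side) to NEXT_HOP; the ADC can only forward it if it owns a SNIP in
# the same subnet as that next hop.
NEXT_HOP = "10.0.20.1"
SNIPS = ["10.0.10.5/24", "192.168.1.10/24"]


def snip_for_next_hop(next_hop, snips):
    """Return the SNIP (with prefix) whose subnet contains next_hop, or None."""
    hop = ipaddress.ip_address(next_hop)
    for snip in snips:
        iface = ipaddress.ip_interface(snip)
        if hop in iface.network:
            return str(iface)
    return None


def check_pbr_reachability(next_hop, snips):
    """Explain whether a PBR next hop is reachable from some SNIP."""
    match = snip_for_next_hop(next_hop, snips)
    if match is None:
        return (False, f"no SNIP shares a subnet with next hop {next_hop}; "
                       "the RADIUS test packet will never leave the ADC")
    return (True, f"next hop {next_hop} is reachable via SNIP {match}")


if __name__ == "__main__":
    ok, why = check_pbr_reachability(NEXT_HOP, SNIPS)
    print(("OK" if ok else "MISCONFIGURED") + ": " + why)
```

Feed it the output of `show ns ip` (SNIPs with their netmasks) and the next hop from `show ns pbr`; a `MISCONFIGURED` result means either adding a SNIP in the next hop's subnet or pointing the PBR at a reachable gateway.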


Citrix Receiver for Web: Error “Cannot complete your request”

There can be multiple reasons behind this issue, because the error message shown in the web browser is very generic. To isolate and resolve the issue, follow these steps:

1. From a test machine, ping the base URL and confirm which IP it resolves to:

  • Case 1: Unable to resolve any IP
Make sure the base URL is correct and that there is a DNS entry for it.
  • Case 2: Resolves to the Load Balancing VIP's IP
In this case we have to isolate whether it is a StoreFront issue or a NetScaler issue. We also need to verify all the StoreFront servers.
  1. Browse “Store for Web” using the IP address of StoreFront (or localhost) on the StoreFront server and confirm that you can log in and see resources; check this on all the StoreFront servers.
  2. If you are able to log in and see resources, the configuration on the LB VIP is causing the issue, and troubleshooting should be done on NetScaler.
  3. If you still get the same error, troubleshooting should be done on StoreFront.
  • Case 3: Resolves to one of the StoreFront servers' IPs
We have to troubleshoot StoreFront and check why it is causing the issue.
  • Case 4: Incorrect trusted domain configured
An incorrect trusted domain is configured for NetScaler Passthrough.

To resolve: correct the domain name, or select “All Domains” under “Manage Authentication Methods” for NetScaler Passthrough.


Troubleshooting StoreFront:
  1. Ping the base URL from the StoreFront servers; each StoreFront server should resolve the base URL to its own IP. If not, create a host entry (https://support.citrix.com/article/CTX235907).
  2. Make sure you are able to browse the default IIS page, as StoreFront depends on IIS.
  3. Make sure that the default Store was never deleted from the StoreFront server. Deleting the default Store can corrupt StoreFront, and StoreFront may need to be reinstalled.
  4. Confirm that the StoreFront services are running. The Citrix Cluster Join service can be in a disabled state (it is only used when adding a new server to the Server Group).
  5. Check the event viewer on the StoreFront server. There can be multiple Receiver for Web events, e.g. “Failed to run discovery” or “Unable to resolve/find URL at 443/80”.
    • This can happen because of the bindings in IIS. If the base URL is https, there must be an https binding on the StoreFront server with a valid certificate; if there is not, change the base URL to http and confirm you have an http/port 80 binding in IIS.
  6. Check the authentication methods under Store > Manage Authentication Methods.
    • If the only authentication method available is Username and Password but you have selected Smart Card in Manage Authentication Methods, StoreFront will have no way to authenticate users and will give errors.
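The resolution step and the https-binding check above can be scripted from the test machine. The following is an added example (not Citrix code); the VIP and StoreFront addresses are constructed placeholders, and the case labels are the ones used in the procedure above:

```python
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample topology; replace with your own VIP and StoreFront addresses.
LB_VIPS = {"10.0.0.50"}
STOREFRONT_IPS = {"10.0.1.11", "10.0.1.12"}


def classify_resolution(resolved_ips, lb_vips, storefront_ips):
    """Map what the base URL resolves to onto the cases in the procedure above."""
    if not resolved_ips:
        return "case1-unresolved"        # fix the base URL or add the DNS entry
    if any(ip in lb_vips for ip in resolved_ips):
        return "case2-lb-vip"            # isolate StoreFront vs NetScaler next
    if any(ip in storefront_ips for ip in resolved_ips):
        return "case3-storefront"        # troubleshoot StoreFront directly
    return "unexpected-ip"               # neither VIP nor StoreFront: DNS points elsewhere


def next_step(case):
    """The next troubleshooting target for each case, as the procedure prescribes."""
    return {
        "case1-unresolved": "check the base URL spelling and create the DNS record",
        "case2-lb-vip": "browse the store on each StoreFront server directly; "
                        "if that works, troubleshoot the NetScaler LB VIP",
        "case3-storefront": "troubleshoot StoreFront (IIS bindings, services, event log)",
        "unexpected-ip": "DNS points at something that is neither the VIP nor a StoreFront server",
    }[case]


def resolve_host(hostname):
    """IPv4 addresses the test machine resolves hostname to (empty list if none)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_https_binding(hostname, port=443, timeout=5):
    """Step 5: confirm a listener on 443 presents a certificate valid for the base URL host."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return True, f"{tls.version()} handshake with a certificate valid for {hostname}"
    except ssl.SSLCertVerificationError as e:
        return False, f"certificate not valid for {hostname}: {e.verify_message}"
    except ssl.SSLError as e:
        return False, f"TLS handshake failed: {e}"
    except OSError as e:
        return False, f"no https listener on {hostname}:{port} ({e})"


def diagnose(base_url, lb_vips=LB_VIPS, storefront_ips=STOREFRONT_IPS):
    """Run step 1 (and the binding check when the base URL is https) and return report lines."""
    host = urlparse(base_url).hostname
    ips = resolve_host(host)
    case = classify_resolution(ips, lb_vips, storefront_ips)
    report = [f"{base_url} -> {ips or 'unresolved'}: {case}; {next_step(case)}"]
    if ips and base_url.lower().startswith("https://"):
        ok, why = check_https_binding(host)
        report.append(("https binding OK: " if ok else "https binding problem: ") + why)
    return report


if __name__ == "__main__":
    import sys
    for line in diagnose(sys.argv[1] if len(sys.argv) > 1 else "https://storefront.example.com"):
        print(line)
```

Run it against the base URL from each StoreFront server as well as from the test machine: on a StoreFront server the expected result is `case3-storefront` pointing at its own IP, and a `certificate not valid` line is the same condition the event viewer reports as a failed discovery.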


Cisco NX-OS Software ICMP Version 6 Memory Leak Denial of Service Vulnerability

A vulnerability in ICMP Version 6 (ICMPv6) processing in Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a slow system memory leak, which over time could lead to a denial of service (DoS) condition.

This vulnerability is due to improper error handling when an IPv6-configured interface receives a specific type of ICMPv6 packet. An attacker could exploit this vulnerability by sending a sustained rate of crafted ICMPv6 packets to a local IPv6 address on a targeted device. A successful exploit could allow the attacker to cause a system memory leak in the ICMPv6 process on the device. As a result, the ICMPv6 process could run out of system memory and stop processing traffic. The device could then drop all ICMPv6 packets, causing traffic instability on the device. Restoring device functionality would require a device reboot.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fxos-nxos-icmpv6-dos-YD55jVCq

Security Impact Rating: Medium

CVE: CVE-2021-1229


nFactor – Certificate Fallback to LDAP in Same Cascade with One Virtual Server for Certificate and LDAP Authentication on Citrix ADC

Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

This article describes the following scenario:

  1. The first factor is configured for either Certificate or LDAP authentication.

  2. If a user fails to present a certificate for authentication, there is an option to fall back to LDAP authentication.

  3. Only a single authentication vserver is needed to configure both.

This section describes these steps in detail. The first section briefly introduces the entities that are encountered in this document, and in general for nFactor authentication. The next section pictographically demonstrates the flow. The following sections have example “LoginSchema” that can be used to realize the logon form, and the relevant configuration.

Entities used in nFactor

LoginSchema

Login Schema is an XML construct that is aimed at providing sufficient information to the UI tier so that it can generate the user interface based on the information sent in this XML blob. A LoginSchema is a logical representation of the logon form in XML.

It can be added as:

add authentication loginSchema <name> -authenticationSchema <XML-Blob> -userExpression <Expression> -passwordExpression <Expression>

where authenticationSchema is a well-structured XML document that defines how the login form is rendered, userExpression is the expression used to extract the username from the login attempt, and passwordExpression likewise extracts the password.

Authentication Policylabel

Auth Policy label is a collection of authentication policies for a particular factor. It is recommended that these are pseudo-homogenous policies, which means, the credentials received from user apply to all the policies in the cascade. However, there are exceptions to this when a fallback option is configured or feedback mechanism is intended.

Authentication policy labels constitute secondary/user-defined factors. With nFactor, there’s no single “secondary” cascade. There could be “N” secondary factors based on configuration. There could be as many policy labels as desired and the number of factors for a given authentication is defined by the longest sequence of policylabels beginning with the vserver cascade.

When an authentication policy is bound to authentication vserver, specify nextFactor, which represents a policylabel/factor that would be taken if the policy succeeds. Likewise, when policies are bound to policylabels, nextFactor specifies the next policylabel to continue if the policy succeeds.

It can be added as:

add authentication policylabel <name> -loginSchema <loginSchemaName>

Where, loginSchemaName will be the login schema that we want to associate with this authentication factor.

We can bind authentication policies to this label:

bind authentication policylabel <name> -policy LDAP -priority 10 -nextFactor <nextFactorLabelName>

Use Case Description

  1. The user accesses the TM vserver and is redirected to the Authentication vserver.

  2. If a user certificate is present on the client device, the user is prompted to select the certificate for authentication.

  3. Upon selecting the appropriate certificate, the user is authenticated and granted access to the backend resource.

  4. If the user certificate is absent, the user instead sees a login page for LDAP authentication; on submitting their credentials, they are authenticated and granted access to the backend resource.

Users see a login page with Username and Password fields. Items such as the labels for username and password can be customized.

Here’s the example used for this specific representation of logon form:

<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status>
  <Result>more-info</Result>
  <StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential>
          <ID>login</ID>
          <SaveID>ExplicitForms-Username</SaveID>
          <Type>username</Type>
        </Credential>
        <Label>
          <Text>Enter Login Name:</Text>
          <Type>plain</Type>
        </Label>
        <Input>
          <AssistiveText>Please supply either username as saamaccountname</AssistiveText>
          <Text>
            <Secret>false</Secret>
            <ReadOnly>false</ReadOnly>
            <InitialValue></InitialValue>
            <Constraint>.+</Constraint>
          </Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential>
          <ID>passwd</ID>
          <SaveID>ExplicitForms-Password</SaveID>
          <Type>password</Type>
        </Credential>
        <Label>
          <Text>Password:</Text>
          <Type>plain</Type>
        </Label>
        <Input>
          <Text>
            <Secret>true</Secret>
            <ReadOnly>false</ReadOnly>
            <InitialValue></InitialValue>
            <Constraint>.+</Constraint>
          </Text>
        </Input>
      </Requirement>
      <Requirement>
        <Credential>
          <Type>none</Type>
        </Credential>
        <Label>
          <Text>Hello, Please submit password to continue Login ...</Text>
          <Type>confirmation</Type>
        </Label>
        <Input/>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>

The customizable portions of the logon form (such as the label text) can be modified by administrators to suit their needs.
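Before binding a customized LoginSchema it is worth checking that the edited XML still describes a form the ADC can extract credentials from. The following is an added example (not Citrix code) that parses the schema above, embedded inline with the same content, and lints it: exactly one username and one password credential, the password input marked Secret, an input constraint on each credential, and a PostBack present. The credential IDs (`login`, `passwd`) are the form field names the login attempt submits, which is what the userExpression and passwordExpression of the loginSchema must extract.

```python
import xml.etree.ElementTree as ET

NS = {"a": "http://citrix.com/authentication/response/1"}

# The article's LoginSchema, re-indented and embedded here so the example runs offline.
LOGIN_SCHEMA = """<?xml version="1.0" encoding="UTF-8"?>
<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
  <Status>success</Status><Result>more-info</Result><StateContext/>
  <AuthenticationRequirements>
    <PostBack>/nf/auth/doAuthentication.do</PostBack>
    <CancelPostBack>/Citrix/Authentication/ExplicitForms/CancelAuthenticate</CancelPostBack>
    <CancelButtonText>Cancel</CancelButtonText>
    <Requirements>
      <Requirement>
        <Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential>
        <Label><Text>Enter Login Name:</Text><Type>plain</Type></Label>
        <Input><AssistiveText>Please supply either username as saamaccountname</AssistiveText>
          <Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input>
      </Requirement>
      <Requirement>
        <Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential>
        <Label><Text>Password:</Text><Type>plain</Type></Label>
        <Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue></InitialValue><Constraint>.+</Constraint></Text></Input>
      </Requirement>
      <Requirement>
        <Credential><Type>none</Type></Credential>
        <Label><Text>Hello, Please submit password to continue Login ...</Text><Type>confirmation</Type></Label>
        <Input/>
      </Requirement>
    </Requirements>
  </AuthenticationRequirements>
</AuthenticateResponse>"""


def _text(elem, path):
    """Stripped text of the first child matching path, or None if absent."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else None


def parse_login_schema(xml_bytes):
    """Reduce a LoginSchema to the fields the UI tier will render."""
    root = ET.fromstring(xml_bytes)
    fields = []
    for req in root.iterfind(".//a:Requirement", NS):
        fields.append({
            "id": _text(req, "a:Credential/a:ID"),
            "type": _text(req, "a:Credential/a:Type"),
            "label": _text(req, "a:Label/a:Text"),
            "label_type": _text(req, "a:Label/a:Type"),
            "secret": _text(req, "a:Input/a:Text/a:Secret") == "true",
            "constraint": _text(req, "a:Input/a:Text/a:Constraint"),
        })
    return {"status": _text(root, "a:Status"),
            "result": _text(root, "a:Result"),
            "postback": _text(root, "a:AuthenticationRequirements/a:PostBack"),
            "fields": fields}


def lint_login_schema(schema):
    """Return the problems an administrator should fix before binding the schema."""
    problems = []
    by_type = {}
    for f in schema["fields"]:
        by_type.setdefault(f["type"], []).append(f)
    if len(by_type.get("username", [])) != 1:
        problems.append("expected exactly one username credential")
    if len(by_type.get("password", [])) != 1:
        problems.append("expected exactly one password credential")
    for f in by_type.get("password", []):
        if not f["secret"]:
            problems.append(f"password field '{f['id']}' is not marked Secret")
    for f in schema["fields"]:
        if f["type"] in ("username", "password") and not f["constraint"]:
            problems.append(f"field '{f['id']}' has no input Constraint")
    if not schema["postback"]:
        problems.append("missing PostBack")
    return problems


if __name__ == "__main__":
    schema = parse_login_schema(LOGIN_SCHEMA.encode("utf-8"))
    for f in schema["fields"]:
        print(f"{f['type']:>9}  id={f['id']}  label={f['label']!r}  secret={f['secret']}")
    print("problems:", lint_login_schema(schema) or "none")
```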

nFactor Flow Presentation


Policies for this use-case

add lb vserver lb_ssl SSL 10.217.28.166 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost auth.aaatm.com -Authentication ON -authnVsName avn
add authentication vserver avn SSL 10.217.28.167 443 -AuthenticationDomain aaatm.com
bind authentication vserver avn -policy <Certificate Auth Policy> -priority 1 -gotoPriorityExpression NEXT
bind authentication vserver avn -policy <LDAP Auth Policy> -priority 2 -gotoPriorityExpression NEXT

The preceding configuration adds a TM vserver for resource access, an Authentication vserver for securing the TM vserver, and the relevant policies for this use case. The placeholders in angle brackets are to be replaced with the appropriate authentication policies by the administrator.

The GOTO priority expression is NEXT by default, so that we fall through to the next policy if a policy fails.

Certificate and LDAP Policy Configuration

The following is an example of certificate and LDAP policy configuration:

add authentication certAction ca -userNameField SubjectAltName:PrincipalName

add authenticationpolicy cert -rule true -action ca

add authentication ldapAction ldap-new -serverIP 10.217.28.180 -ldapBase "cn=users,dc=aaatm,dc=com" -ldapBindDn administrator@aaatm.com -ldapBindDnPassword 1.linux -ldapLoginName sAMAccountName -groupattrName memberof -subAttributeName CN

add authenticationpolicy ldap-new -rule true -action ldap-new

Configuration Through Visualizer

1. Go to Security > AAA-Application Traffic > nFactor Visualizer > nFactor Flow and click Add.

2. Click the + sign to add the nFactor Flow.

3. Add Factor; this will be the name of the nFactor Flow.

4. No schema needs to be selected for this configuration, as Cert Authentication does not require a login schema and, if authentication falls back to LDAP, the default login page is used.

5. Click Add Policy, choose the Cert Authentication Policy, and then click Add.

For more information on Client Cert Authentication see CTX205823.

6. Click the blue plus sign below the Cert_Policy just selected to add the LDAP Authentication Policy.

7. Select the LDAP_Policy and then click Add.

For more information on creating LDAP Authentication see Configuring LDAP Authentication.

8. Click Done; this automatically saves the configuration.

9. Select the nFactor Flow just created and bind it to an AAA Virtual Server by clicking Bind to Authentication Server and then Create.

Note: Bind and unbind the nFactor Flow only through the option given in nFactor Flow under Show Bindings.

To unbind the nFactor Flow:

1. Select the nFactor Flow and click Show Bindings.

2. Select the Authentication VServer and click Unbind.

Important ns.log Messages

  1. For the case when the certificate is absent:

ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New -NO_CLIENT_CERT-
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAATM Message 438 0 : "LoginSchema policyeval did not return an active policy"
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 524 0 : SPCBId 568 - ClientIP 10.252.112.163 - ClientPort 54500 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 439 0 : "core 2: ns_get_username_password: loginschema gleaned is default "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 440 0 : "aaad_authenticate_req: copying policylabel name avn to aaa info, type 33 for auth "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 441 0 : "sslvpn_extract_attributes_from_resp: attributes copied so far are user11.citrix "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default SSLVPN Message 442 0 : "sslvpn_extract_attributes_from_resp: total len copied 23, mask 0x5 "
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 443 0 : "SAMLIDP: Checking whether current flow is SAML IdP flow, input aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s"
Jul 30 21:09:11 <local0.debug> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAATM Message 444 0 : "Invaid tass cookie while checking whether current authentication is due to idp functionality: aHR0cDovL25zc3AuYWFhdG0uY29tL3Rlc3RtZS5odG1s "
Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3,Group2,group1"

  2. For the case when the certificate is present:

Jul 30 21:10:36 <local0.debug> 127.0.0.2 07/30/2015:21:10:36 GMT 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 452 0 : SPCBId 596 - ClientIP 10.217.28.185 - ClientPort 57227 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session Reuse
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 540 0 : SPCBId 578 - IssuerName " DC=com,DC=aaatm,CN=aaatm-DC-CA-1"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 541 0 : SPCBId 578 - SubjectName " DC=com,DC=aaatm,CN=Users,CN=user2"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "
Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0" - Group(s) "N/A"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLVPN Message 544 0 : "core 0: initClientForReuse: making aaa_service_fqdn_len 0 "
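The ns.log messages above are what an operator greps for when confirming which branch of the cascade a user took. The following is an added example (not Citrix code) that parses lines in this ns.log format, counts certificate-absent fallbacks and certificate successes, extracts the LOGIN and EXTRACTED_GROUPS details, and flags client certificates whose SignatureAlgorithm is SHA-1 based (the one in the excerpt is `sha1WithRSAEncryption`). The sample lines are constructed from the excerpts above and shortened to one line per event:

```python
import re

# ns.log line layout: "<date> <facility.severity> <host> <nsdate> GMT <PPE> : default <module> <event> <seq> 0 : <msg>"
NS_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) <(?P<sev>[^>]+)> \S+ \S+ GMT (?P<ppe>\S+) : "
    r"default (?P<module>\S+) (?P<event>\S+) (?P<seq>\d+) \d+ : (?P<msg>.*)$"
)

# Constructed sample, modelled on the excerpts above (shortened, one line per event).
SAMPLE = r'''
Jul 30 21:08:50 <local0.debug> 127.0.0.2 07/30/2015:21:08:50 GMT 0-PPE-2 : default AAA Message 437 0 : "NFactor: Cert Auth: certificate is absent, falling back nFactor login"
Jul 30 21:09:11 <local0.info> 127.0.0.2 07/30/2015:21:09:11 GMT 0-PPE-2 : default AAA EXTRACTED_GROUPS 445 0 : Extracted_groups "grp1,grp2,grp3"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 539 0 : SPCBId 578 - ClientIP 10.217.28.185 - ClientPort 57226 - VserverServiceIP 10.217.28.167 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA SSLv2 Non-Export 256-bit" - Session New- CLIENT_AUTHENTICATED -SerialNumber "140000000FAED08CAE9B092FEF00000000000F" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Mar 13 21:05:01 2015 GMT" - ValidTo "Mar 12 21:05:01 2016 GMT"
Jul 30 21:11:02 <local0.debug> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAA Message 542 0 : "NFactor: Successfully completed cert auth, nextfactor is "
Jul 30 21:11:02 <local0.info> 127.0.0.2 07/30/2015:21:11:02 GMT 0-PPE-0 : default AAATM LOGIN 543 0 : Context users@10.217.28.185 - SessionId: 37- User users - Client_ip 10.217.28.185 - Nat_ip "Mapped Ip" - Vserver 10.217.28.167:443 - Browser_type "Mozilla/5.0" - Group(s) "N/A"
'''


def parse_ns_log(text):
    """Split ns.log text into one dict per line; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def _grab(pattern, msg):
    m = re.search(pattern, msg)
    return m.group(1) if m else None


def summarize_auth(records):
    """Count cert-absent fallbacks and cert successes, list logins, flag SHA-1 signed client certs."""
    out = {"cert_absent_fallback": 0, "cert_auth_ok": 0, "client_certs": [],
           "logins": [], "groups": [], "warnings": []}
    for r in records:
        msg = r["msg"]
        if r["module"] == "AAA" and "certificate is absent" in msg:
            out["cert_absent_fallback"] += 1
        elif r["module"] == "AAA" and "Successfully completed cert auth" in msg:
            out["cert_auth_ok"] += 1
        elif r["event"] == "EXTRACTED_GROUPS":
            out["groups"] = (_grab(r'Extracted_groups "([^"]*)"', msg) or "").split(",")
        elif r["event"] == "SSL_HANDSHAKE_SUCCESS" and "CLIENT_AUTHENTICATED" in msg:
            cert = {"client_ip": _grab(r"ClientIP (\S+)", msg),
                    "serial": _grab(r'SerialNumber "([^"]+)"', msg),
                    "sigalg": _grab(r'SignatureAlgorithm "([^"]+)"', msg)}
            out["client_certs"].append(cert)
            if (cert["sigalg"] or "").lower().startswith("sha1"):
                out["warnings"].append(
                    f"client cert {cert['serial']} from {cert['client_ip']} is SHA-1 signed")
        elif r["event"] == "LOGIN":
            out["logins"].append({"user": _grab(r" User (\S+) - Client_ip", msg),
                                  "client_ip": _grab(r"Client_ip (\S+)", msg),
                                  "vserver": _grab(r"Vserver (\S+)", msg)})
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(summarize_auth(parse_ns_log(SAMPLE)), indent=2))
```

A rising `cert_absent_fallback` count for clients that are supposed to carry certificates is the signal to look at certificate distribution rather than at the LDAP factor; the SHA-1 warning is an added defender's check, since the issuing CA in the excerpt still signs with sha1WithRSAEncryption.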


Can we disable telephony ALG (Sip-Helper) for VPN connections?

Question

============

Can we disable ALG (SIP-Helper) for all VPN Sessions?

If possible for specific IP ranges or for AAA Groups?

How can we do this because it is causing phone connections to drop for a specific customer using other vendors for VoIP calls passing through the Gateway VPN.

Answer

=============

Unfortunately, it is not possible to bind the SIP header drop policy on a VPN Gateway nor to an AAA group.

SIP re-write policies will get evaluated only against SIP protocol type binding points, like a LB VIP of type SIP.

As a possible suggestion path to disable SIP in ADC you could ::

====================

First – find a way to route all your SIP type traffic to a SIP LoadBalance Virtual Server

Second – bind the re-write policy to this LBV. This way, SIP re-write policy will get evaluated against SIP protocol traffic.

Like ::

=====================

add rewrite action Drop_SIP_Helper_Act delete_sip_header SIP-Helper

add rewrite policy Drop_SIP_Helper_Pol "SIP.REQ.HEADER(\"SIP-Helper\").EXISTS" Drop_SIP_Helper_Act

This is the only way to disable SIP from ADC standpoint.

You could bind the re-write policy Globally as well, but even so, only SIP Protocol binding points (like SIP LB VIPs) will evaluate the policy.


Can the management centre send a Radius “AVP” to the Radius server?


Hi;

Can the management centre send a Radius attribute “AVP” to the Radius server? I mean in the Radius Authentication Request? Ideally, I would like the Management Centre to send the IP address of the user device supplying the username and password on the Management Centre's login page, which in turn will be sent to the Radius server.

So ideally, the MC should send the following to the Radius server:  “username+password+the IP address of the device of the user trying to authenticate”.

Kindly

Wasfi

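As background on what the question asks for, the following is an added example built from RFC 2865 (not Symantec code, and it does not say whether Management Centre can emit such an attribute): it encodes a RADIUS Access-Request on the wire carrying User-Name, User-Password and the standard Calling-Station-Id attribute (type 31), which is the attribute commonly used to carry the client's address, and decodes it again. The shared secret, user and addresses are constructed; the Request Authenticator is fixed only so the test is repeatable and must be random in real use.

```python
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    pw = password.encode("utf-8")
    pad = (-len(pw)) % 16 or (16 if not pw else 0)   # at least one 16-byte block
    pw += b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8")


def encode_attr(atype, value):
    """Type-Length-Value attribute; length covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, secret, username, password, nas_ip, client_ip, authenticator=None):
    """Access-Request with User-Name, User-Password, NAS-IP-Address and Calling-Station-Id."""
    authenticator = authenticator or os.urandom(16)        # 16 random bytes per request
    attrs = (encode_attr(USER_NAME, username.encode("utf-8"))
             + encode_attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed)
             + encode_attr(CALLING_STATION_ID, client_ip.encode("utf-8")))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet, secret):
    """Decode the header and attributes; returns {'code', 'id', 'attrs': {type: value}}."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        val = packet[pos + 2:pos + alen]
        pos += alen
        if atype == USER_PASSWORD:
            val = reveal_password(val, secret, authenticator)
        elif atype == NAS_IP_ADDRESS:
            val = str(ipaddress.ip_address(val))
        else:
            val = val.decode("utf-8", "replace")
        attrs[atype] = val
    return {"code": code, "id": ident, "attrs": attrs}


if __name__ == "__main__":
    pkt = build_access_request(7, b"shared-secret", "alice", "hunter2", "10.0.0.5", "192.0.2.44")
    print(parse_radius(pkt, b"shared-secret"))
```

Two caveats for anyone relying on this attribute: Calling-Station-Id is whatever the NAS chooses to put there, so the RADIUS server should treat it as a hint rather than an authenticated client address, and the User-Password hiding above is MD5-based, so the RADIUS exchange itself should run over a protected path (RADIUS over TLS per RFC 6614, or IPsec) rather than plain UDP/1812 across untrusted networks.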


Configure StorageZone Controller for TLS v1.2 Inbound Connections

Due to known vulnerabilities in older SSL/TLS protocols, administrators are looking to limit inbound connections to StorageZone Controllers to TLS v1.2. The following steps provide guidance on setting up your StorageZone Controller to accept TLS v1.2 connections, as well as steps to configure ShareFile clients to communicate over TLS v1.2.

Support is available as of StorageZones Controller v4.0 or higher. Validation was performed with an external-facing NetScaler configured for TLS v1.2 only on inbound connections to the Content Switching vServer.

If protocols earlier than TLS v1.2 are disabled on the StorageZones Controller, all client software components that interact with the StorageZone must also support TLS v1.2. Windows sync clients require Microsoft .NET Framework 4.5.2 and registry updates to support TLS v1.2. Mac sync clients do not support TLS v1.2. See below for details on how to configure Windows sync machines to use TLS v1.2.

Setup – NetScaler Configuration

At the Content Switch Virtual Server, modify SSL Parameters and enable TLS v1.2. You can also disable all other protocols.

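Once the SSL parameters on the Content Switching vserver have been changed, the result should be verified from outside. The following is an added example (not Citrix code) that attempts one handshake per protocol version against a host and port you supply and then judges whether the endpoint is TLS 1.2-only; `assess` is a pure function so it can also be run on results collected elsewhere. The hostname below is a placeholder:

```python
import socket
import ssl

# Protocol versions to try, oldest first (SSLv3 is not offered by modern Python builds).
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def probe_versions(host, port=443, timeout=5):
    """One handshake per version: 'accepted', 'refused' by the server, or 'untestable' from this host."""
    results = {}
    for name, version in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # testing version negotiation, not certificate trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            if version < ssl.TLSVersion.TLSv1_2:
                # OpenSSL 3 refuses legacy versions at its default security level
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[name] = "accepted"
        except ssl.SSLError as e:
            results[name] = "untestable" if e.reason == "NO_PROTOCOLS_AVAILABLE" else "refused"
        except (ValueError, OSError):
            results[name] = "untestable"
    return results


def assess(results):
    """Decide whether the endpoint is TLS 1.2-only as the StorageZone guidance requires."""
    findings = []
    for name, state in results.items():
        if name in ("TLSv1.0", "TLSv1.1") and state == "accepted":
            findings.append(f"{name} still accepted: disable it in the vserver SSL parameters")
        elif name == "TLSv1.2" and state == "refused":
            findings.append("TLSv1.2 refused: TLS 1.2-only clients (e.g. the Windows sync client) cannot connect")
        elif state == "untestable":
            findings.append(f"{name} could not be tested from this host (local OpenSSL policy)")
    compliant = not any(f.startswith(("TLSv1.0 still", "TLSv1.1 still", "TLSv1.2 refused"))
                        for f in findings)
    return compliant, findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "storagezone.example.com"   # placeholder
    results = probe_versions(host)
    ok, findings = assess(results)
    print(results)
    print("TLS 1.2-only:", ok, *findings, sep="\n")
```

An `untestable` result for TLS 1.0 or 1.1 means the probing host's own OpenSSL policy blocked the attempt, not that the server refused it; rerun from a host that still permits legacy versions before signing off.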

ShareFile Windows Client Configuration

Requirements:

  1. .NET 4.5.2 or higher
  2. The following registry key(s) must be applied to your Windows client operating system in order for .NET applications to communicate over TLS v1.2 outbound. A client OS restart is required.

IMPORTANT: The following registry setting allows .NET 4.0 applications to use TLS v1.2. This setting will apply to all .NET 4 applications installed, so please use caution when applying to ensure there will be no impacts to any other applications.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

For 64-bit systems, also include:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Tested Windows Operating Systems

  1. Windows 7 32-bit/64-bit
  2. Windows 8.1 32-bit/64-bit
  3. Windows 10 32-bit/64-bit

Tested Windows Clients

  1. ShareFile Sync Client for Windows
  2. ShareFile Outlook Plugin
  3. ShareFile Desktop App
  4. ShareFile Drive Mapper
  5. ShareFile PowerShell client

Tested ShareFile Mobile Clients

  1. iOS 8/9
  2. Windows 10 Metro
  3. Android 4.4.2, 5.0.2, 6

Tested Web Browsers

  1. IE 10 / 11 / Edge
  2. Chrome
  3. Firefox
  4. Safari

NetScaler Tested

  1. NetScaler 11.0 63.16


Not Supported

  1. ShareFile Sync for Mac
  2. Windows 8.1 Metro
  3. SFCLI


What is TCP_REFRESH_MISS and GIMS request?


I have enabled policy trace for www.youtube.com and found TCP_REFRESH_MISS. I read https://support.symantec.com/us/en/article.tech242963.html but I still don’t understand.

“TCP_REFRESH_MISS = A GIMS request to the server was forced and new content was returned.”

Does A GIMS request in the article mean proxy request to youtube or client request to proxy?


Citrix ADC UDP Counters

This article describes the newnslog User Datagram Protocol (UDP) counters and gives a brief description of each.

Using the Counters

Log on to the ADC using an SSH client, change to SHELL, navigate to the /var/nslog directory, and then use the ‘nsconmsg’ command to see comprehensive statistics using the different counters available. For the detailed procedure refer to Citrix Blog – NetScaler ‘Counters’ Grab-Bag!.

The newnslog UDP Counters

The following table lists the newnslog UDP counters with a brief description of each.

newnslog Counter          | Description
--------------------------|----------------------------------------------------------------
udp_err_unknown_services  | UDP packets received (but dropped) on a NetScaler port number that is not assigned to any service.
udp_err_threshold         | Number of times the UDP rate threshold is exceeded. If this counter continuously increases, first ensure that the UDP packets received are genuine. If they are, then increase the current rate threshold.
udp_err_badchecksums      | Packets received with a UDP checksum error.
udp_tot_rxpkts            | UDP packets received.
udp_tot_rxbytes           | Bytes of UDP data received.
udp_tot_txpkts            | UDP packets transmitted.
udp_tot_txbytes           | Bytes of UDP data transmitted.
udp_cur_ratethreshold     | Limit for UDP packets handled every 10 milliseconds. The default value, 0, applies no limit. This value is configurable using the set rateControl command.
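The counters are cumulative, so they only become meaningful as deltas between two readings. The following is an added example (not Citrix code) that takes two snapshots of the counters above as dicts, computes the per-interval increments, and applies the checks the descriptions imply: a large share of packets hitting ports with no service, the rate threshold being exceeded (with the reminder to confirm the traffic is genuine before raising it), and checksum errors. The snapshot values are constructed; in practice they come from two nsconmsg readings taken a known interval apart.

```python
# Constructed counter snapshots (values invented; names are the newnslog counters above).
# In practice fill these from two nsconmsg readings taken INTERVAL_S seconds apart.
INTERVAL_S = 60
SNAP_T0 = {"udp_tot_rxpkts": 1_000_000, "udp_tot_txpkts": 980_000,
           "udp_err_unknown_services": 12, "udp_err_threshold": 0,
           "udp_err_badchecksums": 3, "udp_cur_ratethreshold": 0}
SNAP_T1 = {"udp_tot_rxpkts": 1_400_000, "udp_tot_txpkts": 1_370_000,
           "udp_err_unknown_services": 9_000, "udp_err_threshold": 0,
           "udp_err_badchecksums": 3, "udp_cur_ratethreshold": 0}

# Counters that only ever increase; udp_cur_ratethreshold is a gauge and is not differenced.
CUMULATIVE = ("udp_tot_rxpkts", "udp_tot_txpkts", "udp_tot_rxbytes", "udp_tot_txbytes",
              "udp_err_unknown_services", "udp_err_threshold", "udp_err_badchecksums")


def deltas(before, after):
    """Per-interval increments of the cumulative counters present in the later snapshot."""
    return {k: after[k] - before.get(k, 0) for k in CUMULATIVE if k in after}


def analyse_udp(before, after, interval_s, unknown_ratio_limit=0.01):
    """Turn two snapshots into a receive rate and a list of findings worth acting on."""
    d = deltas(before, after)
    rx = d.get("udp_tot_rxpkts", 0)
    findings = []
    if rx:
        ratio = d.get("udp_err_unknown_services", 0) / rx
        if ratio > unknown_ratio_limit:
            findings.append(f"{ratio:.1%} of received UDP packets were dropped for hitting ports "
                            "with no service; check for scans or stale client configuration")
    if d.get("udp_err_threshold", 0):
        findings.append(f"UDP rate threshold ({after.get('udp_cur_ratethreshold')} per 10 ms) "
                        f"exceeded {d['udp_err_threshold']} times; confirm the traffic is genuine "
                        "before raising it with set rateControl")
    if d.get("udp_err_badchecksums", 0):
        findings.append(f"{d['udp_err_badchecksums']} UDP packets with bad checksums; "
                        "suspect a faulty sender or path")
    return {"rx_pps": rx / interval_s, "deltas": d, "findings": findings}


if __name__ == "__main__":
    result = analyse_udp(SNAP_T0, SNAP_T1, INTERVAL_S)
    print(f"UDP receive rate: {result['rx_pps']:.0f} pps")
    for finding in result["findings"] or ["no findings"]:
        print("-", finding)
```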
