Citrix Netscaler ADC and Gateway

Netscaler/ADC Native One Time Passwords – Baseconfig

Citrix ADC / Netscaler Native OTP

Since, as you may know, I work a lot with Citrix Netscaler and keep dealing with all kinds of authentication methods in my projects, I would like to start writing down my knowledge about it here. I think I will turn it into a blog series. Today I start with the basic configuration and some general information about Netscaler Native OTP.

I think this topic is especially interesting if you have no other OTP integration in your environment, or if you want to start with OTP or multi-factor authentication without investing a lot of money. In most Netscaler projects the customers already have a RADIUS infrastructure and I just connect the Netscaler to the existing system. But I personally think the Native OTP story is a really cool thing. Just read on and convince yourself 🙂

Content

  1. Step-by-Step Guide over Netscaler/ADC GUI
  2. Troubleshooting Guide Netscaler Native OTP
  3. CLI Commands to setup Native OTP

What I want to do

The initial situation in my LAB is as follows:
The Netscaler version I use is 12.1 Build 55.18.
I already have a Content Switch with several policies, the corresponding load balancers and web servers behind it. Authentication is currently done against an Active Directory, so my users currently authenticate with username and password only. In this article I describe how you can set up Netscaler Native OTP (One Time Passwords) directly on the Netscaler, without the need for an additional system. I will not go into the configuration of the authentication against Active Directory here. If you still have questions about that configuration, feel free to contact me via mail or the comments.

The aim is to have a standard login page after the configuration, where the user must enter user name, password and passcode (OTP). I would also like to have an additional page where the user can manage his OTPs or device links. This page should only be accessible with user name and password.

The Netscaler Native OTP feature is not new; it has existed for Netscaler/ADC since spring 2019. But since I use it over and over again, I will start the planned blog series with this topic anyway. Especially if you use Netscaler only as a gateway, it is easier if you don’t need a third-party system to offer OTPs.

Let’s go!
Now follow the instructions with screenshots and explanations. If you want to see the CLI commands directly, you can jump down to the “CLI Commands” section at the end of this article.

Step-by-Step over the Web GUI

1. create 2 Authentication Virtual Servers

As you can see, I have already set up an authentication server on my Netscaler. Here the authentication for the Active Directory already works.

Citrix Netscaler Authentication Virtual Server

Next, I copy the LDAP server used for this and adjust one of the settings in the copy. First, I deactivate the authentication, because this service should only be used to check if users are already using OTPs and to write the OTP attribute (userParameters). So that we know whether users have already registered a device for OTP, we write a user attribute in the Active Directory. In this way, administrators can subsequently check at any time whether the user has registered a device for OTP.

Important: if you copy the LDAP server, you have to enter the password of your service user again, otherwise the authentication or the connection via the service user won’t work. In my LAB I use LDAP over port 389; I wouldn’t do that in production environments, please use Secure LDAP (TCP 636 with SSL).

Afterwards you can see the screenshots for the two LDAP servers:

Authentication server for authentication to Active Directory

Authentication server for the OTP check

Netscaler OTP attribute userParameters

Here it is important that you also give the service user the right in Active Directory to edit the attribute “userParameters”.

2. create authentication policies

Here you have another example. Please also create the second one with the expression “true”.

3. create login schemes

First I create the required login schemes. We need 3 login schemes.

Login schema – two-factor authentication

Login schema – No authentication

Login schema – Simple authentication + OTP management page

4. create login schema policies

Now I create the policies for the individual login schemes.

Note: Actually you only need 2 policies here, but I have created a third one. You can reach the management page for OTP either by URL or by hostname. Since I want to use both methods later, I created both policies, but you only need one of the two. In my LAB I currently only use the URL to manage the OTPs.

Overview of the created login schema policies

Login Schema Policy – two-factor authentication

Login schema policy (URL) – Simple authentication + OTP management page

Login schema policy (hostname) – Simple authentication + OTP management page

5. Create Authentication Policy Label

I have bound the auth_pol_otp_validation policy with priority 10 to the label. Here I also bind the login schema “lschema_noschema”, because I don’t want to do any authentication at this point, only the OTP validation.

Authentication Policy Label
Authentication Policy Label Details
Authentication Policy Label – Binding Details

6. bind them to the authentication server

After I have created all the necessary policies, labels and whatever else we need, we now bind them to the authentication server. If you already have a “Basic Authentication Policy” or one for authentication, you may need to remove it or unbind it.

Binding the Authentication Policy

Authentication Policy Binding

Binding the login schema policies

Now I bind the Authentication Login Schema Policies in order. I have made screenshots of the single bindings with details.

Authentication Login Schema Policy binding to Authentication Server
Policy Binding – URL Check for OTP Management

You don’t have to use the following policy; I have bound it anyway, because later I also want to manage the OTPs by calling a hostname.

Policy Binding – Hostname Check for OTP Management
Policy Binding – 2 Factor Authentication

So, now that I have bound all the policies accordingly, let’s give it a try.

7. Test the Netscaler Native OTP configuration

Here you first see the normal login page with 2 factors. The user can log in here with username, password and passcode.

Default login page with 2 factors

If the user instead opens “https://LOGINSITE/manageotp”, he or she can log in with user name and password only.

Login for the OTP management site
Input credentials

After I have successfully authenticated myself, I can add or delete new devices for OTP.

Add new OTP device

If you add a new device, you only need to scan the barcode that is displayed. When it is scanned, you can click “OK”.

Barcode for OTP App

I do the whole thing through Google Authenticator.

Add new OTP to Google Authenticator

Now I scan the barcode in the OTP app.

Mobile Device Barcode scan

If the barcode is successfully scanned and the OTP is connected, the One Time Password is displayed in the app.

New OTP successfully added

You can test the OTP connection if you want.

Test OTP Device

Just enter the OTP displayed in the app on your smartphone into the OTP field on the login page and confirm with Test.

Input OTP
OTP successfully tested

Now that everything is set up and working, you can use the login page with 2 factors.

I hope this article has helped you. Give it a try and give me a short feedback. You can get more information about Netscaler in my other posts.

Troubleshooting

I hope I can give you a few tips for troubleshooting Native OTP.

Passcode Stats

To get the OTP counters on Netscaler, you can use the following cli command:

nsconmsg -g aaa_otp -d stats

Output Example:

root@ns# nsconmsg -g aaa_otp -d stats
Displaying current counter value information
NetScaler V20 Performance Data
reltime:mili second between two records Thu Jun 15 21:00:38 2017
Index reltime counter-value symbol-name&device-no
0 22 aaa_otp_tot_verify_success
5 0 3 aaa_otp_tot_verify_fail
18 0 158 aaa_otp_tot_manage_success
11 0 0 aaa_otp_tot_manage_fail
Done.

Explanation:

aaa_otp_tot_verify_success:
shows you the total number of successful passcode verifications

aaa_otp_tot_verify_fail:
shows you the total number of failed passcode verifications

aaa_otp_tot_manage_success:
shows you the total number of successful device registrations

aaa_otp_tot_manage_fail:
shows you the total number of failed device registrations

Check the logs

If you want to check the logs, first set the log level to DEBUG:

set syslogparams -loglevel DEBUG

Log entry for a successful device registration:

"OTP registration succeeded, next factor: , for user: tom@lab.local "

Successful Passcode Validation

"AAAD sent success while managing otp, operation: 5, user: <tom@lab.local>"

OTP Device was successfully deleted

"AAAD sent success while managing otp, operation: 2, user: <tom@lab.local>"

Userlogon was successful

"extracted OTP secret from aaad, current factor: manage_otp_flow_label, for user: tom@lab.local, verifying incoming otp "
"(0-311) Authentication succeeded, current factor: manage_otp_flow_label, for user: tom@lab.local "
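As an added example (not part of the article and not a Citrix tool), here is a small Python helper that parses the counter lines of "nsconmsg -g aaa_otp -d stats" and the DEBUG log messages quoted above, so you can watch the passcode failure ratio and see which users registered or deleted OTP devices. The sample output and log lines are constructed to match the formats shown above; the operation codes 5 and 2 are labelled the way the article reads them.

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the format "nsconmsg -g aaa_otp -d stats" prints (values made up).
NSCONMSG_SAMPLE = """\
Index reltime counter-value symbol-name&device-no
 0      0     22 aaa_otp_tot_verify_success
 5      0      3 aaa_otp_tot_verify_fail
18      0    158 aaa_otp_tot_manage_success
11      0      0 aaa_otp_tot_manage_fail
Done.
"""
# Constructed sample of the DEBUG-level ns.log messages quoted in the article.
NSLOG_SAMPLE = """\
OTP registration succeeded, next factor: , for user: tom@lab.local
AAAD sent success while managing otp, operation: 5, user: <tom@lab.local>
AAAD sent success while managing otp, operation: 2, user: <tom@lab.local>
OTP registration succeeded, next factor: , for user: alice@lab.local
"""
COUNTER_RE = re.compile(r"^\s*\d+\s+\d+\s+(\d+)\s+(aaa_otp_\w+)\s*$")
REG_RE = re.compile(r"OTP registration succeeded.*for user:\s*(\S+)")
MANAGE_RE = re.compile(r"managing otp, operation:\s*(\d+), user:\s*<([^>]+)>")
# Operation codes as the article reads them: 5 = passcode validated, 2 = device deleted.
MANAGE_OPS = {5: "passcode_validated", 2: "device_deleted"}

def parse_otp_counters(text):
    """Return {symbol: value} for every aaa_otp counter line in nsconmsg output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters

def verify_failure_ratio(counters):
    """Share of failed passcode verifications; a sudden rise deserves a look."""
    ok = counters.get("aaa_otp_tot_verify_success", 0)
    fail = counters.get("aaa_otp_tot_verify_fail", 0)
    return fail / (ok + fail) if ok + fail else 0.0

def otp_events_per_user(log_text):
    """Count device registrations and management operations per user."""
    events = defaultdict(Counter)
    for line in log_text.splitlines():
        reg, man = REG_RE.search(line), MANAGE_RE.search(line)
        if reg:
            events[reg.group(1)]["device_registered"] += 1
        elif man:
            op = int(man.group(1))
            events[man.group(2)][MANAGE_OPS.get(op, f"operation_{op}")] += 1
    return {user: dict(c) for user, c in events.items()}
```

Feed it the real nsconmsg output and the ns.log lines of your appliance; a registration or deletion for a user who did not ask for one is exactly the kind of event you want to notice.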

CLI Commands

# Create auth servers
# Note: "-encrypted -encryptmethod ENCMTHD_3" is what ns.conf writes for an already encrypted password.
# If you type YOUR_PASSWORD in clear text, omit these two options.
# For production use Secure LDAP as recommended above: add "-serverPort 636 -secType SSL".
add authentication ldapAction auth_srv_ldap_lab01_logon -serverIP 192.168.1.200 -ldapBase "DC=lab,DC=local" -ldapBindDn YOUR_USER@YOUR_DOMAIN -ldapBindDnPassword YOUR_PASSWORD -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute cn -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute sAMAccountName
# Second LDAP action: authentication disabled, only used to read/write the OTP secret in userParameters
add authentication ldapAction auth_srv_ldap_lab01_checkOTP -serverIP 192.168.1.200 -ldapBase "DC=lab,DC=local" -ldapBindDn YOUR_USER@YOUR_DOMAIN -ldapBindDnPassword YOUR_PASSWORD -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute cn -authentication DISABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute sAMAccountName -OTPSecret userParameters

# Create login schemas
add authentication loginSchema lscheme_dual_factor -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication loginSchema lschema_noschema -authenticationSchema noschema
add authentication loginSchema lschema_single_auth_manage_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"

# Create login schema policies
add authentication loginSchemaPolicy lschema_pol_dual_factor -rule true -action lscheme_dual_factor
add authentication loginSchemaPolicy lschema_pol_single_auth_manage_otp_by_url -rule "http.req.cookie.value(\"NSC_TASS\").contains(\"manageotp\")" -action lschema_single_auth_manage_otp
add authentication loginSchemaPolicy lschama_pol_single_auth_manage_otp_by_host -rule "HTTP.REQ.HEADER(\"host\").EQ(\"manageotp.thomaspreischl.de\")" -action lschema_single_auth_manage_otp

# Create authentication policies
add authentication Policy auth_pol_otp_validation -rule true -action auth_srv_ldap_lab01_checkOTP
add authentication Policy auth_pol_ldap_logon -rule true -action auth_srv_ldap_lab01_logon

# Create authentication policy label
add authentication policylabel manage_otp_flow_label -loginSchema lschema_noschema

# Bind authentication policy to policy label
bind authentication policylabel manage_otp_flow_label -policyName auth_pol_otp_validation -priority 10 -gotoPriorityExpression NEXT

# Bind login schema policies to the auth server (the two manageotp policies must come before the dual-factor one)
bind authentication vserver auth_vs_lab01 -policy lschema_pol_single_auth_manage_otp_by_url -priority 10 -gotoPriorityExpression END
bind authentication vserver auth_vs_lab01 -policy lschama_pol_single_auth_manage_otp_by_host -priority 20 -gotoPriorityExpression END
bind authentication vserver auth_vs_lab01 -policy lschema_pol_dual_factor -priority 30 -gotoPriorityExpression END

# Bind the LDAP logon policy to the auth server, with the OTP policy label as next factor
bind authentication vserver auth_vs_lab01 -policy auth_pol_ldap_logon -priority 10 -nextFactor manage_otp_flow_label -gotoPriorityExpression NEXT

5 thoughts on “Netscaler/ADC Native One Time Passwords – Baseconfig”

  1. Hi Tom – interesting article – thanks for that. Actually I’m looking forward to implementing a native OTP using Netscaler and an SMS gateway. It’s hard to find any more details which cover that than a not very precise Citrix blog post. Do you have any advice on how this could be done? Regards, Christian

  2. I don’t understand the logic from Citrix.
    If a hacker has the password from the user, he can go to the manageotp site and register his own MFA device or delete the user’s device and register a new one…
