Consider the following scenario: you are using LDAP + SMS passcode RADIUS authentication.
The behavior is that the user first authenticates to LDAP, and then an SMS passcode is sent to their mobile device, which is used for the second authentication. Unless the user is authenticated to LDAP first, they will not receive the SMS. This is a two-step authentication.
On the NetScaler Gateway, if you enable LDAP as the primary authentication and RADIUS as the secondary authentication, the user is prompted for two passwords. This leads to a tricky situation, since the user cannot obtain the SMS password until they have authenticated once with LDAP.
This is a limitation, and you have to use the RADIUS server for authentication and have the RADIUS server perform the authentication against Active Directory (LDAP).
Complete the following steps to work around this issue:
Configure two authentication policies on the NetScaler Gateway: primary as LDAP and secondary as RADIUS.
In the LDAP policy, uncheck Authentication and retain the other settings as per your requirement.
On NetScaler, you will now notice only one password prompt during authentication, in the browser as well as in Receiver.
Once you enter the username and password, the username goes to LDAP and you are not prompted for authentication again, since Authentication is unchecked in the LDAP policy. But because of group extraction, NetScaler extracts the username and password, and after that it goes to RADIUS and authenticates there.
You can check the aaad.debug log to verify that group extraction happens and is followed by RADIUS authentication:

/home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[370]: receive_ldap_user_search_event Binding user... 1 entries
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[395]: receive_ldap_user_search_event User DN= <<CN=farhan,CN=Users,DC=EMEA,DC=in>>
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[487]: receive_ldap_user_search_event built group string for farhan of:Group1 Group2 farhan-group Administrators
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[496]: receive_ldap_user_search_event AAA_LDAP_FLAGS_NO_AUTH: sending accept
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[2261]: send_accept sending accept to kernel for : farhan
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[858]: process_kernel_socket call to authenticate user :farhan, vsid :10913
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[3034]: start_cascade_auth starting cascade authentication
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/radius_drv.c[771]: continue_radius_auth attempting to auth farhan @ 10.104.23.140
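The following script is an added example, not part of the article or of NetScaler itself. It parses aaad.debug entries of the shape shown above and checks that the expected sequence for this workaround is present: LDAP group extraction, an accept carrying AAA_LDAP_FLAGS_NO_AUTH (Authentication unchecked), the start of cascade authentication, and the RADIUS attempt. The sample log is constructed from the excerpt above; the function names and the regular expression are this example's own assumptions about the log format, not a documented NetScaler interface.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, copied from the aaad.debug excerpt in the article
# (same timestamps, source paths, user "farhan" and RADIUS server 10.104.23.140).
SAMPLE_LOG = """\
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[370]: receive_ldap_user_search_event Binding user... 1 entries
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[395]: receive_ldap_user_search_event User DN= <<CN=farhan,CN=Users,DC=EMEA,DC=in>>
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[487]: receive_ldap_user_search_event built group string for farhan of:Group1 Group2 farhan-group Administrators
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[496]: receive_ldap_user_search_event AAA_LDAP_FLAGS_NO_AUTH: sending accept
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[2261]: send_accept sending accept to kernel for : farhan
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[858]: process_kernel_socket call to authenticate user :farhan, vsid :10913
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/naaad.c[3034]: start_cascade_auth starting cascade authentication
Fri Nov 20 21:17:20 2015 /home/build/rs_110_62_3_RTM/usr.src/netscaler/aaad/radius_drv.c[771]: continue_radius_auth attempting to auth farhan @ 10.104.23.140
"""

# One aaad.debug entry, as assumed here: optional timestamp, build path of the
# source file, [line number], function name, free-text message.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) )?"
    r"(?P<path>\S+/(?P<file>[\w.]+))\[(?P<lineno>\d+)\]: "
    r"(?P<func>\w+)\s*(?P<msg>.*)$"
)


def parse_aaad_debug(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse aaad.debug output into one dict per entry; lines in another shape are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def extracted_groups(events, user: str) -> Optional[List[str]]:
    """Groups the LDAP driver built for the user. The log separates them with spaces,
    so a group name that itself contains a space would be split here."""
    prefix = f"built group string for {user} of:"
    for e in events:
        if e["func"] == "receive_ldap_user_search_event" and e["msg"].startswith(prefix):
            return e["msg"][len(prefix):].split()
    return None


def radius_target(events, user: str) -> Optional[str]:
    """RADIUS server the user's credentials were forwarded to, or None if never reached."""
    for e in events:
        if e["func"] == "continue_radius_auth":
            m = re.search(r"attempting to auth (\S+) @ (\S+)", e["msg"])
            if m and m.group(1) == user:
                return m.group(2)
    return None


def check_noauth_cascade(events, user: str) -> Dict[str, bool]:
    """Confirm the milestones of the workaround appear in this order: LDAP group
    extraction, accept with AAA_LDAP_FLAGS_NO_AUTH, cascade start, RADIUS attempt."""
    milestones = [
        ("ldap_group_extraction", lambda e: e["msg"].startswith(f"built group string for {user} of:")),
        ("ldap_noauth_accept", lambda e: "AAA_LDAP_FLAGS_NO_AUTH" in e["msg"] and "sending accept" in e["msg"]),
        ("cascade_started", lambda e: e["func"] == "start_cascade_auth"),
        ("radius_attempted", lambda e: e["func"] == "continue_radius_auth" and f"auth {user} @" in e["msg"]),
    ]
    result, idx = {}, 0
    for name, hit in milestones:
        found = False
        while idx < len(events) and not found:  # each milestone must follow the previous one
            found = hit(events[idx])
            idx += 1
        result[name] = found
    return result


if __name__ == "__main__":
    evs = parse_aaad_debug(SAMPLE_LOG)
    print(check_noauth_cascade(evs, "farhan"))
    print(extracted_groups(evs, "farhan"), radius_target(evs, "farhan"))
```

If `ldap_noauth_accept` is missing from a real capture, the LDAP policy is still authenticating (Authentication was not unchecked); if `radius_attempted` is missing, the cascade never reached the RADIUS policy and the secondary binding is worth re-checking.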
If you still need LDAP authentication for the user, you can create a policy on the RADIUS server to authenticate the credentials passed by NetScaler against Active Directory.
The Receiver version should be 4.4 or above to implement this workaround. At present this workaround is not supported for Mobile Receivers.
You may also add the following rewrite action, which modifies the content of the index.html file that is sent to the client (similar to workaround 3); the original index.html remains unchanged:
add rewrite action RW_ACT_remove_pw2_receiver insert_after_all "http.res.body(1024)" q/"\r\n"+"<META http-equiv=\"X-Citrix-AM-GatewayAuthType\" content=\"SMS\">"/ -pattern "content=\"text/html; charset=UTF-8\">"
add rewrite policy RW_POL_remove_pw2_Receiver "http.req.url.path.endswith(\"vpn/index.html\")" RW_ACT_remove_pw2_receiver
The Receiver version should be 4.4 or above to implement this workaround. At present this workaround is not supported for Mobile Receivers.
Add the following line to the index.html file, below the line that reads <META http-equiv="Content-Type" content="text/html; charset=UTF-8">:
<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">
The following is an example for your reference:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Netscaler Gateway</title>
<link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/vnd.microsoft.icon">
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">
<META content=noindex,nofollow,noarchive name=robots>
<link href="/vpn/js/rdx/core/css/rdx.css" rel="stylesheet" type="text/css"/>
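Both the rewrite action and the manual edit of index.html produce the same page, so the following added example (not part of the article and not NetScaler code) covers both. It emulates the insert_after_all rewrite on a constructed copy of the index.html head above, then parses the result the way a client would to confirm the X-Citrix-AM-GatewayAuthType META is present with the value SMS. It also shows the check a practitioner should do before relying on the rewrite: the action's target is http.res.body(1024), so the Content-Type META must lie within the first 1024 bytes of the response body; on a customized page where it sits further down, the rewrite silently does nothing. Function names and the sample page are this example's own.

```python
import html.parser
from typing import List, Optional

# The strings the article's rewrite action uses: pattern searched for, text inserted after it.
META_PATTERN = b'content="text/html; charset=UTF-8">'
INSERT = b'\r\n<META http-equiv="X-Citrix-AM-GatewayAuthType" content="SMS">'

# Constructed sample: the article's index.html head, before the extra META is added.
SAMPLE_INDEX = b"""<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>Netscaler Gateway</title>
<link rel="SHORTCUT ICON" href="/vpn/images/AccessGateway.ico" type="image/vnd.microsoft.icon">
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META content=noindex,nofollow,noarchive name=robots>
<link href="/vpn/js/rdx/core/css/rdx.css" rel="stylesheet" type="text/css"/>
</head>
<body></body>
</html>
"""


def rewrite_will_match(body: bytes, scan_limit: int = 1024) -> bool:
    """http.res.body(1024) exposes only the first 1024 bytes of the body to the
    rewrite, so the pattern must end inside that window for the action to fire."""
    i = body.find(META_PATTERN)
    return i >= 0 and i + len(META_PATTERN) <= scan_limit


def apply_gateway_authtype_rewrite(body: bytes, scan_limit: int = 1024) -> bytes:
    """Emulate insert_after_all with -pattern: INSERT is placed after every occurrence
    of META_PATTERN that lies within the scanned window; the rest of the body is untouched."""
    window = body[:scan_limit]
    out, pos = bytearray(), 0
    while True:
        i = window.find(META_PATTERN, pos)
        if i < 0:
            break
        end = i + len(META_PATTERN)
        out += body[pos:end] + INSERT
        pos = end
    out += body[pos:]
    return bytes(out)


class _MetaCollector(html.parser.HTMLParser):
    """Collects the attributes of every meta start tag. html.parser lowercases tag
    and attribute names, so <META ...> and <meta ...> are treated alike."""

    def __init__(self) -> None:
        super().__init__()
        self.metas: List[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            self.metas.append(dict(attrs))


def gateway_auth_type(body: bytes) -> Optional[str]:
    """Value of the X-Citrix-AM-GatewayAuthType META (what Receiver would read), or None."""
    p = _MetaCollector()
    p.feed(body.decode("utf-8", errors="replace"))
    p.close()
    for m in p.metas:
        if (m.get("http-equiv") or "").lower() == "x-citrix-am-gatewayauthtype":
            return m.get("content")
    return None


if __name__ == "__main__":
    rewritten = apply_gateway_authtype_rewrite(SAMPLE_INDEX)
    print(rewrite_will_match(SAMPLE_INDEX), gateway_auth_type(rewritten))
```

Run `rewrite_will_match` against a saved copy of your own index.html before binding the rewrite policy; if it returns False, either move the Content-Type META higher in the head or enlarge the body window in the action's target expression.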
After making the preceding change, you will notice that the passcode field is hidden:
After entering the password, you are prompted for the OTP passcode by RADIUS.
If you are using a browser, you can refer to one of the Citrix Blogs on customization that works with browsers.