Configure "Authentication Verification Order" Different to the Order Prompted on Logon Page Using NetScaler nFactor

Article ID: CTX229505

Description

This article describes how to configure the authentication verification order so that it differs from the order in which the credentials are prompted on the logon page, using NetScaler nFactor.

Background

The following is the authentication field prompt order of the NetScaler Gateway logon page:
  1. Login
  2. Domain password
  3. One-time password

However, when the user fills in the fields and presses Enter, the OTP must be verified first, and domain (LDAP) authentication must be attempted only after the OTP verification has succeeded. nFactor allows this because the field each factor consumes is selected by the -passwdExpression of the login schema in effect for that factor, independently of the order in which the fields are displayed.


Instructions

nFactor Flow Presentation through Visualizer



Configuration through the CLI

Complete the following steps to configure an authentication verification order that differs from the order prompted on the logon page:

1. Configure an AAA (authentication) virtual server, in this example named aaa_vserver. An AAA virtual server is required for nFactor authentication to work. Object names are case-sensitive, so use the same name in all of the bind commands below.

2. Create a login schema for managing (registering) OTP devices and bind it to the AAA virtual server. The policy matches on the NSC_TASS cookie with the value manageotp, which is set when the user browses to the /manageotp URL of the virtual server, so only device-management requests receive this schema:

add authentication loginSchema manage_otp_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy lschema_manage_otp_pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action manage_otp_schema
bind authentication vserver aaa_vserver -policy lschema_manage_otp_pol -priority 100 -gotoPriorityExpression END
 

3. Create a login schema for dual authentication. The -passwdExpression selects which of the two posted password fields the first factor consumes. The following is a sample login schema for your reference:

add authentication loginSchema dual_auth_schema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwdExpression "HTTP.REQ.BODY(1000).SET_TEXT_MODE(URLENCODED).TYPECAST_NVLIST_T(\'=\',\'&\').VALUE(\"passwd\").DECODE_USING_TEXT_MODE"

add authentication loginSchemaPolicy lschema_dual_auth_pol -rule true -action dual_auth_schema
bind authentication vserver aaa_vserver -policy lschema_dual_auth_pol -priority 110 -gotoPriorityExpression END
 

4. Create the authentication actions and policies as below. Replace xx.xx.xx.xx with the IP address of your LDAP server. The -ldapBindDnPassword values shown are the encrypted forms that a saved ns.conf contains; they are specific to the appliance that generated them and cannot be reused elsewhere. When typing these commands on the CLI, supply the bind password in plain text and omit -encrypted -encryptmethod ENCMTHD_3 (the appliance encrypts the value when the configuration is saved).

a. LDAP authentication used when registering a device (evaluated only when the manageotp cookie is present):

add authentication ldapAction LDAP_Server -serverIP xx.xx.xx.xx -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword efa9d541bf30abbc164ae093f985ac5973dvafca27de626585999e7c288acabb470 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication Policy manage_OTP_LDAP -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_Server

b. Managing the devices:

add authentication ldapAction LDAP_manage_OTP -serverIP xx.xx.xx.xx -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword 53b2711cc22386574fb48e29045b5b3dffadcf3e6f7739b11e545114cefb6123df9 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED -OTPSecret userParameters
add authentication Policy manage_OTP -rule true -action LDAP_manage_OTP

c. For verifying the OTP:

add authentication ldapAction LDAP_verify_OTP -serverIP xx.xx.xx.xx -ldapBase "dc=citrix,dc=lab" -ldapBindDn administrator@citrix.lab -ldapBindDnPassword 67ea96bvve5b149f974acb0bada4234e526c80a663d3bd63022205ea6cb8bc899c -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -authentication DISABLED -OTPSecret userParameters
add authentication Policy Verify_OTP -rule true -action LDAP_verify_OTP

d. LDAP policy for the delayed LDAP authentication (reuses the LDAP_Server action from step 4a):

add authentication Policy LDAP_adv_Auth -rule true -action LDAP_Server
 

5. Create Policy Labels as below:

a. Policy label for verifying the OTP once the device is registered:
add authentication policylabel Verify_OTP -loginSchema LSCHEMA_INT
bind authentication policylabel Verify_OTP -policyName Verify_OTP -priority 100 -gotoPriorityExpression END

b. Policy Label for managing registered devices:

add authentication policylabel manage_otp -loginSchema LSCHEMA_INT
bind authentication policylabel manage_otp -policyName manage_OTP -priority 100 -gotoPriorityExpression NEXT -nextFactor Verify_OTP

c. Policy label for the delayed LDAP authentication during dual authentication. The noschema login schema prompts for nothing; it exists only to carry the -passwdExpression that selects the password field this factor consumes:

add authentication loginSchema noschema_schema -authenticationSchema noschema -passwdExpression "HTTP.REQ.BODY(1000).SET_TEXT_MODE(URLENCODED).TYPECAST_NVLIST_T(\'=\',\'&\').VALUE(\"passwd1\").DECODE_USING_TEXT_MODE"
add authentication policylabel LDAP_Policylabel -loginSchema noschema_schema
bind authentication policylabel LDAP_Policylabel -policyName LDAP_adv_Auth -priority 100 -gotoPriorityExpression END
 

6. Bind the authentication policies to the AAA virtual server:

bind authentication vserver aaa_vserver -policy manage_OTP_LDAP -priority 100 -nextFactor manage_otp -gotoPriorityExpression NEXT
bind authentication vserver aaa_vserver -policy Verify_OTP -priority 110 -nextFactor LDAP_Policylabel -gotoPriorityExpression NEXT
 

Note: In the preceding sample, the LDAP policy used for the delayed domain authentication is LDAP_adv_Auth and the OTP verification policy is Verify_OTP.

If this configuration is used with NetScaler Gateway, create an authentication profile that points at the AAA virtual server and bind it to the Gateway virtual server:

add authentication authnProfile gatewayauth -authnVsName aaa_vserver
set vpn vserver ICA1 -authnProfile gatewayauth

ICA1 is the NetScaler Gateway virtual server name; aaa_vserver is the AAA virtual server that the login schema and authentication policies above are bound to.

Using the preceding steps you can prompt for two passwords in the browser but verify them in a different order from the one shown on the page. Which field each factor consumes is decided only by the -passwdExpression of the login schema in effect for that factor: the factor bound first (Verify_OTP) consumes the field named in dual_auth_schema, and the delayed LDAP factor (LDAP_Policylabel) consumes the field named in noschema_schema. In the unmodified DualAuth.xml template the first password box is posted as passwd and the second as passwd1, so with the expressions exactly as written above the OTP is expected in the first password box and the domain password in the second. If your logon page collects the domain password in the first box and the OTP in the second, as described in the Background section, swap passwd and passwd1 between the two -passwdExpression values. A mismatch shows up as the OTP factor failing for every user even though the codes they enter are correct.
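The routing of posted fields to factors, and the resulting verification order, can be checked offline. The following Python script is an added example and not Citrix code: it reproduces what the two -passwdExpression values do (take the first 1000 bytes of the body, split it into a URL-encoded name/value list, return the decoded value of one name), verifies the OTP with TOTP (RFC 6238, 30-second step, six digits, HMAC-SHA1, which is what NetScaler native OTP uses) and only then checks the domain password, replacing the LDAP bind with a lookup in a constructed table. The field names login, passwd and passwd1 are those of the unmodified DualAuth.xml template; the user record, password and TOTP secret are constructed for this example.

```python
"""Added example (not Citrix code): models how the two -passwdExpression
settings route the posted DualAuth.xml fields to the two factors and
enforces OTP-before-LDAP verification. The LDAP bind is replaced by a
lookup in a constructed table so the script runs offline."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qsl

STEP = 30    # TOTP time step in seconds (RFC 6238 default, as used by NetScaler native OTP)
DIGITS = 6   # TOTP code length

# Constructed stand-in for the directory. "password" is what the LDAP bind
# would check; "otp_secret" is the per-user TOTP secret that NetScaler would
# read from the attribute named in -OTPSecret. These are not real credentials.
DIRECTORY = {
    "administrator": {"password": "S3cret-Pa55", "otp_secret": "JBSWY3DPEHPK3PXP"},
}


def extract_field(body: str, name: str) -> str:
    """Equivalent of HTTP.REQ.BODY(1000).SET_TEXT_MODE(URLENCODED)
    .TYPECAST_NVLIST_T('=','&').VALUE(name).DECODE_USING_TEXT_MODE:
    look at the first 1000 bytes of the body, split it on '&' and '=',
    and return the URL-decoded value stored under `name`."""
    nvlist = dict(parse_qsl(body[:1000], keep_blank_values=True))
    return nvlist.get(name, "")


def totp(secret_b32: str, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the RFC 4226 counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps of clock skew."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + skew * STEP).encode(), code.encode())
        for skew in range(-window, window + 1)
    )


def authenticate(body: str, otp_field: str, password_field: str, now: int):
    """Run the two factors in nFactor order: the OTP factor consumes
    `otp_field` and must succeed before the LDAP factor consumes
    `password_field`. Returns (accepted, list of factors actually run)."""
    trace = []
    entry = DIRECTORY.get(extract_field(body, "login"))
    if entry is None:
        return False, trace
    trace.append("otp")                      # factor 1: Verify_OTP
    if not verify_otp(entry["otp_secret"], extract_field(body, otp_field), now):
        return False, trace                  # LDAP is never attempted
    trace.append("ldap")                     # factor 2: LDAP_Policylabel
    accepted = hmac.compare_digest(
        entry["password"].encode(), extract_field(body, password_field).encode())
    return accepted, trace


if __name__ == "__main__":
    now = int(time.time())
    # Constructed POST body: domain password in the first box (passwd),
    # OTP in the second (passwd1), as the Background section describes.
    body = "login=administrator&passwd=S3cret-Pa55&passwd1=" + totp(
        DIRECTORY["administrator"]["otp_secret"], now)
    print("expressions as written (passwd -> OTP factor):",
          authenticate(body, "passwd", "passwd1", now))
    print("expressions swapped (passwd1 -> OTP factor):",
          authenticate(body, "passwd1", "passwd", now))
```

With the domain password in the first box, calling authenticate() with otp_field="passwd" (the field the dual_auth_schema expression above extracts) makes the OTP factor read the domain password, fail, and never reach the LDAP step; with otp_field="passwd1" the code in the second box is verified first and the first box is then checked as the domain password.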
 

Configuration through Visualizer

1. Go to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
2. Click the + sign to add the nFactor Flow.


3. Click Add Factor; the name entered here becomes the name of the nFactor Flow.


4. No schema is needed in this first factor, because it only decides whether the user needs to register a device or should be authenticated.
5. Click Add Policy to add an authentication policy with action NO_AUTHN. In Expression, enter HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp"). This policy is referred to below as Manage_OTP_Check.


6. Bind the policy created above and click Add.


7. Click the blue + sign to add another policy, for the dual authentication path taken by users who are already registered.


8. Create another authentication policy with action type NO_AUTHN and expression true; it is referred to below as Dual_Auth_Check. Policies within a factor are evaluated in priority order, so a request that does not carry the manageotp cookie falls through from Manage_OTP_Check to this policy.


9. Click the green + sign next to Manage_OTP_Check to create the next factor, in which users register their devices.


10. Select the Create Factor radio button and type a name for this factor in Factor Name.


11. Click Add Schema and choose the schema for registering devices. This is the schema created in step 2 of the CLI configuration (manage_otp_schema).


12. Click Add Policy and choose the authentication policy that manages the device. This is the policy created in step 4b of the CLI configuration (manage_OTP).


13. Click the green + sign next to manage_OTP to add another factor that verifies the OTP once the device has been added.


14. Select Create Factor and type a name for the factor in Factor Name.


15. No schema is needed for this factor. Click Add Policy, select the OTP verification policy (Verify_OTP from step 4c), and click Add.



16. To create the factor for dual authentication, click the green + sign next to Dual_Auth_Check in the first factor.


17. Select Create Factor to add another factor for dual authentication.


18. Click Add Schema to choose the schema for dual authentication. This is the schema created in step 3 of the CLI configuration (dual_auth_schema).


19. Click Add Policy to add the authentication policy that verifies the OTP before LDAP authentication (Verify_OTP).


20. Click the green + sign to add another factor for the delayed LDAP authentication.


21. Select Create Factor and type the Factor Name.


22. Click Add Policy to add the LDAP authentication policy (LDAP_adv_Auth from step 4d). No additional credentials are prompted for in this factor. If it must consume a different password field from the one the OTP factor used, attach a noschema login schema carrying the matching -passwdExpression, as noschema_schema does in step 5c of the CLI configuration.


23. Click Done; the configuration is saved automatically.
24. Select the nFactor Flow just created, click Bind to Authentication Server, select the AAA virtual server, and click Create.

NOTE: Bind and unbind the nFactor Flow only through the Show Bindings option under nFactor Flow.

To unbind the nFactor Flow:

1. Select the nFactor Flow and click Show Bindings.
2. Select the authentication virtual server and click Unbind.

 


Additional Information

Synopsis

add authentication loginSchema <name> -authenticationSchema <string> [-userExpression <string>] [-passwdExpression <string>] [-userCredentialIndex <positive_integer>] [-passwordCredentialIndex <positive_integer>] [-authenticationStrength <positive_integer>]

Arguments

name

Name for the new login schema. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the login schema is created.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my action" or 'my action').

authenticationSchema

Name of the file for reading authentication schema to be sent for Login Page UI. This file should contain xml definition of elements as per Citrix Forms Authentication Protocol to be able to render login form. If administrator does not want to prompt users for additional credentials but continue with previously obtained credentials, then "noschema" can be given as argument. Please note that this applies only to loginSchemas that are used with user-defined factors, and not the vserver factor.

userExpression

Expression for username extraction during login

passwdExpression

Expression for password extraction during login

userCredentialIndex

The index at which user entered username should be stored in session.

Minimum value: 1

Maximum value: 16

passwordCredentialIndex

The index at which user entered password should be stored in session.

Minimum value: 1

Maximum value: 16

authenticationStrength

Weight of the current authentication

Minimum value: 0

Maximum value: 65535


Output from aaad.debug

The following trace was captured from a deployment of the same flow in which the first factor is RADIUS rather than LDAP-based native OTP. It shows the first-factor verification (RADIUS, request 0-64, vsid 10366) completing and being accepted before the LDAP bind (request 0-65, vsid 10746) is even started, regardless of the order of the fields on the logon page. With the native OTP configuration above, the first request is handled by LDAP_verify_OTP instead of RADIUS, but the ordering is the same.

root@ns# cat aaad.debug
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[1082]: process_kernel_socket 0-64: call to authenticate
user :administrator, vsid :10366, req_flags 2
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[3820]: start_cascade_auth 0-64: starting cascade authentication
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/radius_drv.c[772]: continue_radius_auth 0-64: RADIUS auth: Starting RADIUS authentication for user administrator @ 10.107.141.174
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/radius_drv.c[2116]: process_radius 0-64: RADIUS auth: RADIUS authentication successful for user: administrator from server 10.107.141.174
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/radius_drv.c[2118]: process_radius 0-64: extracted group string :(null)
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[2969]: send_accept 0-64: sending accept to kernel for : administrator
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[845]: process_kernel_socket 0-65: partition id is 0
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[1082]: process_kernel_socket 0-65: call to authenticate
user :administrator, vsid :10746, req_flags 2
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[3820]: start_cascade_auth 0-65: starting cascade authentication
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[107]: start_ldap_auth 0-65: Starting LDAP auth
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[131]: start_ldap_auth 0-65: attempting to do ldap auth for administrator @ 10.107.141.167
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[133]: start_ldap_auth 0-65: LDAP referrals are OFF
receive_ldap_user_bind_event 0-65: User authentication (Bind event) for user administrator succeeded
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[2969]: send_accept 0-65: sending accept to kernel for : administrator
Wed Nov  1 16:35:37 2017
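To confirm the observed order against the intended flow without reading the trace by hand, the following Python script (an added example, not Citrix code) groups aaad.debug lines by aaad request id, records which driver handled each request, the AAA vserver id and whether aaad sent an accept, and returns the verification order. The sample embedded in it is an abridged copy of the trace above; the mapping of driver function names to methods covers only the RADIUS and LDAP functions that appear in that trace, and reject lines are matched on the send_reject prefix.

```python
"""Added example (not Citrix code): parse aaad.debug output and report the
order in which aaad verified the authentication factors, per request id."""
import re

# "<source file>[<line>]: <function> <partition>-<request>: <message>";
# some lines (receive_ldap_user_bind_event) carry no source-file prefix.
EVENT_RE = re.compile(r"(?:^|\]: )(?P<func>[A-Za-z_]+) (?P<req>\d+-\d+): (?P<msg>.*)$")
VSID_RE = re.compile(r"vsid :(\d+)")

# aaad driver functions that identify which method a request is verifying
METHOD_BY_FUNC = {
    "continue_radius_auth": "RADIUS",
    "process_radius": "RADIUS",
    "start_ldap_auth": "LDAP",
    "receive_ldap_user_bind_event": "LDAP",
}

# Abridged copy of the trace shown in the article.
SAMPLE_TRACE = """\
root@ns# cat aaad.debug
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[1082]: process_kernel_socket 0-64: call to authenticate
user :administrator, vsid :10366, req_flags 2
Wed Nov  1 16:35:35 2017
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[3820]: start_cascade_auth 0-64: starting cascade authentication
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/radius_drv.c[772]: continue_radius_auth 0-64: RADIUS auth: Starting RADIUS authentication for user administrator @ 10.107.141.174
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/radius_drv.c[2116]: process_radius 0-64: RADIUS auth: RADIUS authentication successful for user: administrator from server 10.107.141.174
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/radius_drv.c[2118]: process_radius 0-64: extracted group string :(null)
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[2969]: send_accept 0-64: sending accept to kernel for : administrator
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[845]: process_kernel_socket 0-65: partition id is 0
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[1082]: process_kernel_socket 0-65: call to authenticate
user :administrator, vsid :10746, req_flags 2
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[107]: start_ldap_auth 0-65: Starting LDAP auth
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/ldap_drv.c[131]: start_ldap_auth 0-65: attempting to do ldap auth for administrator @ 10.107.141.167
receive_ldap_user_bind_event 0-65: User authentication (Bind event) for user administrator succeeded
/home/build/rs_120_53_3_RTM/usr.src/netscaler/aaad/naaad.c[2969]: send_accept 0-65: sending accept to kernel for : administrator
"""


def parse_requests(text: str) -> dict:
    """Group events by aaad request id, in order of first appearance.
    Each entry records the AAA vserver id, the methods seen and the verdict."""
    reqs = {}
    current = None
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m is None:
            # the line after 'call to authenticate' carries the vsid
            v = VSID_RE.search(line)
            if v and current is not None:
                reqs[current]["vsid"] = int(v.group(1))
            continue
        func, req = m.group("func"), m.group("req")
        current = req
        entry = reqs.setdefault(req, {"vsid": None, "methods": [], "result": None})
        method = METHOD_BY_FUNC.get(func)
        if method and method not in entry["methods"]:
            entry["methods"].append(method)
        if func == "send_accept":
            entry["result"] = "accept"
        elif func.startswith("send_reject"):
            entry["result"] = "reject"
    return reqs


def verification_order(text: str) -> list:
    """Methods in the order aaad verified them, e.g. ['RADIUS', 'LDAP']."""
    return [m for r in parse_requests(text).values() for m in r["methods"]]


def order_matches(text: str, expected: list) -> bool:
    """True when the observed order equals the intended nFactor order."""
    return verification_order(text) == list(expected)


if __name__ == "__main__":
    for req, info in parse_requests(SAMPLE_TRACE).items():
        print(req, info)
    print("order:", verification_order(SAMPLE_TRACE))
```

Feed the script a longer aaad.debug capture (for example via sys.stdin.read()) and compare verification_order() with the factor order you intended; a first factor that is rejected for every user while the second is never reached is the symptom of the two -passwdExpression values pointing at the wrong fields.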