Citrix Gateway Native OTP not working with Citrix IOS Workspace Client

Article ID: CTX269642
Description

1. Native OTP configuration done as per https://docs.citrix.com/en-us/netscaler-gateway/12/native-otp-support.html

2. Android / Windows Workspace Clients and Browser work (able to authenticate, enumerate and launch APPs)

3. IOS Workspace Client is unable to authenticate. If the user enters the password and passcode in reverse order, Gateway authentication succeeds but SSO to StoreFront fails; the user has to enter credentials again to be able to enumerate and launch apps.

Resolution

nFactor support is planned for future releases of IOS Workspace. Meanwhile, the issue can be worked around by altering the configuration slightly on the AAA vserver on Citrix Gateway: for IOS Workspace clients, evaluate the passcode (OTP) first and then the LDAP credentials. Please follow the steps below from the GUI.

Pre-Requisites:

1. Native OTP should be configured and working (i.e. tested via Browser / Citrix Workspace for Windows / Citrix Workspace for Android): https://docs.citrix.com/en-us/netscaler-gateway/12/native-otp-support.html

2. Identify the AAA vserver used for Native OTP.
If you followed the above configuration example, it would be "authvs".

3. Identify the policy for LDAP Auth. This is the one bound to the LDAP action with Authentication enabled (note: Authentication is enabled by default).
If you followed the above configuration example, it would be "auth_pol_ldap_logon".

4. Identify the LDAP action for OTP Verify. This is the LDAP action with Authentication disabled.
If you followed the above configuration example, it would be "ldap_otp_action".

5. Identify the Gateway session policy and profile for Receivers, and ensure the plugin type is set to "Java".

Configuration:

Section 1: Create a policy for OTP Verification for IOS Workspace Clients (Factor1)
  • Navigate to: Security ==> AAA - Application Traffic ==> Policies ==> Authentication ==> Advanced Policies ==> Authentication Policies ==> ADD
  • Name: IOS_WORKSPACE_Factor1
  • Action Type: LDAP
  • Action: ldap_otp_action (as noted in  
  • Expression: HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("User-Agent").CONTAINS("IOS")
  • Click OK

Section 2: Create a policy label for LDAP Credential Verification (Factor2)
  • Navigate to: Security ==> AAA - Application Traffic ==> Policies ==> Authentication ==> Advanced Policies ==> Authentication Policy Labels ==> ADD
  • Name: Plabel_LDAP_AUTH
  • Schema: LSCHEMA_INT
  • Click on Continue
  • In the policy binding section, click on "Click to Select" and from the list select the policy for LDAP Auth (in this case "auth_pol_ldap_logon", as noted in #3 in the prerequisites)
  • Click on Bind

Section 3: Bind Factor1 with next Factor as Factor2 on the AAA Vserver
  • Navigate to: Security ==> AAA - Application Traffic ==> Authentication Virtual Servers
  • Select the auth vserver (in this case "authvs") and hit EDIT
  • Click on "Authentication Policy". This brings up the list of authentication policies bound to the AAA vserver; make a note of the lowest priority number
  • Click on ADD Binding
      • Click on the "Select Policy" section, and from the list select the policy created in Section 1, i.e. IOS_WORKSPACE_Factor1
      • Set Priority to a number lower than the lowest priority number noted above
      • Set Goto Expression to "END"
      • Click on the "Select Next Factor" option, and from the list select the policy label created in Section 2, i.e. "Plabel_LDAP_AUTH"
  • Click Bind
  • Close the Authentication Policy list and hit Done
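The same three sections expressed as NetScaler CLI commands, added here as an example and not taken from the article. It assumes the object names from the prerequisites (authvs, auth_pol_ldap_logon, ldap_otp_action) and assumes the existing vserver bindings sit at priority 100, so 90 is used to make the new policy evaluate first; replace the priorities with values taken from your own vserver.

```nscli
# Added example: CLI equivalent of Sections 1-3. Object names are the ones from
# the prerequisites; priorities 90 and 100 are assumptions. Pick the vserver
# priority from "show authentication vserver authvs" so the new binding has the
# lowest number of all bound policies.

# Section 1: Factor1 - OTP verification for IOS Workspace clients only.
# The rule is the article's User-Agent expression; ldap_otp_action is the LDAP
# action with authentication disabled, so only the passcode is checked here.
add authentication Policy IOS_WORKSPACE_Factor1 -rule "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"IOS\")" -action ldap_otp_action

# Section 2: Factor2 - policy label that runs the normal LDAP credential check
# (auth_pol_ldap_logon uses the LDAP action with authentication enabled).
add authentication policylabel Plabel_LDAP_AUTH -loginSchema LSCHEMA_INT
bind authentication policylabel Plabel_LDAP_AUTH -policyName auth_pol_ldap_logon -priority 100 -gotoPriorityExpression NEXT

# Section 3: bind Factor1 on the AAA vserver ahead of the existing policies,
# with the label as next factor. END stops further policy evaluation on this
# factor, so non-iOS clients fall through to the original Native OTP bindings
# only when the User-Agent rule does not match.
bind authentication vserver authvs -policy IOS_WORKSPACE_Factor1 -priority 90 -nextFactor Plabel_LDAP_AUTH -gotoPriorityExpression END

# Verify the binding order, then persist the change.
show authentication vserver authvs
save ns config
```

Two checks worth doing after applying this: confirm that the Windows and Android Workspace clients and the browser still authenticate through the original flow (the User-Agent rule must not match them), and confirm that the iOS client now passes both factors and can enumerate and launch apps. Note that `CONTAINS` in a NetScaler policy expression is case-sensitive, so the rule only matches a User-Agent that carries "CitrixReceiver" and "IOS" with exactly that casing.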


Problem Cause

IOS Workspace Client does not support nFactor as of publishing this article. It therefore exhibits a known Workspace / Receiver behavior of sending the password and passcode in reverse order, so the nFactor flow fails because it ends up sending the passcode to LDAP (first factor) instead of the password.