How to Implement OpenOTP Dual Factor Authentication Server for Access Gateway Enterprise Edition Appliance

Article ID: CTX132808

Description

This article describes an open source dual factor authentication implementation for the Access Gateway Enterprise Edition appliance using OpenOTP. OpenOTP has a free license for up to 25 users.

Requirements

  • OpenOTP Virtual Machine

  • VMware or Virtualbox

  • Android, iPhone, or Blackberry with Google Authenticator Soft token

  • Domain Administrator account to extend the Active Directory Schema and match tokens with usernames


Instructions

To implement OpenOTP dual factor authentication server for Access Gateway Enterprise Edition appliance, complete the following procedure:

  1. Download the .OVF appliance and install guide from http://rcdevs.com/downloads/index.php

  2. Extract and deploy the .OVF file.
    Note: The memory can be lowered to 512 MB or 256 MB and one CPU is sufficient.

  3. Start the virtual machine.

  4. After the initial boot process, enter the Fully Qualified Domain Name (FQDN) of the appliance and the company name on the console. The appliance obtains an IP address from DHCP and displays the SSH account and the URL of the administrator portal.

  5. Edit the /opt/webadm/conf/servers.xml file to provide the Active Directory LDAP server address:

    <LdapServer name="LDAP Server"
    host="192.168.1.10"
    port="636"
    encryption="SSL"
    cert_file=""
    key_file="" />
    
    <MailServer name="SMTP Server"
    host="192.168.1.11"
    port="25"
    user=""
    password=""
    encryption="NONE" />
  6. Edit the /opt/webadm/webadm.conf file to configure LDAP access:

    proxy_user "CN=Administrator,CN=Users,DC=ardadom4,DC=net"
    proxy_password "password"
    super_admins "cn=Administrator,cn=Users,dc=ardadom4,dc=net"
  7. With Active Directory installed on servers earlier than Windows Server 2008, add the user object class to webadm_account_oclasses:
    webadm_account_oclasses "webadmAccount","user"

  8. Set the time zone. See the docs/timezones.txt file for the list of valid time zone names:
    time_zone "America/New_York"

  9. Edit the /opt/radiusd/conf/clients.conf file and create an object for the NetScaler IP address:
    client 192.168.1.20 {
    secret = testing123
    shortname = any
    }

  10. Run the following command to restart the webadm service:
    /etc/init.d/webadm restart

  11. Open a Web browser and go to https://serverip. Log on with the proxy account.

  12. Follow the initial setup wizard to extend the Active Directory schema. When the wizard completes you are logged out; log in again with the regular Active Directory administrator account.

  13. Click Applications > OTP Authentication Server > CONFIGURE.

  14. In the Authentication Settings section, select Login Mode as OTP.

  15. Select OTP Type as TOKEN.

  16. Click Apply at the bottom of the page.

  17. Install the Google Authenticator App on the mobile device.

  18. Select a username on the OTP server Graphical User Interface (GUI).

  19. Click the OTP Authentication Server (X Actions) link, as shown in the following screen shot:

    [Screen shot]

  20. Select Register > Unregister Token.

  21. Select Google Authenticator > Time Based. A QR code appears.

  22. Open the Google Authenticator application and take a screen shot of the QR code.

  23. The application imports the private key and displays your one time password.

  24. You can now log on to the Access Gateway Enterprise Edition appliance and configure a RADIUS server profile using the OpenOTP server IP address, port 1812, and the secret testing123.


Additional Information

  1. RADIUS authentication policies (Citrix ADC, NetScaler 12.0)
  2. RADIUS authentication policies (Citrix ADC 12.1)