Solution for Known Cause 1
For the LDAP over SSL issue, this has been fixed in 11.1 build 41.1 and newer. For other versions, to work around this, you can set up a Load Balancing Vserver on the NetScaler of type SSL-TCP, with Services also using SSL-TCP on port 636. Use this to load balance the backend LDAP (even if you only have 1 LDAP server). The reason this works is that the NetScaler terminates the AAAd SSL handshake on the LB Vserver, so it takes very little time to complete.
Additional steps for Known Cause 1:
Finally, to prevent the login button from being clicked multiple times, you can customize the Gateway Login page and modify the Logon button code to your liking using JavaScript to disable it when it's clicked. Please note Citrix does not support customizations and this will be up to the customer's team to implement and test; however, an example process to modify NetScaler 11.1 to disable the Login button after a click is provided below for you to review:
Example to disable the GUI Login button after clicking it once for NetScaler 11.1
1 - Make a backup of the file /var/netscaler/gui/vpn/login.js using this command:
cp /var/netscaler/gui/vpn/login.js /var/netscaler/gui/vpn/login-bkup.js
2 - Edit this file using vi on the NetScaler: /var/netscaler/gui/vpn/login.js
vi /var/netscaler/gui/vpn/login.js
3 - Find this function in the JavaScript: "function ns_check(event)".
4 - Before the last line of that function which is "return true;", add the following lines:
//START Modification to disable Login button after first click
var btn = document.getElementById("Log_On");
btn.disabled = true;
//END Modification
5 - Your function should now look like the below. If it does, save the file and exit vi.
function ns_check(event)
{
    var login = document.forms['vpnForm'].login.value;
    var passwd = document.forms['vpnForm'].passwd.value;
    if (login == "") {
        window.alert(_("You need to enter login name"));
        event.preventDefault();
        return;
    }
    if (passwd == "") {
        window.alert(_("You need to enter passwd"));
        event.preventDefault();
        return;
    }
    //START Modification to disable Login button after first click
    var btn = document.getElementById("Log_On");
    btn.disabled = true;
    //END Modification
    return true;
}
6 - Edit the file /nsconfig/rc.netscaler:
vi /nsconfig/rc.netscaler
7 - Add a new line in the file and put this on the new line:
cp /var/netscaler/gui/vpn/login.js /netscaler/ns_gui/vpn/login.js
8 - Save the file and exit vi.
9 - Restart your NetScaler to confirm the changes take effect. If you cannot reboot right now, instead run this command:
cp /var/netscaler/gui/vpn/login.js /netscaler/ns_gui/vpn/login.js
10 - You may also need to clear your browser's cache. Once done, you should now see the Login button become disabled shortly after clicking it.
Please note Citrix does not provide support for modifications to the NetScaler's GUI pages. The above is provided as an example only.
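The snippet above disables the button but still lets a second submit event through if one fires. The following is an added example, not Citrix code and not part of the original article: a latch that blocks repeat submits of the same form, leaves the latch unset when the empty-field checks reject the attempt, and does not throw if the Log_On element is missing. The helper names makeSubmitGuard and simulateClicks and the event wiring are assumptions; the form name vpnForm, the fields login and passwd, and the id Log_On come from the article.

```javascript
// Added example, not Citrix code. makeSubmitGuard is a hypothetical helper.
function makeSubmitGuard(getButton) {
    var submitted = false; // latch: set once a valid submit is let through

    return function guardedCheck(event, form) {
        // Repeat submit while the first is still in flight: block it so the
        // same OTP value is not posted a second time.
        if (submitted) {
            event.preventDefault();
            return false;
        }
        // Same empty-field checks as ns_check; a rejected attempt must not
        // set the latch, or the user could never retry.
        if (form.login.value === "" || form.passwd.value === "") {
            event.preventDefault();
            return false;
        }
        submitted = true;
        var btn = getButton();
        if (btn) {            // tolerate a customised page without the button
            btn.disabled = true;
        }
        return true;
    };
}

// Browser wiring (assumed; skipped when no DOM is present, e.g. under Node).
if (typeof document !== "undefined" && document.forms["vpnForm"]) {
    var vpnForm = document.forms["vpnForm"];
    var guard = makeSubmitGuard(function () {
        return document.getElementById("Log_On");
    });
    vpnForm.addEventListener("submit", function (event) {
        guard(event, vpnForm);
    });
}

// Constructed stand-ins for the event, form and button, for offline runs.
function simulateClicks(loginValue, passwdValue, clicks, withButton) {
    var button = withButton ? { disabled: false } : null;
    var check = makeSubmitGuard(function () { return button; });
    var form = { login: { value: loginValue }, passwd: { value: passwdValue } };
    var allowed = 0;
    for (var i = 0; i < clicks; i++) {
        var prevented = false;
        var ev = { preventDefault: function () { prevented = true; } };
        if (check(ev, form) && !prevented) { allowed++; }
    }
    return { allowed: allowed, buttonDisabled: button ? button.disabled : null };
}
```

The latch only suppresses repeat posts from the same page load; the authentication delay itself is still addressed by the per-cause solutions in this article.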
Solution for Known Cause 2
For the Radius server delay, we recommend implementing additional Radius servers and load balancing them.
Solution for Known Cause 3
For the AppFlow bug, as a workaround you can disable AppFlow. The permanent fix is to upgrade to 11.1.54.x.
Problem Cause
If there is a delay in processing the user's authentication, which can happen from the two known causes detailed below, then a user can repeatedly press the Login button and cause multiple logins to process. The second and subsequent login requests, when using OTP, will fail due to processing the same token, which causes authentication failures. Also, depending on your OTP policies, this can lock out the user's OTP token and cause further authentication denials. Finally, there is a bug in NetScaler 11.1 that can affect this as well.
Known cause 1) There is an issue with LDAP over SSL that causes the handshake for LDAP over SSL to be a blocking call for the AAA process. This means that the AAA system can no longer process ANY requests for ANY user until the SSL handshake with LDAP completes. This can lead to authentication delays, which can allow a user to repeatedly click the Login button. NetScaler 11.1 Build 41.1 and newer have this fixed. There are plans to back-port the fix to 11.0 but no ETA as of May 2017.
Known cause 2) If a Radius server delays in responding to an authentication request, there will be a delay at the login page which allows the user to click the Login button multiple times.
Known cause 3) In 11.1, there is a bug with AppFlow that results in closing the AAAd connection and eventually also the client-side connection. Due to the abrupt closure, the WebUI resends the POST again. These counters confirm this: aaa_force_drop_data, aaa_tot_term_link
Note that you may also experience crashes or logins stuck at a blank cgi/login page from this bug.