When the NITRO API is used to manage or get information from a NetScaler, a session must be authenticated first. Depending on the authentication factors configured for NetScaler Management, different NITRO API resources should be used. If one of the authentication factors responds with a challenge, a specific NITRO API resource should be used.
We will review the configuration for two scenarios:
LDAP + RADIUS authentication process with NITRO API:
1st-Factor Authentication Request:
curl -L 'https://[NSIP]/nitro/v1/config/login' -H 'Content-Type: application/json' -d '{
"login": {
"username": "[username]",
"password": "[password]"
}
}'
The NetScaler will send a 599 HTTP response similar to the following:
{
"errorcode": 3816,
"message": "Nextfactor Login [onlypassword_password]",
"severity": "ERROR",
"sessionid": "[sessionID sent by NetScaler for 1st factor authentication]"
}
2nd-Factor Authentication Request:
curl -L 'https://[NSIP]/nitro/v1/config/loginnextfactorresponse' -H 'Content-Type: application/json' -H 'Cookie: sessionid=[sessionID sent by NetScaler for 1st factor authentication]' -d '{
"loginnextfactorresponse": {
"nextfactorpassword": "[2nd factor password]"
}
}'
The NetScaler will respond with a 201 response similar to the following:
{
"errorcode": 0,
"message": "Done",
"severity": "NONE",
"sessionid": "[sessionID for this authentication API session]"
}
LDAP + RADIUS authentication process with NITRO API when the RADIUS server responds with an Access-Challenge:
1st-Factor Authentication Request:
curl -L 'https://[NSIP]/nitro/v1/config/login' -H 'Content-Type: application/json' -d '{
"login": {
"username": "[username]",
"password": "[password]"
}
}'
The NetScaler will send a 599 HTTP response similar to the following:
{
"errorcode": 1034,
"message": "Login challenged [Challenge text sent by RADIUS server, such as Enter a response from your token]",
"severity": "ERROR",
"sessionid": "[sessionID sent by NetScaler for 1st factor authentication]"
}
2nd-Factor Authentication Request:
curl -L 'https://[NSIP]/nitro/v1/config/loginchallengeresponse' -H 'Content-Type: application/json' -H 'Cookie: sessionid=[sessionID sent by NetScaler for 1st factor authentication]' -d '{
"loginchallengeresponse": {
"challengepassword": "[2nd factor password]"
}
}'
The NetScaler will respond with a 201 response similar to the following:
{
"errorcode": 0,
"message": "Done",
"severity": "NONE",
"sessionid": "[sessionID for this authentication API session]"
}
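The two scenarios above differ only in the error code of the 599 reply and in the resource that answers it, so a client can choose the second-factor call from the first reply. A Python version of that dispatch follows; it is an added example, not Citrix code. The function names are hypothetical, and treating any other error code as a failed login is an assumption.

```python
import json
import urllib.error
import urllib.request

# errorcode -> (NITRO resource, password field), taken from the two scenarios above
SECOND_FACTOR = {
    3816: ("loginnextfactorresponse", "nextfactorpassword"),  # "Nextfactor Login"
    1034: ("loginchallengeresponse", "challengepassword"),    # RADIUS Access-Challenge
}

def post(url, payload, headers):
    """POST JSON and return (status, parsed body); a 599 reply is data, not an exception."""
    req = urllib.request.Request(url, json.dumps(payload).encode(), headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def second_factor_request(nsip, status, reply, secret):
    """Build (url, payload, headers) for the follow-up call, or None if login is complete."""
    code = reply.get("errorcode")
    if code == 0:
        return None
    if status != 599 or code not in SECOND_FACTOR:
        # Assumption: fail closed, so an unrecognised error never receives the second factor.
        raise RuntimeError(f"login failed: errorcode={code} severity={reply.get('severity')}")
    resource, field = SECOND_FACTOR[code]
    headers = {"Content-Type": "application/json",
               "Cookie": f"sessionid={reply['sessionid']}"}  # first-factor session ID
    return f"https://{nsip}/nitro/v1/config/{resource}", {resource: {field: secret}}, headers

def login(nsip, username, password, secret):
    """Run both factors and return the session ID of the authenticated API session."""
    url = f"https://{nsip}/nitro/v1/config/login"
    status, reply = post(url, {"login": {"username": username, "password": password}},
                         {"Content-Type": "application/json"})
    follow_up = second_factor_request(nsip, status, reply, secret)
    if follow_up is not None:
        status, reply = post(*follow_up)
        if reply.get("errorcode") != 0:
            raise RuntimeError(f"second factor rejected: errorcode={reply.get('errorcode')}")
    return reply["sessionid"]
```

The error messages include only the error code and severity, so neither password nor the session ID ends up in logs.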