Domenic DiPasquale

Citrix NetScaler Gateway: Enabling 2 factor authentication.

I currently have a Citrix NetScaler VPX 200 and I would like to enable 2 factor authentication. I'm new to setting up 2FA and any advice would be greatly appreciated.

The goal is to have the user sign into the NetScaler web portal and authenticate with their domain (LDAP) credentials. Upon successful login, the user is required to enter a passcode/one-time password that they would receive from an SMS message or, ideally, a code from an authenticator app (the Microsoft or Google Authenticator app, for example). Once the user enters the one-time password, the user can access the VPN or ICA portal.

When researching what is involved to enable this, it looks like a RADIUS server is required. I do have a Windows Server 2016 RADIUS server, but it doesn't seem to support what I'm looking for, unless Microsoft's terminology is different. I've opened a case with Citrix, but the only thing provided is links to set up RADIUS on the gateway, which I had already found before opening the case.

Has anyone been able to accomplish this? Thank you for your time.
Citrix, NetScaler, Google, Azure, Microsoft Server OS

8/22/2022 - Mon
arnold

Have seen that the request to authorize sends the username, while when sending the password it appends the 2FA code to the password:
username:password123456
with 123456 as the SMS code received.
But this is handled on the NetScaler;
presumably you have a prompt for username/password,
then a prompt for the code.

See if the following is helpful.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Yes, it is not the setup that you have, but this one adds/integrates the Microsoft Authenticator into NPS/RADIUS

Do you have a lab/test environment?
Point being, the gateway will not allow user access until the Access-Accept is received.
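As an added illustration (not code from the thread or from Citrix/Microsoft), the following shows what the RADIUS side of the "code appended to the password" convention arnold describes has to do with one Access-Request: split the trailing digits off as the one-time code, check the static password first, and only then check the code, answering Access-Accept or Access-Reject. It assumes the second factor is a TOTP from an authenticator app (RFC 6238, which the Microsoft and Google apps implement) rather than an SMS code, and the user store, password salt and TOTP seed are constructed for the example (the seed is the RFC 6238 reference seed so the values are reproducible).

```python
"""Added example: RADIUS-style check of a 'password+OTP' User-Password field.

Not from the original thread.  The user store, salt and TOTP seed are
constructed for the example; a real NPS/RADIUS server would look the user
up in AD and the seed up in its own token store."""
import hashlib
import hmac
import struct
import time
from typing import Optional

DIGITS = 6
STEP = 30      # TOTP time step in seconds
WINDOW = 1     # accept +/- one step of clock drift between phone and server

_SALT = b"example-salt"   # constructed; a real store uses a per-user random salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user store.  "12345678901234567890" is the RFC 6238 reference seed.
USERS = {
    "jdoe": {
        "pw_hash": hash_password("password"),
        "totp_seed": b"12345678901234567890",
        "last_counter": -1,   # replay protection: highest TOTP counter accepted
    }
}


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, at_time // step, digits)


def split_credential(user_password: str, digits: int = DIGITS):
    """Split 'password123456' into ('password', '123456').

    Returns None when the field is too short or the tail is not all digits, so
    a request with no code is rejected instead of being treated as a password."""
    if len(user_password) <= digits:
        return None
    password, code = user_password[:-digits], user_password[-digits:]
    if not code.isdigit():
        return None
    return password, code


def radius_authenticate(user_name: str, user_password: str, now: Optional[int] = None) -> str:
    """Return 'Access-Accept' or 'Access-Reject' for one Access-Request."""
    now = int(time.time()) if now is None else now
    user = USERS.get(user_name)
    parts = split_credential(user_password)
    if user is None or parts is None:
        return "Access-Reject"
    password, code = parts
    # First factor: the static password.  Reject here before touching the OTP,
    # so the second factor is only ever evaluated for a correct name/password.
    if not hmac.compare_digest(hash_password(password), user["pw_hash"]):
        return "Access-Reject"
    # Second factor: TOTP within the drift window; each counter is usable once.
    counter = now // STEP
    for candidate in range(counter - WINDOW, counter + WINDOW + 1):
        if candidate <= user["last_counter"]:
            continue   # already consumed, or older than a code we accepted
        if hmac.compare_digest(hotp(user["totp_seed"], candidate), code):
            user["last_counter"] = candidate
            return "Access-Accept"
    return "Access-Reject"


if __name__ == "__main__":
    t = 1111111109   # RFC 6238 vector: TOTP with the reference seed is 081804
    print(totp(USERS["jdoe"]["totp_seed"], t))
    print(radius_authenticate("jdoe", "password081804", t))   # first use
    print(radius_authenticate("jdoe", "password081804", t))   # replay of same code
    print(radius_authenticate("jdoe", "wrong081804", t))      # bad password
```

The order matters for the point Dirk makes later in the thread: the second factor is only checked once name and password are correct, so a RADIUS policy like this does not need a separate LDAP pass unless you also want LDAP group filtering. Splitting on a fixed code length is the only way to recover the code from a single User-Password field, which is why a gateway that can prompt for the code separately (a second password field or a second policy) is cleaner than the concatenation trick.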
ASKER CERTIFIED SOLUTION
Sam Jacobs

Dirk Kotte

Most 2FA solutions work as a plug-in for the MS RADIUS server (NPS) or bring their own RADIUS server.
You can use LDAP and RADIUS (with 2FA) together/one after the other ... or RADIUS only, without LDAP.
All RADIUS-based solutions known to me only check the second factor after the name and password have been correctly transmitted. Then there is no need for separate LDAP authentication (except if you want to work with LDAP groups).
I mostly use SMS Passcode.
This has various authentication options (not just SMS).
Domenic DiPasquale

ASKER
Thank you for your recommendations. Unfortunately, I only have the production instance and no test environment available. It seems an SMS solution may be the best choice. Citrix also provides an nFactor feature that may enable authenticator apps, but this requires the Premium or Enterprise version of ADC.
arnold

How does the NetScaler currently validate users?
Look at setting up NPS, which could deal with MFA of various sorts.

IMHO, in such a situation I would be testing on something that is not production.
If you currently do not use RADIUS, set that up and test and validate that it works.

Then extend out on whether the NetScaler can be extended to MFA capability, but enforced on a user-by-user basis such that you can have a test user with MFA enabled....
In this stage you would have to see whether you can add RADIUS as the last.
Currently you may have auth internal to the NetScaler ("localuser"), LDAP/AD auth/SSO, and ..... RADIUS...

Check with Citrix if they have a new setup virtual environment that can be used as a testing platform...
Domenic DiPasquale

ASKER
We currently use LDAP (Required Security Group) for authentication. I'll research what my options are for setting up a test environment.
arnold

It might be simpler; Simon might be better in tune.
Verify the user is authorized.
Generate SMS, prompt for code.
Not sure how the NetScaler deals with SMS: it generates the code to the phone on the individual's LDAP record and then waits for input.
Potentially, based on your version, it does not need RADIUS to finalize the process.


You may want to reach out to Cisco and set the parameters of your question to exactly what you have and what you want.

I.e. set up an LDAP-authenticated NetScaler version limited to SMS as 2FA.
Which process generates the SMS with the code? And what module within the NetScaler validates it?
Dirk Kotte

As far as I know, NS only provides soft-token (OTP app) based 2FA.
So no SMS is sent by NS. NS maintains the user-based data within AD ... therefore it requires write access.

I would use a second vServer on the NS for testing.

Sam Jacobs

I highly recommend Duo - very easy to set up.
Free for up to 10 users, and $3/mo per user above that.
NS OTP/nFactor can get pretty complicated.
Domenic DiPasquale

ASKER
Thank you for the recommendations. I'm working on spinning up a test environment. If all goes well, I'll try to document what I've done.
Sam Jacobs

If you're thinking of using Duo, this might prove helpful:
Configuring Duo Integration With NetScaler