Citrix NetScaler Gateway: Enabling 2 factor authentication.
I currently have a Citrix NetScaler VPX 200 and I would like to enable 2 factor authentication. I'm new to setting up 2FA and any advice would greatly be appreciated.
The goal is to have the user sign into the Netscaler web portal and authenticate with their domain (LDAP) credentials. Upon successful login, the user is required to enter a passcode/one time password that they would receive from an SMS message or ideally a code using an authenticator app (Microsoft or Google authentication app for example.) Once the user enters the one time password, the user can access the VPN or ICA portal.
When researching what is evolved to enable this, it looks like a RADIUS server is required. I do have a Windows Server 2016 RADIUS server, but it doesn't seem to support what I'm looking for, unless Microsoft's terminology is different. I've opened a case with Citrix, but the only thing provide is links to setup RADIUS on the gateway, which I already found before opening the case.
Has anyone been able to accomplish this? Thank you for your time.
The goal is to have the user sign into the Netscaler web portal and authenticate with their domain (LDAP) credentials. Upon successful login, the user is required to enter a passcode/one time password that they would receive from an SMS message or ideally a code using an authenticator app (Microsoft or Google authentication app for example.) Once the user enters the one time password, the user can access the VPN or ICA portal.
When researching what is evolved to enable this, it looks like a RADIUS server is required. I do have a Windows Server 2016 RADIUS server, but it doesn't seem to support what I'm looking for, unless Microsoft's terminology is different. I've opened a case with Citrix, but the only thing provide is links to setup RADIUS on the gateway, which I already found before opening the case.
Has anyone been able to accomplish this? Thank you for your time.
Have seen that the request to authorize sends username while when sending password appends the 2fa code to the password.
username:password123456
with 123456 as he SMS code received.
nit this is handled on the netscaler
presumably you have a prompt for username/password
then a prompt for the code.
See if the following is helpful.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
Yes, it is not the setup that you have, but this one adds/integrates the Microsoft Authenticator into NPS/RADIUS
Do you have a lab/test environment?
point being the gateway will not allow user access until the access-accept is received
username:password123456
with 123456 as he SMS code received.
nit this is handled on the netscaler
presumably you have a prompt for username/password
then a prompt for the code.
See if the following is helpful.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
Yes, it is not the setup that you have, but this one adds/integrates the Microsoft Authenticator into NPS/RADIUS
Do you have a lab/test environment?
point being the gateway will not allow user access until the access-accept is received
While I personally have used RSA and Duo RADIUS servers, you should be able to configure 2FA with any RADIUS server for use with NetScaler.
Here are step-by-step instructions on how to set up the NetScaler for RADIUS:
https://www.carlstalhood.com/netscaler-gateway-12-radius-authentication/
The specific steps for setting up RADIUS itself depends on the RADIUS server selected.
You should set up RADIUS client entries for each NetScaler HA node as well as for the common SNIP.
Here are step-by-step instructions on how to set up the NetScaler for RADIUS:
https://www.carlstalhood.com/netscaler-gateway-12-radius-authentication/
The specific steps for setting up RADIUS itself depends on the RADIUS server selected.
You should set up RADIUS client entries for each NetScaler HA node as well as for the common SNIP.
Not the solution you were looking for? Getting a personalized solution is easy.
Ask the Experts
Most 2FA solutions work as a plug-in for the MS-Radius (NPS) or bring their own Radius server.
You can use ldap and radius (with 2FA) together/one after the other ... or radius only - without LDAP.
All radius-based solutions known to me only check the second factor after the name and password have been correctly transmitted. Then there is no need for separate LDAP authentication. (except if you want to work with LDAP groups)
I mostly use SMS passcode.
This has various authentication options (not just SMS)
You can use ldap and radius (with 2FA) together/one after the other ... or radius only - without LDAP.
All radius-based solutions known to me only check the second factor after the name and password have been correctly transmitted. Then there is no need for separate LDAP authentication. (except if you want to work with LDAP groups)
I mostly use SMS passcode.
This has various authentication options (not just SMS)
Thank you for your recommendations. Unfortunately, I only have the production instance and no test environment available. Seems an SMS solution maybe the best choice. Citrix also provides an nFactor feature that may enable authenticator apps, but this requires the Premium or Enterprise version of ADC.
How does the netscaler currently validate users?
Look at setting up NPS that could deal with MFA of various sorts.
IMHO, in such a a situation I would be testing on something that does not production.
If you currently do not use radius, setting that up ad testing and validating that it works..
Then extending out on whether the netscaler can be extended to MFA capability but will be enforced on a user by user basis such that you can have a test user with MFA enabled....
In this stage you would have to see whether you can add radius as the last.
currently you may have internal to netscaler auth, "localuser" ldap,/ad auth/sso and .....radius...
Check with citrix if they have a new setup Virtual ENV that can be used as a testing platform...
Look at setting up NPS that could deal with MFA of various sorts.
IMHO, in such a a situation I would be testing on something that does not production.
If you currently do not use radius, setting that up ad testing and validating that it works..
Then extending out on whether the netscaler can be extended to MFA capability but will be enforced on a user by user basis such that you can have a test user with MFA enabled....
In this stage you would have to see whether you can add radius as the last.
currently you may have internal to netscaler auth, "localuser" ldap,/ad auth/sso and .....radius...
Check with citrix if they have a new setup Virtual ENV that can be used as a testing platform...
We currently use LDAP (Required Security Group) for authentication. I'll research what my options are for setting up a test environment.
It might be simpler, Simon might be better in tune.
Verify the user is authorized.
Generate SMS, prompt for code.
Not sure how the netscalar deals with SMS it generates the code to the phone on the indiviudals LDAp record and then waits for input.
Potentially based on your version, it does not need radius to finalize the process.
You may want to reach out to Cisco and set the parameters of your question to exactly what you have and what you want.
I.e. setup LDAP authenticated Netscaler version limited to SMS as 2FA.
Which process generates the SMS with the code? and What module within Netscaler Validates it.
Verify the user is authorized.
Generate SMS, prompt for code.
Not sure how the netscalar deals with SMS it generates the code to the phone on the indiviudals LDAp record and then waits for input.
Potentially based on your version, it does not need radius to finalize the process.
You may want to reach out to Cisco and set the parameters of your question to exactly what you have and what you want.
I.e. setup LDAP authenticated Netscaler version limited to SMS as 2FA.
Which process generates the SMS with the code? and What module within Netscaler Validates it.
As i know NS only provide softtoken (OTP-APP) based 2FA.
So no SMS is send by NS. NS maintains the user based data within AD ... therefore requires write access.
I would use a second VServer at the NS for testing.
So no SMS is send by NS. NS maintains the user based data within AD ... therefore requires write access.
I would use a second VServer at the NS for testing.
I highly recommend Duo - very easy to set up.
Free for up to 10 users, and $3/mo per user above that.
NS OTP/nFactor can get pretty complicated.
Free for up to 10 users, and $3/mo per user above that.
NS OTP/nFactor can get pretty complicated.
Thank you for the recommendations. I'm working on spinning up a test environment. If all goes well. I'll try to document what I've done.
If you're thinking of using Duo, this might prove helpful:
Configuring Duo Integration With NetScaler
Configuring Duo Integration With NetScaler
Thanks for using Experts Exchange.
Create a free account to continue.
Limited access with a free account allows you to:
- View three pieces of content (articles, solutions, posts, and videos)
- Ask the experts questions (counted toward content limit)
- Customize your dashboard and profile
*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.