Domenic DiPasquale asked:

Citrix NetScaler Gateway: Enabling 2 factor authentication.

I currently have a Citrix NetScaler VPX 200 and I would like to enable 2 factor authentication. I'm new to setting up 2FA and any advice would greatly be appreciated.

The goal is to have the user sign into the Netscaler web portal and authenticate with their domain (LDAP) credentials. Upon successful login, the user is required to enter a passcode/one time password that they would receive from an SMS message or ideally a code using an authenticator app (Microsoft or Google authentication app for example.) Once the user enters the one time password, the user can access the VPN or ICA portal.

When researching what is involved to enable this, it looks like a RADIUS server is required. I do have a Windows Server 2016 RADIUS server, but it doesn't seem to support what I'm looking for, unless Microsoft's terminology is different. I've opened a case with Citrix, but the only thing provided is links to set up RADIUS on the gateway, which I already found before opening the case.

Has anyone been able to accomplish this? Thank you for your time.
arnold

Have seen that the request to authorize sends username while when sending password appends the 2fa code to the password.
username:password123456
with 123456 as the SMS code received.
nit this is handled on the netscaler
presumably you have a prompt for username/password
then a prompt for the code.

See if the following is helpful.
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

Yes, it is not the setup that you have, but this one adds/integrates the Microsoft Authenticator into NPS/RADIUS

Do you have a lab/test environment?
point being the gateway will not allow user access until the access-accept is received
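
The append mode arnold describes above (the 2FA code tacked onto the password in one RADIUS request), as an added example that is not part of the original thread: the User-Password hiding from RFC 2865 section 5.2, followed by the server-side split of a fixed-length code. The shared secret, Request Authenticator and 6-digit code length are constructed assumptions.

```python
import hashlib

def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: each 16-byte mask is MD5(shared secret + previous block)
    return hashlib.md5(secret + prev).digest()

def hide_user_password(value: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (gateway) side: hide the User-Password attribute value."""
    if not 1 <= len(value) <= 128 or len(authenticator) != 16:
        raise ValueError("value must be 1..128 bytes, authenticator 16 bytes")
    padded = value + b"\x00" * (-len(value) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = _keystream_block(secret, prev)
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server (RADIUS) side: recover the value with the same shared secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = _keystream_block(secret, prev)
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")

def split_password_and_code(value: bytes, code_digits: int = 6):
    """Append mode: the last code_digits bytes are the one-time code."""
    code = value[-code_digits:]
    if len(value) <= code_digits or not code.isdigit():
        raise ValueError("no trailing one-time code found")
    return value[:-code_digits], code

# Constructed sample values (not from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

def demo():
    hidden = hide_user_password(b"password123456", SECRET, REQUEST_AUTHENTICATOR)
    clear = reveal_user_password(hidden, SECRET, REQUEST_AUTHENTICATOR)
    return len(hidden), split_password_and_code(clear)

if __name__ == "__main__":
    print(demo())
```

Because the password and the code are protected in transit only by this MD5-derived mask, the shared secret between the gateway and the RADIUS server should be long and random.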
ASKER CERTIFIED SOLUTION
Sam Jacobs

This solution is only available to members.

Most 2FA solutions work as a plug-in for the MS-Radius (NPS) or bring their own Radius server.
You can use ldap and radius (with 2FA) together/one after the other ... or radius only - without LDAP.
All radius-based solutions known to me only check the second factor after the name and password have been correctly transmitted. Then there is no need for separate LDAP authentication. (except if you want to work with LDAP groups)
I mostly use SMS passcode.
This has various authentication options (not just SMS)





Domenic DiPasquale (ASKER)

Thank you for your recommendations. Unfortunately, I only have the production instance and no test environment available. Seems an SMS solution may be the best choice. Citrix also provides an nFactor feature that may enable authenticator apps, but this requires the Premium or Enterprise version of ADC.
How does the netscaler currently validate users?
Look at setting up NPS that could deal with MFA of various sorts.

IMHO, in such a situation I would be testing on something that is not production.
If you currently do not use radius, setting that up and testing and validating that it works..

Then extending out on whether the netscaler can be extended to MFA capability but will be enforced on a user by user basis such that you can have a test user with MFA enabled....
In this stage you would have to see whether you can add radius as the last.
currently you may have internal to netscaler auth, "localuser" ldap,/ad auth/sso and .....radius...

Check with citrix if they have a new setup Virtual ENV that can be used as a testing platform...
We currently use LDAP (Required Security Group) for authentication. I'll research what my options are for setting up a test environment.
It might be simpler, Simon might be better in tune.
Verify the user is authorized.
Generate SMS, prompt for code.
Not sure how the netscaler deals with SMS; it generates the code to the phone on the individual's LDAP record and then waits for input.
Potentially based on your version, it does not need radius to finalize the process.


You may want to reach out to Cisco and set the parameters of your question to exactly what you have and what you want.

I.e. setup LDAP authenticated Netscaler version limited to SMS as 2FA.
Which process generates the SMS with the code? and What module within Netscaler Validates it.
As I know, NS only provides softtoken (OTP-APP) based 2FA.
So no SMS is sent by NS. NS maintains the user based data within AD ... therefore requires write access.

I would use a second VServer at the NS for testing.

I highly recommend Duo - very easy to set up.
Free for up to 10 users, and $3/mo per user above that.
NS OTP/nFactor can get pretty complicated.
Thank you for the recommendations. I'm working on spinning up a test environment. If all goes well, I'll try to document what I've done.
If you're thinking of using Duo, this might prove helpful:
Configuring Duo Integration With NetScaler