
Native OTP support for authentication

Citrix ADC supports one-time passwords (OTP) without having to use a third-party server. A one-time password is a highly secure option for authenticating to secure servers because the number or passcode generated is random. Previously, specialized firms, such as RSA with specific devices that generate random numbers, offered the OTPs.

In addition to reducing capital and operating expenses, this feature enhances the administrator's control by keeping the entire configuration on the Citrix ADC appliance.

Note:

Because third-party servers are no longer needed, the Citrix ADC administrator has to configure an interface to manage and validate user devices.

Users must be registered with a Citrix ADC virtual server to use the OTP solution. Registration is required only once per unique device, and can be restricted to certain environments. Configuration and validation of a registered user is similar to configuring an extra authentication policy.

Advantages of having Native OTP support

  • Reduces operating cost by eliminating the need for extra authentication-server infrastructure in addition to Active Directory.
  • Consolidates the configuration on the Citrix ADC appliance alone, giving administrators greater control.
  • Eliminates the client's dependence on an extra authentication server for generating the number expected by clients.

Native OTP workflow

The native OTP solution is a two-fold process and the workflow is classified as the following:

  • Device registration
  • End user login

Important:

You can skip the registration process if you are using third-party solutions or managing other devices apart from the Citrix ADC appliance. The final string that you add must be in the Citrix ADC specified format.

The following figure depicts the device registration flow to register a new device to receive OTP.

OTP workflow

Note: The device registration can be done using any number of factors. The single factor (as specified in the previous figure) is used as an example to explain the device registration process.

The following figure depicts the verification of OTP through the registered device.

OTP verification workflow

The following figure depicts the device registration and management flow.

Device registration and management

The following figure depicts the end user flow for the Native OTP feature.

End user workflow

Prerequisites

To use the native OTP feature, make sure that the following prerequisites are met.

  • Citrix ADC feature release version is 12.0 build 51.24 and later.
  • Advanced or Premium edition license is installed on Citrix Gateway.
  • Citrix ADC is configured with a management IP, and the management console is accessible both using a browser and the command line.
  • Citrix ADC is configured with an authentication, authorization, and auditing virtual server to authenticate users. For more information, see Authentication virtual server.
  • Citrix ADC appliance is configured with Unified Gateway and the authentication, authorization, and auditing profile is assigned to the Gateway virtual server.
  • Native OTP solution is restricted to the nFactor authentication flow. Advanced policies are required to configure the solution. For more details, see Native OTP.

Also ensure the following for Active Directory:

  • A minimum attribute length of 256 characters.
  • Attribute type must be ‘DirectoryString’ such as UserParameters. These attributes can hold string values.
  • Attribute string type must be Unicode, if device name is in non-English characters.
  • Citrix ADC LDAP administrator must have write access to the selected AD attribute.
  • Citrix ADC appliance and client machine must be synced to a common Network Time Server.

Configure Native OTP using the GUI

Native OTP registration is not a single-factor authentication on its own. The following sections help you configure the first and second factor authentication.

Create Login Schema for first factor

  1. Navigate to Security > AAA - Application Traffic > Login Schema.
  2. Go to Profiles and click Add.
  3. On the Create Authentication Login Schema page, enter lschema_single_auth_manage_otp under the Name field and click Edit next to noschema.
  4. Click the LoginSchema folder.
  5. Scroll down to select SingleAuthManageOTP.xml and click Select.
  6. Click Create.
  7. Click Policies and click Add.
  8. On the Create Authentication Login Schema Policy screen, enter the following values.

    Name: lpol_single_auth_manage_otp_by_url

    Profile: Select lschema_single_auth_manage_otp from the list.

    Rule: HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp")

Configure authentication, authorization, and auditing virtual server

  1. Navigate to Security > AAA - Application Traffic > Authentication Virtual Servers. Click to edit the existing virtual server. For more information, see Authentication virtual server.

  2. Click the + icon next to Login Schemas under Advanced Settings in the right pane.
  3. Select No Login Schema.
  4. Click the arrow and select the lpol_single_auth_manage_otp_by_url policy, click Select, and click Bind.
  5. Scroll up and select 1 Authentication Policy under Advanced Authentication Policy.
  6. Right-click the already configured nFactor policy (or refer to nFactor to create one) and select Edit Binding.
  7. Click the arrow under Select Next Factor to select an existing configuration or click Add to create a factor.
  8. On the Create Authentication PolicyLabel screen, enter the following, and click Continue:

    Name: manage_otp_flow_label

    Login Schema: Lschema_Int

  9. On the Authentication PolicyLabel screen, click Add to create a policy.

    Create a policy for a normal LDAP server.

  10. On the Create Authentication Policy screen, enter the following:

    Name: auth_pol_ldap_native_otp

  11. Select the action type as LDAP using the Action Type list.
  12. In the Action field, click Add to create an action.

    Create the first LDAP action with authentication enabled to be used for the single factor.

  13. In the Create Authentication LDAP server page, select the Server IP radio button, clear the checkbox next to Authentication, enter the following values, and select Test Connection. The following is a sample configuration.

    Name: ldap_native_otp

    IP Address: 192.168.xx.xx

    Base DN: DC=training, DC=lab

    Administrator: Administrator@training.lab

    Password: xxxxx

    Create a policy for OTP.

  14. On the Create Authentication Policy screen, enter the following:

    Name: auth_pol_ldap_otp_action

  15. Select the action type as LDAP using the Action Type list.
  16. In the Action field, click Add to create an action.

    Create the second LDAP action to set the OTP authenticator with the OTP secret configuration and authentication unchecked.

  17. In the Create Authentication LDAP server page, select the Server IP radio button, clear the checkbox next to Authentication, enter the following values, and select Test Connection. The following is a sample configuration.

    Name: ldap_otp_action

    IP Address: 192.168.xx.xx

    Base DN: DC=training, DC=lab

    Administrator: Administrator@training.lab

    Password: xxxxx

  18. Scroll down to the Other Settings section. Use the drop-down menu to select the following options. Select Server Logon Name Attribute as New and type userprincipalname.
  19. Use the drop-down menu to select SSO Name Attribute as New and type userprincipalname.
  20. Enter "UserParameters" in the OTP Secret field and click More.
  21. Enter the following attributes.

    Attribute 1 = mail

    Attribute 2 = objectGUID

    Attribute 3 = immutableID

  22. Click OK.
  23. On the Create Authentication Policy page, set the Expression to true and click Create.
  24. On the Create Authentication Policylabel page, click Bind, and click Done.
  25. On the Policy Binding page, click Bind.
  26. On the Authentication policy page, click Close and click Done.

    Create a policy for OTP verification.

  27. On the Create Authentication Policy screen, enter the following:

    Name: auth_pol_ldap_otp_verify

  28. Select the action type as LDAP using the Action Type list.
  29. In the Action field, click Add to create an action.

    Create the third LDAP action to verify OTP.

  30. In the Create Authentication LDAP server page, select the Server IP radio button, clear the checkbox next to Authentication, enter the following values, and select Test Connection. The following is a sample configuration.

    Name: ldap_verify_otp

    IP Address: 192.168.xx.xx

    Base DN: DC=training, DC=lab

    Administrator: Administrator@training.lab

    Password: xxxxx

  31. Scroll down to the Other Settings section. Use the drop-down menu to select the following options. Select Server Logon Name Attribute as New and type userprincipalname.
  32. Use the drop-down menu to select SSO Name Attribute as New and type userprincipalname.
  33. Enter "UserParameters" in the OTP Secret field and click More.
  34. Enter the following attributes.

    Attribute 1 = mail

    Attribute 2 = objectGUID

    Attribute 3 = immutableID

  35. Click OK.
  36. On the Create Authentication Policy page, set the Expression to true and click Create.
  37. On the Create Authentication Policylabel page, click Bind, and click Done.
  38. On the Policy Binding page, click Bind.
  39. On the Authentication policy page, click Close and click Done.

You probably don’t already have an Advanced Authentication Policy for your normal LDAP server. Change the Action Type to LDAP. Select your normal LDAP server, which is the one that has Authentication enabled. Enter true as the expression. This uses Default Syntax instead of Classic Syntax. Click Create.


Create login schema for second factor OTP

  1. Navigate to Security > AAA - Application Traffic > Virtual Servers. Select the virtual server to be edited.
  2. Scroll down and select 1 Login Schema.
  3. Click Add Binding.
  4. Under the Policy Binding section, click Add to add a policy.
  5. On the Create Authentication Login Schema Policy page, enter a name and click Add.
  6. On the Create Authentication Login Schema page, enter the name, and click the pencil icon next to noschema.
  7. Click the LoginSchema folder, select DualAuthManageOTP.xml, and then click Select.
  8. Click More and scroll down.
  9. In the Password Credential Index field, enter 1. This causes nFactor to save the user's password into authentication, authorization, and auditing Attribute #1, which can be used later in a traffic policy to single sign-on to StoreFront. If you don't do this, then Citrix Gateway tries to use the Passcode to authenticate to StoreFront, which does not work.
  10. Click Create.
  11. In the Rule section, enter True. Click Create.
  12. Click Bind.
  13. Notice the two factors of authentication. Click Close and click Done.

Traffic policy for single sign-on

  1. Navigate to Citrix Gateway > Policies > Traffic.
  2. On the Traffic Profiles tab, click Add.
  3. Enter the name of the traffic profile.
  4. Scroll down, in the SSO Password Expression box, enter the following, and click Create. This is where we use the login schema password attribute specified for the second factor OTP.

    AAA.USER.ATTRIBUTE(1)

  5. On the Traffic Policies tab, click Add.

  6. In the Name field, enter a name for the traffic policy.

  7. In the Request Profile field, select the traffic profile you created.

  8. In the Expression box, enter True. If your Citrix Gateway virtual server allows full VPN, change the expression to the following.

    http.req.method.eq(post)||http.req.method.eq(get) && false

  9. Click Create.

  10. Bind the traffic policy to a VPN virtual server.

    • Navigate to Security > AAA - Application Traffic > Authentication Profile.
    • Configure the authentication profile by selecting the NetScaler Gateway virtual server and then click OK.
    • Navigate to Citrix Gateway > Citrix Gateway Virtual Servers and select the NetScaler Gateway virtual server. The VPN Virtual Server page appears.
    • In the Policies section, click the + icon.
    • Select the policy type as Traffic and click Continue.
    • Select the traffic policy and click Bind.
    • Click Done.

Configure content switching policy for manage OTP

The following configurations are required if you are using Unified Gateway.

  1. Navigate to Traffic Management > Content Switching > Policies. Select the content switching policy, right-click, and select Edit.

  2. Edit the expression to evaluate the following OR statement and clickOK:

    is_vpn_url || HTTP.REQ.URL.CONTAINS("manageotp")

Configure Native OTP using the CLI

You must have the following information to configure the OTP device management page:

  • IP assigned to authentication virtual server
  • FQDN corresponding to the assigned IP
  • Server certificate for authentication virtual server

Note:

Native OTP is a web-based solution only.

To configure the OTP device registration and management page

Create authentication virtual server

```
add authentication vserver authvs SSL 1.2.3.5 443
bind authentication vserver authvs -portaltheme RFWebUI
bind ssl vserver authvs -certkeyname otpauthcert
```

Note:

The authentication virtual server must be bound to the RFWebUI portal theme. Bind a server certificate to the server. The server IP ‘1.2.3.5’ must have a corresponding FQDN that is, otpauth.server.com, for later use.

To create LDAP logon action

add authentication ldapAction -serverIP -serverPort -ldapBase -ldapBindDn -ldapBindDnPassword -ldapLoginName

Example:

add authentication ldapAction ldap_logon_action -serverIP 1.2.3.4 -serverPort 636 -ldapBase "OU=Users,DC=server,DC=com" -ldapBindDn administrator@ctxnsdev.com -ldapBindDnPassword PASSWORD -ldapLoginName userprincipalname

To add authentication policy for LDAP Logon

add authentication Policy auth_pol_ldap_logon -rule true -action ldap_logon_action

To present UI via LoginSchema

Show user name field and password field to users upon logon

add authentication loginSchema lschema_single_auth_manage_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"

Display device registration and management page

Citrix recommends two ways of displaying the device registration and management screen: URL or host name.

Note:

Currently, device registration and device management can be performed only using a browser.

  • Using URL

    When the URL contains '/manageotp'

    • add authentication loginSchemaPolicy lpol_single_auth_manage_otp_by_url -rule "http.req.cookie.value(\"NSC_TASS\").contains(\"manageotp\")" -action lschema_single_auth_manage_otp
    • bind authentication vserver authvs -policy lpol_single_auth_manage_otp_by_url -priority 10 -gotoPriorityExpression END
  • Using hostname

    When the host name is 'alt.server.com'

    • add authentication loginSchemaPolicy lpol_single_auth_manage_otp_by_host -rule "http.req.header(\"host\").eq(\"alt.server.com\")" -action lschema_single_auth_manage_otp
    • bind authentication vserver authvs -policy lpol_single_auth_manage_otp_by_host -priority 20 -gotoPriorityExpression END

To configure the user login page using the CLI

You must have the following information to configure the User Logon page:

  • IP for a load balancing virtual server
  • Corresponding FQDN for the load balancing virtual server
  • Server certificate for the load balancing virtual server

    bind ssl vserver lbvs_https -certkeyname lbvs_server_cert 

Back-end service in load balancing is represented as follows:

```
add service iis_backendsso_server_com 1.2.3.210 HTTP 80
bind lb vserver lbvs_https iis_backendsso_server_com
```

To create OTP passcode validation action

add authentication ldapAction -serverIP -serverPort -ldapBase -ldapBindDn -ldapBindDnPassword -ldapLoginName -authentication DISABLED -OTPSecret

Example:

add authentication ldapAction ldap_otp_action -serverIP 1.2.3.4 -serverPort 636 -ldapBase "OU=Users,DC=server,DC=com" -ldapBindDn administrator@ctxnsdev.com -ldapBindDnPassword PASSWORD -ldapLoginName userprincipalname -authentication DISABLED -OTPSecret userParameters 

Important:

The difference between the LDAP logon action and the OTP action is the need to disable authentication and introduce a new parameter, OTPSecret. Do not use the AD attribute value.

To add authentication policy for OTP passcode validation

add authentication Policy auth_pol_otp_validation -rule true -action ldap_otp_action

To present the two-factor authentication through LoginSchema

Add the UI for two factor authentication.

```
add authentication loginSchema lscheme_dual_factor -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml"
add authentication loginSchemaPolicy lpol_dual_factor -rule true -action lscheme_dual_factor
```

To create passcode validation factor via the policy label

Create a manage OTP flow policy label for the next factor (the first factor is LDAP logon).

```
add authentication loginSchema lschema_noschema -authenticationSchema noschema
add authentication policylabel manage_otp_flow_label -loginSchema lschema_noschema
```

To bind the OTP policy to the policy label

bind authentication policylabel manage_otp_flow_label -policyName auth_pol_otp_validation -priority 10 -gotoPriorityExpression NEXT

To bind the UI flow

Bind the LDAP logon followed by the OTP validation with the authentication virtual server.

```
bind authentication vserver authvs -policy auth_pol_ldap_logon -priority 10 -nextFactor manage_otp_flow_label -gotoPriorityExpression NEXT
bind authentication vserver authvs -policy lpol_dual_factor -priority 30 -gotoPriorityExpression END
```

To create a traffic policy for single sign-on and bind it to a VPN virtual server

```
add vpn trafficAction vpn_html_pol http -userExpression aaa.user.attribute(1) -passwdExpression aaa.user.attribute(2)
add vpn trafficpolicy tf1 'http.req.method.eq(post)||http.req.method.eq(get) && false' vpn_html_pol
bind vpn vserver vpn1 -policy tf1 -priority 10
```

Register your device with Citrix ADC

  1. On your browser, navigate to your Citrix ADC FQDN (first public facing IP), with a /manageotp suffix. For example, https://otpauth.server.com/manageotp. Log in with your user credentials.
  2. Click the + icon to add a device.

    Gateway logon page

  3. Enter a device name and press Go. A barcode appears on the screen.
  4. Click Begin Setup and then click Scan Barcode.
  5. Hover the device camera over the QR code. You can optionally enter the code.

    QR code

    Note:

    The displayed QR code is valid for 3 minutes.

  6. Upon successful scan, you are presented with a 6-digit time-sensitive code that can be used to log in.

    Logon success message

  7. To test, click Done on the QR screen, then click the green check mark on the right.
  8. Select your device from the drop-down menu, enter the code from Google Authenticator (must be blue, not red), and click Go.
  9. Make sure to log out using the drop-down menu at the top right corner of the page.

Log in to Citrix ADC using the OTP

  1. Navigate to your first public-facing URL and enter your OTP from Google Authenticator to log on.
  2. Authenticate to the Citrix ADC splash page.

    ADC authentication page