Setup Citrix Access Gateway Enterprise Edition (NetScaler) for use of multiple authentication methods.

Transcription

1 Nordic Edge One Time Password (OTP Server) has a comprehensive RADIUS support, including support for multiple authentication methods. This means that the end user can choose authentication method: SMS, the software token Pledge or OATH-compliant tokens. This step by step guide explains how you set up the Citrix Access Gateway Enterprise Edition (NetScaler) and the Nordic Edge OTP Server with multiple authentication methods. In this example, we are going to set up two methods, SMS and Pledge. 1 Prerequisites 2 Multiple authentication methods 3 Configuring Citrix NetScaler 3.1 Add multiple authentication function to the Citrix NetScaler login page Backup files in Citrix NetScaler 3.2 Update Citrix NetScaler startup script 3.3 Add multiple authentication methods to NetScaler configuration Restart Citrix NetScaler 4 Configure the One Time Password Server for use of multiple authentication methods. 4.1 Create databases for Citrix Authentication Methods 4.2 Configure OTP Server Clients for your authentication methods Create OTP Server client for SMS authentication Create OTP Server Client for Pledge authentication Restart OTP Server Test authentication with multiple authentication methods 5 Technical questions

2 1 Prerequisites The guide begins with instructions for setting up the Citrix NetScaler and OTP Server with Pledge: You need to have the following installed before you begin: OTP Server Citrix NetScaler and XenServer Start the OTP Configurator and verify the setup below: 1. Databases - MS Active Directory; The OTP Database points to a LDAP directory with user objects and mobile numbers. 2. Clients - My SSL-VPN Server; The OTP Client for Citrix NetScaler points to the MS Active Directory Database. 3. Delivery Methods: Nordic Edge SMS service needs to be enabled to send text messages with one-time passwords. 4. Misc - Identity Manager & Pledge Enrollment needs to be enabled.

3 2 Multiple authentication methods Citrix NetScaler and OTP Server integrate via RADIUS protocol. For multiple authentication methods, Citrix NetScaler sends which method the end user requires via RADIUS attribute to the OTP Server. This RADIUS attribute is called NAS ID in Citrix NetScaler and uses RADIUS attribute number Configuring Citrix NetScaler These are the main steps that need to be performed to configure Citrix NetScaler: 1. Add multiple authentication function in the login page. 2. Adjust startup script to use new login page. 3. Add authentication methods to NetScaler configuration. 3.1 Add multiple authentication function to the Citrix NetScaler login page Backup files in Citrix NetScaler

4 Changes will be made to the following files: /netscaler/ns_gui/vpn/index.html /nsconfig/rc.netscaler NOTE: Backup these files before continuing. - Add the configuration below to /netscaler/ns_gui/vpn/index.html. See this example index.html for instructions on where to place this configuration.  <script type="text/javascript"> function getcookie(name) { // use: getcookie("name"); var re = new RegExp(name + "=([^;]+)"); var value = re.exec(document.cookie); return (value!= null)? unescape(value[1]) : null; } var today = new Date(); var expiry = new Date(today.getTime() + 28 * 24 * 3600 * 1000); // plus 28 days var expired = new Date(today.getTime() - 24 * 3600 * 1000); // less 24 hours function setcookie(name, value) { // use: setcookie("name", value); document.cookie=name + "=" + escape(value) + "; path=/; expires=" + expiry.togmtstring(); } function storevalues(form) { setcookie("logonmethod", form.logonmethod.value); return true; } </script> <FORM method="post" action="/cgi/login" name="vpnform" autocomplete="off" style="margin:0" onsubmit="return storevalues(this); clean_name_cookie();">   <TR><TD align=center><span class="ctxmsam_logonfont" style="padding-right:10px;">logon method:</span></td> <TD><select name="logonmethod" size="1" style="width: 100px;"> <script type"text/javascript"> var logonmethod=getcookie("logonmethod"); var MyLogonMethods=["SMS","Pledge"]; for (var i = 0; i < MyLogonMethods.length; i++) { document.write("<option "); if (MyLogonMethods[i] == logonmethod) { document.write("selected=\"selected\" "); } document.write("value=\""+ MyLogonMethods[i] + "\">" + MyLogonMethods[i] + "</option>"); } </script> </select></td></tr>

5 3.2 Update Citrix NetScaler startup script Add "cp /var/vpn/vpn/index.html /netscaler/ns_gui/vpn/index.html" to /nsconfig/rc.netscaler Example 3.3 Add multiple authentication methods to NetScaler configuration In this step we will configure the Citrix NetScaler Authentication Server with policies corresponding to SMS and Pledge. This configuration will then be associated with the NetScaler Virtual Server. Information about authentication methods will be sent via a RADIUS attribute. - Browse to the Citrix NetScaler configuration. Example: - Add Authentication Server. - Expand Access Gateway, then Policies, click on Authentication. - Click on Servers-tab and click on the Add-button.

6 - Type "SMS" as the name of the Authentication Server. - Choose RADIUS as Authentication Type. - Type the IP adress to the OTP Server. - Change the Time-out to Type a Secret Key. Enter the same key in OTP Server (it's called shared secret in OTP Server). - Type "SMS" as the NAS ID. - Click Create.

7 Create one more Authentication Server for Pledge (Reuse the window or click the add-button again). - Type "Pledge" as the name of the Authentication Server. - Choose RADIUS as Authentication Type - Type the IP adress to the OTP Server. - Change the Time-out to Type a Secret Key. Enter the same key in OTP Server (it's called shared secret in OTP Server). - Type "SMS" as the NAS ID.

8 Add Authentication Policy - Click on the Policies tab and click on Add-button. - Type "SMS Server" as the name. - Select RADIUS as Authentication Type. - Select SMS as Server. - Click on Add-button.

9 - Select HEADER as Qualifier. - Select CONTAINS as Operator. - Type "SMS" as Value. - Type "Cookie" as Header Name. - Verify that the settings are according to the example below and click Create.

10 - Create another Authentication Policy for Pledge. (Reuse the window or click the add-button again). - Enter Pledge Server as name. - Select RADIUS Authentication Type. - Select Server Pledge. - Click on Modify-button.

11 - Change to Operator to CONTAINS. - Type "Pledge" as Value. - Click on OK. - Verify that the settings are according to the example below and click Create.

12 Connect Authentication Policy to your Citrix Virtual Server - Click on Access Gateway, then on Virtual Servers. Select the Virtual Server, in this guide called vs1. - Click on Open.

13 - Click on the Authentication tab. - Click on Insert Policy.

14 - Select SMS Server. - Repeat this step and select Pledge Server. - Verify that the settings are according to the example below and click Create.

15 - Click on Save to save all settings.

16 Restart Citrix NetScaler - Click on System, then the Reboot-button.

17

18 4 Configure the One Time Password Server for use of multiple authentication methods. In this step we will configure OTP Clients and OTP Databases that correspond to the authentication methods used by Citrix NetScaler. 1. Create OTP Databases for SMS and Pledge authentication. 2. Create OTP Clients with Client Name for SMS and Pledge authentication. Start the One Time Password Server Configurator 4.1 Create databases for Citrix Authentication Methods Expand Databases and click on the MS Active Directory database.

19 In this example we will rename the OTP Database to clarify its use for authentication with one-time passwords via SMS. - Type "SMS AD" as Database Display Name and click on Save Config.

20 - Create a new OTP Database for Pledge authentication by right clicking on the database called SMS AD in the left pane. Choose Duplicate Database.

21 - Type Pledge AD as Database Display Name. - Select Use HOTP or TOTP (OATH). - Change OTP Attribute to the attribute used for Pledge OATH keys. In this guide we use the carlicense attribute. NOTE: The administrator account used for this database (Admin DN) requires modification rights for the attribute carlicense on all user objects in the LDAP directory to be able to update the counter for the Pledge OATH-key.

22

23 4.2 Configure OTP Server Clients for your authentication methods The Nordic Edge OTP Server Client supports RADIUS attribute detection. This means that the OTP Server can detect additional information sent by Citrix NetScaler. In this case, Citrix NetScaler sends extra attribute information regarding which authentication method the end user wants to authenticate with. Create OTP Server client for SMS authentication This client will be used by Citrix NetScaler for authentication with SMS. - Expand Clients and click on the "My SSL-VPN Server" client. This was created with the Step by step guide to implement SMS authentication to Citrix Access Gateway Enterprise Edition - Change the Client Display name to NetScaler SMS. - Click on the Advanced-button. - Select Enable Attribute Detection

24 - Set RADIUS attribute number to 32 - Type SMS as RADIUS attribute value INFO: RADIUS attribute number and value corresponds to the NAS ID setting in Citrix NetScaler Authentication Server. - Verify that the settings are according to the example below and click Save config.

25

26 Create OTP Server Client for Pledge authentication This client will be used by Citrix NetScaler for authentication with Pledge. - Select the NetScaler SMS Client and right click. Click on Duplicate Client. - Change the Client Display name to NetScaler Pledge. - Click on the Advanced-button.

27 - Change RADIUS attribute value to Pledge - Click on OK

28 - Select SMS AD database as the User Database - Click on Save

29 Restart OTP Server - Close the OTP Configurator and shut down the OTP Server.

30 - Start your OTP Server service again. You have now configured Citrix NetScaler and the Nordic Edge OTP Server for use with multiple authentication methods.

31 Test authentication with multiple authentication methods End users can now chose between different authentication methods on the Citrix NetScaler login page. Browse to the NetScaler URL. Select the required authentication method, in this case SMS and Pledge. Then type your username and password. Note: NetScaler will remember logon method last used by the end user.

32