Setup Citrix Access Gateway Enterprise Edition (NetScaler) for use of multiple authentication methods.



Nordic Edge One Time Password Server (OTP Server) has comprehensive RADIUS support, including support for multiple authentication methods. This means that the end user can choose the authentication method: SMS, the software token Pledge, or OATH-compliant tokens. This step by step guide explains how to set up the Citrix Access Gateway Enterprise Edition (NetScaler) and the Nordic Edge OTP Server with multiple authentication methods. In this example we set up two methods, SMS and Pledge.

1 Prerequisites
2 Multiple authentication methods
3 Configuring Citrix NetScaler
  3.1 Add multiple authentication function to the Citrix NetScaler login page
      Backup files in Citrix NetScaler
  3.2 Update Citrix NetScaler startup script
  3.3 Add multiple authentication methods to NetScaler configuration
      Restart Citrix NetScaler
4 Configure the One Time Password Server for use of multiple authentication methods
  4.1 Create databases for Citrix Authentication Methods
  4.2 Configure OTP Server Clients for your authentication methods
      Create OTP Server client for SMS authentication
      Create OTP Server Client for Pledge authentication
      Restart OTP Server
      Test authentication with multiple authentication methods
5 Technical questions

1 Prerequisites

This guide assumes that the Citrix NetScaler and the OTP Server have already been set up for Pledge and SMS authentication according to these guides:
- http://support.nordicedge.se/step-by-step-guide-to-implement-pledge-enrollment-to-otpserver-3
- http://support.nordicedge.se/step-by-step-guide-to-implement-sms-authentication-to-citrix-accessgateway-enterprise-edition

You need to have the following installed before you begin:
- OTP Server
- Citrix NetScaler and XenServer

Start the OTP Configurator and verify the setup below:
1. Databases - MS Active Directory: the OTP Database points to an LDAP directory with user objects and mobile numbers.
2. Clients - My SSL-VPN Server: the OTP Client for Citrix NetScaler points to the MS Active Directory Database.
3. Delivery Methods: the Nordic Edge SMS service needs to be enabled to send text messages with one-time passwords.
4. Misc - Identity Manager & Pledge Enrollment needs to be enabled.

2 Multiple authentication methods

Citrix NetScaler and OTP Server integrate via the RADIUS protocol. For multiple authentication methods, Citrix NetScaler tells the OTP Server which method the end user has requested by means of a RADIUS attribute. This attribute is called NAS ID in Citrix NetScaler and uses RADIUS attribute number 32.

3 Configuring Citrix NetScaler

These are the main steps that need to be performed to configure Citrix NetScaler:
1. Add the multiple authentication function to the login page.
2. Adjust the startup script to use the new login page.
3. Add the authentication methods to the NetScaler configuration.

3.1 Add multiple authentication function to the Citrix NetScaler login page

Backup files in Citrix NetScaler

Changes will be made to the following files:
- /netscaler/ns_gui/vpn/index.html
- /nsconfig/rc.netscaler

NOTE: Back up these files before continuing.

- Add the configuration below to /netscaler/ns_gui/vpn/index.html. See this example index.html for instructions on where to place this configuration.

<!-- Nordic Edge modification Start -->
<script type="text/javascript">
  function getcookie(name) { // use: getcookie("name");
    var re = new RegExp(name + "=([^;]+)");
    var value = re.exec(document.cookie);
    return (value != null) ? unescape(value[1]) : null;
  }
  var today = new Date();
  var expiry = new Date(today.getTime() + 28 * 24 * 3600 * 1000); // plus 28 days
  var expired = new Date(today.getTime() - 24 * 3600 * 1000); // less 24 hours
  function setcookie(name, value) { // use: setcookie("name", value);
    document.cookie = name + "=" + escape(value) + "; path=/; expires=" + expiry.toGMTString();
  }
  // Remember the selected logon method in a cookie before the form is posted
  function storevalues(form) {
    setcookie("logonmethod", form.logonmethod.value);
    return true;
  }
</script>
<!-- clean_name_cookie() is the page's existing handler; it has to run before the return,
     otherwise it is never reached -->
<FORM method="post" action="/cgi/login" name="vpnform" autocomplete="off" style="margin:0" onsubmit="clean_name_cookie(); return storevalues(this);">
<!-- Nordic Edge modification End -->

<!-- Nordic Edge modification Start -->
<TR><TD align=center><span class="ctxmsam_logonfont" style="padding-right:10px;">Logon method:</span></td>
<TD><select name="logonmethod" size="1" style="width: 100px;">
<script type="text/javascript">
  // Pre-select the method stored in the cookie from the previous logon
  var logonmethod = getcookie("logonmethod");
  var MyLogonMethods = ["SMS", "Pledge"];
  for (var i = 0; i < MyLogonMethods.length; i++) {
    document.write("<option ");
    if (MyLogonMethods[i] == logonmethod) {
      document.write("selected=\"selected\" ");
    }
    document.write("value=\"" + MyLogonMethods[i] + "\">" + MyLogonMethods[i] + "</option>");
  }
</script>
</select></td></tr>
<!-- Nordic Edge modification End -->

3.2 Update Citrix NetScaler startup script

Add the following line to /nsconfig/rc.netscaler (the modified index.html is kept under /var/vpn/vpn/ and copied into place at startup):

cp /var/vpn/vpn/index.html /netscaler/ns_gui/vpn/index.html

3.3 Add multiple authentication methods to NetScaler configuration

In this step we configure the Citrix NetScaler Authentication Servers with policies corresponding to SMS and Pledge. This configuration is then associated with the NetScaler Virtual Server. Information about the authentication method is sent via a RADIUS attribute.

- Browse to the Citrix NetScaler configuration. Example: https://192.168.0.94
- Add an Authentication Server:
- Expand Access Gateway, then Policies, and click on Authentication.
- Click on the Servers tab and click on the Add button.

- Type "SMS" as the name of the Authentication Server.
- Choose RADIUS as Authentication Type.
- Type the IP address of the OTP Server.
- Change the Time-out to 25.
- Type a Secret Key. Enter the same key in OTP Server (it is called shared secret in OTP Server).
- Type "SMS" as the NAS ID.
- Click Create.

Create one more Authentication Server for Pledge (reuse the window or click the Add button again).
- Type "Pledge" as the name of the Authentication Server.
- Choose RADIUS as Authentication Type.
- Type the IP address of the OTP Server.
- Change the Time-out to 25.
- Type a Secret Key. Enter the same key in OTP Server (it is called shared secret in OTP Server).
- Type "SMS" as the NAS ID.

Add Authentication Policy
- Click on the Policies tab and click on the Add button.
- Type "SMS Server" as the name.
- Select RADIUS as Authentication Type.
- Select SMS as Server.
- Click on the Add button.
- Select HEADER as Qualifier.
- Select CONTAINS as Operator.
- Type "SMS" as Value.
- Type "Cookie" as Header Name.
- Verify the settings and click Create.

- Create another Authentication Policy for Pledge (reuse the window or click the Add button again).
- Enter "Pledge Server" as name.
- Select RADIUS as Authentication Type.
- Select Pledge as Server.
- Click on the Modify button.
- Change the Operator to CONTAINS.
- Type "Pledge" as Value.
- Click on OK.
- Verify the settings and click Create.

Connect Authentication Policy to your Citrix Virtual Server
- Click on Access Gateway, then on Virtual Servers. Select the Virtual Server, in this guide called vs1.
- Click on Open.
- Click on the Authentication tab.
- Click on Insert Policy.
- Select SMS Server.
- Repeat this step and select Pledge Server.
- Verify the settings and click Create.
- Click on Save to save all settings.

Restart Citrix NetScaler
- Click on System, then the Reboot button.

4 Configure the One Time Password Server for use of multiple authentication methods

In this step we configure OTP Clients and OTP Databases that correspond to the authentication methods used by Citrix NetScaler:
1. Create OTP Databases for SMS and Pledge authentication.
2. Create OTP Clients with Client Names for SMS and Pledge authentication.

Start the One Time Password Server Configurator.

4.1 Create databases for Citrix Authentication Methods

Expand Databases and click on the MS Active Directory database.

In this example we rename the OTP Database to make clear that it is used for authentication with one-time passwords via SMS.
- Type "SMS AD" as Database Display Name and click on Save Config.

- Create a new OTP Database for Pledge authentication by right-clicking on the database called SMS AD in the left pane and choosing Duplicate Database.
- Type "Pledge AD" as Database Display Name.
- Select Use HOTP or TOTP (OATH).
- Change OTP Attribute to the attribute used for Pledge OATH keys. In this guide we use the carlicense attribute.

NOTE: The administrator account used for this database (Admin DN) requires modification rights for the attribute carlicense on all user objects in the LDAP directory, so that it can update the counter for the Pledge OATH key.

4.2 Configure OTP Server Clients for your authentication methods

The Nordic Edge OTP Server Client supports RADIUS attribute detection. This means that the OTP Server can act on additional information sent by Citrix NetScaler. In this case, Citrix NetScaler sends an extra attribute stating which authentication method the end user wants to authenticate with.

Create OTP Server client for SMS authentication

This client will be used by Citrix NetScaler for authentication with SMS.
- Expand Clients and click on the "My SSL-VPN Server" client. This client was created in the Step by step guide to implement SMS authentication to Citrix Access Gateway Enterprise Edition.
- Change the Client Display Name to "NetScaler SMS".
- Click on the Advanced button.
- Select Enable Attribute Detection.
- Set RADIUS attribute number to 32.
- Type "SMS" as RADIUS attribute value.
INFO: The RADIUS attribute number and value correspond to the NAS ID setting of the Citrix NetScaler Authentication Server.
- Verify the settings and click Save config.
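The RADIUS exchange behind sections 2 and 4.2, as an added Python example that is not part of the original guide or of either product: it encodes the Access-Request a NetScaler Authentication Server sends (User-Name, the User-Password obfuscation of RFC 2865 section 5.2 under the shared secret, and NAS-Identifier, attribute 32, carrying the NAS ID) and shows the OTP-Server-side attribute detection picking a client by exact attribute value. The shared secret, user name, password and the client table are constructed sample values, and the parser rejects malformed attribute lengths rather than reading past the packet.

```python
import hashlib, os, struct

# RFC 2865 codes; attribute 32 is NAS-Identifier, the "NAS ID" field of a NetScaler RADIUS server
ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 1, 2, 32
CLIENTS = {b"SMS": "NetScaler SMS", b"Pledge": "NetScaler Pledge"}  # constructed, mirrors section 4.2

def _xor_md5(block, secret, prev):
    return bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))

def pap_obfuscate(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with MD5(secret + previous
    # cipher block), the first one chained from the 16-byte Request Authenticator
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_md5(padded[i:i + 16], secret, prev)
        out += prev
    return out

def pap_recover(encrypted, secret, authenticator):
    # Inverse of pap_obfuscate; the chained value is the previous *cipher* block
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        out += _xor_md5(encrypted[i:i + 16], secret, prev)
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, nas_id, secret, ident=1, authenticator=None):
    # What NetScaler sends: 20-byte header (code, id, length, Request Authenticator), then TLVs
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for typ, val in ((USER_NAME, username.encode()),
                     (USER_PASSWORD, pap_obfuscate(password.encode(), secret, authenticator)),
                     (NAS_IDENTIFIER, nas_id.encode())):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val  # length counts the 2-byte TLV header
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    # Walk the TLV list after the header; refuse lengths that would run past the packet end
    attrs, pos = {}, 20
    while pos < len(packet):
        typ, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[typ] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def select_client(packet, secret):
    # OTP Server side attribute detection: an exact match on the NAS-Identifier value selects
    # the client (and so the method); an unknown value yields None and the request is rejected
    attrs = parse_attributes(packet)
    if attrs.get(NAS_IDENTIFIER) not in CLIENTS:
        return None
    password = pap_recover(attrs[USER_PASSWORD], secret, packet[4:20])
    return {"client": CLIENTS[attrs[NAS_IDENTIFIER]], "user": attrs[USER_NAME].decode(),
            "password": password.decode()}
```

Because the match is exact, a value such as "SMS2" selects nothing, unlike the substring CONTAINS match of the NetScaler cookie policy above; keep the method names distinct so both sides agree.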

Create OTP Server Client for Pledge authentication

This client will be used by Citrix NetScaler for authentication with Pledge.
- Right-click the NetScaler SMS client and click on Duplicate Client.
- Change the Client Display Name to "NetScaler Pledge".
- Click on the Advanced button.
- Change RADIUS attribute value to "Pledge".
- Click on OK.
- Select SMS AD database as the User Database.
- Click on Save.

Restart OTP Server
- Close the OTP Configurator and shut down the OTP Server.
- Start your OTP Server service again.

You have now configured Citrix NetScaler and the Nordic Edge OTP Server for use with multiple authentication methods.

Test authentication with multiple authentication methods

End users can now choose between the different authentication methods on the Citrix NetScaler login page. Browse to the NetScaler URL and select the required authentication method, in this case SMS or Pledge. Then type your username and password.

Note: NetScaler remembers the logon method last used by the end user (it is stored in the logonmethod cookie set by the modified login page).