Native OTP support for authentication

Citrix Gateway supports one-time passwords (OTPs) without requiring a third-party server. A one-time password is a highly secure option for authenticating to secure servers because the generated number or passcode is random. Previously, OTPs were offered by specialized firms, such as RSA, using dedicated devices that generate random numbers. Such a system must be in constant communication with the client to generate the number expected by the server.

In addition to reducing capital and operating expenses, this feature enhances the administrator’s control by keeping the entire configuration on the Citrix ADC appliance.

Note:

Because third-party servers are no longer needed, the Citrix ADC administrator has to configure an interface to manage and validate user devices.

Users must be registered with a Citrix Gateway virtual server to use the OTP solution. Registration is required only once per unique device, and can be restricted to certain environments. Configuring and validating a registered user is similar to configuring an extra authentication policy.

Advantages of native OTP support

  • Reduces operating cost by eliminating the need to have an extra infrastructure on an authenticating server in addition to the Active Directory.
  • Consolidates the configuration on the Citrix ADC appliance alone, thus offering administrators greater control.
  • Eliminates the client’s dependence on an extra authentication server for generating a number expected by clients.

Native OTP workflow

The native OTP solution is a two-fold process; its workflow consists of the following:

  • Device registration
  • End user login

Important: You can skip the registration process if you are using third-party solutions or managing other devices apart from the Citrix ADC appliance. The final string that you add must be in the Citrix ADC specified format.

The following figure depicts the device registration flow to register a new device to receive OTP.

OTP workflow

Note:

The device registration can be done using any number of factors. The single factor (as specified in the previous figure) is used as an example to explain the device registration process.

The following figure depicts the verification of OTP through the registered device.

OTP verification workflow

Prerequisites

To use the native OTP feature, ensure the following prerequisites are met.

  • Citrix ADC feature release version is 12.0 build 51.24 and later.
  • Advanced or Premium edition license is installed on Citrix Gateway.
  • Citrix Gateway is configured with management IP and the management console is accessible both using a browser and command line.
  • Citrix ADC is configured with authentication, authorization, and auditing virtual server to authenticate users.
  • Citrix ADC appliance is configured with Unified Gateway and the authentication, authorization, and auditing profile is assigned to the Gateway virtual server.
  • Native OTP solution is restricted to nFactor authentication flow. Advanced policies are required to configure the solution. For more details, see article CTX222713.

Also ensure the following for Active Directory:

  • A minimum attribute length of 256 characters.
  • Attribute type must be ‘DirectoryString’ such as UserParameters. These attributes can hold string values.
  • The attribute string type must be Unicode if the device name contains non-English characters.
  • Citrix ADC LDAP administrator must have write access to the selected AD attribute.
  • Citrix ADC appliance and client machine must be synced to a common Network Time Server.

Configure Native OTP using the GUI

The native OTP registration is not a single-factor authentication. The following sections help you configure the first and second factor authentication.

Create Login Schema for first factor

  1. Navigate to Security AAA > Application Traffic > Login Schema.
  2. Go to Profiles and click Add.
  3. On the Create Authentication Login Schema page, enter lschema_single_auth_manage_otp under the Name field and click Edit next to noschema.
  4. Click the LoginSchema folder.
  5. Scroll down to select SingleAuth.xml and click Select.
  6. Click Create.
  7. Click Policies and Click Add.
  8. On the Create Authentication Login Schema Policy screen, enter the following values.

    Name: lpol_single_auth_manage_otp_by_url

    Profile: select lpol_single_auth_manage_otp_by_url from the list.

    Rule: HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp")

Configure authentication, authorization, and auditing virtual server

  1. Navigate to Security > AAA – Application Traffic > Authentication Virtual Servers. Click to edit the existing virtual server.
  2. Click the + icon next to Login Schemas under Advanced Settings in the right pane.
  3. Select No Login Schema.
  4. Click the arrow and select the lpol_single_auth_manage_otp_by_url policy.
  5. Select the lpol_single_auth_manage_otp_by_url policy and Click Select.
  6. Click Bind.
  7. Scroll up and select 1 Authentication Policy under Advanced Authentication Policy.
  8. Right-click the nFactor Policy and select Edit Binding.
  9. Click the + icon present under Select Next Factor, create a Next Factor, and click Bind.
  10. On the Create Authentication PolicyLabel screen, enter the following, and click Continue:

    Name: manage_otp_flow_label

    Login Schema: Lschema_Int

  11. On the Authentication PolicyLabel screen, click the + icon to create a Policy.

  12. On the Create Authentication Policy screen, enter the following:

    Name: auth_pol_ldap_otp_action

  13. Select the Action type using the Action Type list.
  14. In the Action field, click the + icon to create an Action.
  15. In the Create Authentication LDAP server page, select the Server IP radio button, deselect the check box next to Authentication, enter the following values, and select Test Connection.

    Name: ldap_otp_action

    IP Address: 192.168.10.11

    Base DN: DC=training, DC=lab

    Administrator: Administrator@training.lab

    Password: xxxxx

  16. Scroll down to the Other Settings section. Use the drop-down menu to set Server Logon Name Attribute to New and type userprincipalname.
  17. Use the drop-down menu to set SSO Name Attribute to New and type userprincipalname.
  18. Enter “UserParameters” in the OTP Secret field and click More.
  19. Enter the following Attributes.

    Attribute 1 = mail

    Attribute 2 = objectGUID

    Attribute 3 = immutableID

  20. Click OK.
  21. On the Create Authentication Policy page, set the Expression to true and click Create.
  22. On the Create Authentication Policylabel page, click Bind, and click Done.
  23. On the Policy Binding page, click Bind.
  24. On the Authentication policy page, click Close and click Done.

Note:

The authentication virtual server must be bound to the RFWebUI portal theme. Bind a server certificate to the server. The server IP ‘1.2.3.5’ must have a corresponding FQDN (in this example, otpauth.server.com) for later use.

Create login schema for second factor OTP

  1. Navigate to Security > AAA-Application Traffic > Virtual Servers. Select the virtual server to be edited.
  2. Scroll down and select 1 Login Schema.
  3. Click Add Binding.
  4. Under the Policy Binding section, click the + icon to add a policy.
  5. On the Create Authentication Login Schema Policy page, enter Name as OTP, and click the + icon to create a profile.
  6. On the Create Authentication Login Schema page, enter Name as OTP, and click the icon next to noschema.
  7. Click the LoginSchema folder, select DualAuthManageOTP.xml, and then click Select.
  8. Click Create.
  9. In the Rule section, enter True. Click Create.
  10. Click Bind.
  11. Notice the two factors of authentication. Click Close and click Done.

Configure content switching policy for manage OTP

The following configurations are required if you are using Unified Gateway.

  1. Navigate to Traffic Management > Content Switching > Policies. Select the content switching policy, right-click, and select Edit.

  2. Edit the expression so that it evaluates the following OR statement and click OK:

is_vpn_url || HTTP.REQ.URL.CONTAINS("manageotp")

Configure Native OTP using the CLI

You must have the following information to configure the OTP device management page:

  • IP assigned to authentication virtual server
  • FQDN corresponding to the assigned IP
  • Server certificate for authentication virtual server

Note:

Native OTP is a web-based solution only.

To configure the OTP device registration and management page

Create authentication virtual server

add authentication vserver authvs SSL 1.2.3.5 443
bind authentication vserver authvs -portaltheme RFWebUI
bind ssl vserver authvs -certkeyname otpauthcert
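The commands below are an added example, not part of the original article, showing the CLI equivalents of the GUI steps above (login schema for the first factor, the LDAP action with the OTP secret attribute, the OTP policy label, the second-factor login schema, and the Unified Gateway content switching rule), continuing from the authvs virtual server created above. Object names, the LDAP server IP, base DN, bind account and the UserParameters attribute are taken from the GUI steps; the existing first-factor policy name (ldap_first_factor_pol), the content switching policy name (cs_pol_ug) and the binding priorities are assumptions. Lines starting with # are explanatory comments.

```nscli
# Added example (not from the original page): CLI form of the GUI configuration above.

# --- Login schema for the device-management (first factor) flow ---
# Same SingleAuth.xml schema and NSC_TASS cookie rule as in the GUI steps.
add authentication loginSchema lschema_single_auth_manage_otp -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication loginSchemaPolicy lpol_single_auth_manage_otp_by_url -rule q{HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp")} -action lschema_single_auth_manage_otp

# --- LDAP action that stores the OTP secret in UserParameters ---
# Authentication is DISABLED because this action only reads/writes the OTP attribute;
# the bind account therefore needs write access to UserParameters (see prerequisites).
add authentication ldapAction ldap_otp_action -serverIP 192.168.10.11 -ldapBase "DC=training,DC=lab" -ldapBindDn Administrator@training.lab -ldapBindDnPassword xxxxx -ldapLoginName userprincipalname -ssoNameAttribute userprincipalname -authentication DISABLED -OTPSecret UserParameters -Attribute1 mail -Attribute2 objectGUID -Attribute3 immutableID
add authentication Policy auth_pol_ldap_otp_action -rule true -action ldap_otp_action

# --- Policy label for the OTP factor (uses the built-in LSCHEMA_INT schema) ---
add authentication policylabel manage_otp_flow_label -loginSchema LSCHEMA_INT
bind authentication policylabel manage_otp_flow_label -policyName auth_pol_ldap_otp_action -priority 100 -gotoPriorityExpression NEXT

# --- Bind to the authentication virtual server ---
# ldap_first_factor_pol is an assumed name for the existing first-factor policy;
# it chains to the OTP label as its next factor.
bind authentication vserver authvs -policy ldap_first_factor_pol -priority 100 -nextFactor manage_otp_flow_label -gotoPriorityExpression NEXT
# The cookie-driven schema must be evaluated before the rule-true dual schema,
# so it gets the lower priority number (assumed values 100 and 110).
bind authentication vserver authvs -policy lpol_single_auth_manage_otp_by_url -priority 100 -gotoPriorityExpression END

# --- Login schema for the second factor ---
add authentication loginSchema OTP -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthManageOTP.xml"
add authentication loginSchemaPolicy OTP -rule true -action OTP
bind authentication vserver authvs -policy OTP -priority 110 -gotoPriorityExpression END

# --- Content switching (Unified Gateway only) ---
# cs_pol_ug is an assumed name for the existing Unified Gateway content switching policy.
set cs policy cs_pol_ug -rule q{is_vpn_url || HTTP.REQ.URL.CONTAINS("manageotp")}
```

Two points worth checking after applying this: `show authentication vserver authvs` should list both login schema policies with the NSC_TASS rule at the lower priority number, and the LDAP bind account in `ldap_otp_action` should be a dedicated account whose write permission is limited to the chosen OTP attribute rather than a domain administrator, since Test Connection only proves connectivity, not least privilege.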
