Deployment Guide: Learn how to configure Citrix Gateway to use nFactor to authenticate against a RADIUS server for MFA
Overview
How to Configure Citrix Gateway to use nFactor to authenticate against a RADIUS server for Multi Factor Authentication (MFA).
This article covers how to configure Citrix ADC Gateway to use nFactor authentication for LDAP and RADIUS-based multifactor authentication and general troubleshooting techniques.
In this article, we assume your Citrix ADC has a Citrix Gateway implementation and RADIUS and LDAP servers.
This article also recommends connecting to your RADIUS and LDAP servers via local load balancing virtual servers, and assumes those load balancers have already been created. You can learn more about creating load-balancing virtual servers here, and about configuring RADIUS persistence on a load balancer here.
RADIUS Communication Overview
The RADIUS communication flow begins with an Access-Request packet from the client, in this case the Citrix ADC. The RADIUS server validates the client and authenticates the credentials carried in the Access-Request. After validation, the RADIUS server responds with an Access-Accept, an Access-Reject, or an Access-Challenge asking the user for further details.
RADIUS servers hold a list of valid clients and a shared secret for each. A RADIUS server usually ignores requests from unknown clients, although some implementations return an authentication failure instead. The shared secret is used to encrypt (RFC 2865 calls it "hiding") the password component of the credentials in transit. When the shared secret is wrong, the server always rejects the password, because it does not decrypt to the correct value.
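The following is an added example (not from the original guide) of the exchange just described: the RFC 2865 User-Password hiding that the shared secret drives, a client-side Access-Request builder of the kind the ADC or NTRadPing sends, and the server-side check that shows why a mismatched secret can never validate a password. The user name, password, and secret values are constructed for illustration.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2   # RFC 2865 values

def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 hiding: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    # block); the first "previous block" is the Request Authenticator from the header.
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    # Server-side inverse: with a different secret the MD5 keystream differs, so the
    # recovered value is garbage and the credential check can never succeed.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", errors="replace")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value   # Type, Length, Value

def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         authenticator: bytes = None) -> bytes:
    # What the ADC (or NTRadPing) sends: Code, Identifier, Length, Authenticator, attributes.
    authenticator = authenticator or os.urandom(16)   # 16 random bytes in a real client
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_check(packet: bytes, secret: bytes, expected_password: str) -> bool:
    # What the RADIUS server does with *its* copy of the secret: walk the attributes,
    # un-hide User-Password and compare. True corresponds to an Access-Accept.
    length, authenticator, pos = int.from_bytes(packet[2:4], "big"), packet[4:20], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False                                # malformed attribute, stop parsing
        if attr_type == ATTR_USER_PASSWORD:
            hidden = packet[pos + 2:pos + attr_len]
            return reveal_password(hidden, secret, authenticator) == expected_password
        pos += attr_len
    return False
```

Calling server_check with the client's secret returns True for the right password; calling it with any other secret returns False regardless of the password, which is the failure mode the paragraph above describes.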
By default, Citrix ADC sends RADIUS authentication requests from the NSIP of the active HA node and targets a single RADIUS server.
Rather than define the NSIPs of both ADCs in an HA pair as clients on your RADIUS servers, Citrix recommends the ADC send authentication requests via a local Load Balancing virtual server. The Load Balancing virtual server also adds resilience to your setup.
When Citrix ADC sends RADIUS requests via a local Load Balancing virtual server, the requests leave the ADC via a SNIP. SNIPs are floating IP addresses and are only available on the current primary HA node.
When using a Load Balancing (LB) virtual server, the NSIPs of the primary and secondary HA nodes send their requests to a local VIP, and the LB virtual server forwards them to the RADIUS server from the HA pair's SNIP.
RADIUS Troubleshooting tools
While most RADIUS implementations are performed without issue, it can be helpful to understand the most common troubleshooting tools.
The “/tmp/aaad.debug” authentication debug pipe on the Citrix ADC
You can view authentication events on the Citrix ADC by entering the BSD shell with "shell" and then reading the aaad.debug pipe with "cat /tmp/aaad.debug".
You can find more information on “aaad.debug” here: https://support.citrix.com/article/CTX114999
NTRadPing
NTRadPing is a third-party RADIUS testing tool you can use to generate RADIUS authentication requests and watch the response. You can download NTRadPing here:
Using NTRadPing, you can send RADIUS authentication requests directly from your client to the RADIUS server and ensure that it’s fully operational. On the RADIUS server, you’ll have to define your client’s IP address and a shared secret. You’ll also need firewall rules to let your client talk to the RADIUS server.
You can also use NTRadPing to send authentication requests to the LB virtual server on the ADC, which relays them to the RADIUS server. Since these requests come from the ADC, you’ll need the same shared secret in NTRadPing as ADC. You’ll also need firewall rules to let the client talk to the ADC’s RADIUS LB virtual server.
By testing each component separately, you can isolate where a failure is occurring. Suppose you can send successful requests manually through the ADC's RADIUS LB virtual server. In that case, you know the problem lies upstream of it, for example in the RADIUS server definition on your ADC, and you can focus your efforts there.
NTRadPing consists of two files that you extract into the same directory from its compressed zip. On launch, NTRadPing prompts for:
- The RADIUS server and port
- The RADIUS secret
- A user name and password
- The Authentication request type
Depending on the test you're performing, use either the RADIUS server's IP address or that of the ADC's LB virtual server as the destination, most commonly on port 1812.
Set a RADIUS secret for your client if you're sending queries directly. If you're sending queries via the ADC's LB virtual server to imitate authentication requests from Gateway, use the same shared secret that you have configured the ADC to use.
The user name and password fields contain the credentials you expect the ADC to send to the RADIUS server on your behalf. Usually, the "password" field contains the user's MFA token value.
When you click “Send,” NTRadPing sends an authentication request from your computer to the specified destination and displays the response (typically an Access-Accept or Access-Reject).
WireShark
You can examine the RADIUS request and response inside WireShark if you take a packet trace on the Citrix ADC during the authentication process.
Wireshark is the world's foremost and most widely used network protocol analyzer. Wireshark is free and available here.
You can find Wireshark's RADIUS filters here.
You can find the steps to take a packet trace on a Citrix ADC here.
In Wireshark, you'll see an Access-Request packet followed by either an Access-Accept, Access-Reject, or Access-Challenge response. Missing responses often indicate a communication problem, such as absent firewall rules or the RADIUS server not having a client definition for the ADC.
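As an added example (not part of the original guide), here is the triage a practitioner performs on such a trace, written as code: requests and replies are paired on the (client IP, Identifier) key the way a RADIUS client pairs them, each reply's Response Authenticator is verified against the shared secret, and whatever is left unanswered is reported. The trace, IP addresses, and secrets are constructed for illustration, not taken from a real capture.

```python
import hashlib
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    # Header per RFC 2865: Code, Identifier, Length (whole packet), 16-byte Authenticator.
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret):
    # it is how the client knows the reply came from a server holding the same secret.
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def triage(trace, secret: bytes) -> dict:
    # trace: (src_ip, dst_ip, packet_bytes) tuples in capture order, i.e. what a
    # Wireshark "radius" display filter lists. Requests and replies pair up on the
    # (client IP, Identifier) key, exactly as a RADIUS client matches them.
    pending, findings = {}, {"answered": [], "unanswered": [], "bad_authenticator": [], "orphan": []}
    for src, dst, pkt in trace:
        code, ident, name = pkt[0], pkt[1], CODE_NAMES.get(pkt[0], str(pkt[0]))
        if code == 1:
            pending[(src, ident)] = pkt
            continue
        req = pending.pop((dst, ident), None)
        if req is None:
            findings["orphan"].append((ident, name))      # reply with no matching request
            continue
        expected = hashlib.md5(pkt[:4] + req[4:20] + pkt[20:] + secret).digest()
        bucket = "answered" if pkt[4:20] == expected else "bad_authenticator"
        findings[bucket].append((ident, name))
    # Anything still pending never got a reply: firewall, wrong destination, or the
    # RADIUS server has no client entry for the source IP (here, the ADC's SNIP).
    findings["unanswered"] = [(ident, src) for src, ident in pending]
    return findings

# Constructed sample trace (not a real capture): ADC SNIP 10.0.0.5 -> RADIUS LB/server 10.0.0.20.
SECRET, ADC, RADIUS = b"sharedsecret", "10.0.0.5", "10.0.0.20"
REQ1 = radius_packet(1, 1, bytes([1] * 16), b"\x01\x07alice")
REQ2 = radius_packet(1, 2, bytes([2] * 16), b"\x01\x05bob")
REQ3 = radius_packet(1, 3, bytes([3] * 16), b"\x01\x07carol")
SAMPLE_TRACE = [
    (ADC, RADIUS, REQ1), (RADIUS, ADC, build_reply(2, REQ1, SECRET)),          # healthy exchange
    (ADC, RADIUS, REQ2),                                                       # never answered
    (ADC, RADIUS, REQ3), (RADIUS, ADC, build_reply(3, REQ3, b"othersecret")),  # secret mismatch
]
```

A reply in the bad_authenticator bucket is one the ADC itself would discard, so a secret mismatch looks like a timeout from the Gateway's point of view even when the server did answer.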
GUI Instructions
Assuming that the configuration on your RADIUS servers is already complete, follow these steps to set up MFA authentication with Citrix Gateway:
Enable the Authentication, Authorization, and Auditing (AAA) feature
- If the AAA feature isn't already enabled, navigate to Security > AAA – Application Traffic, and right-click to enable the feature.
Add Authentication Servers
Select Security > AAA – Application Traffic, Policies, Authentication, Base Policies, RADIUS.
Populate details of your RADIUS server
Citrix recommends that you don't target an individual RADIUS server, but instead target your Load Balancing virtual server. As such, use your RADIUS LB's VIP as the Server IP on this page. The Secret Key must match the value configured on your RADIUS server for the ADC's SNIP.
Select Security > AAA – Application Traffic, Policies, Authentication, Base Policies, LDAP. Then, select the "Servers" tab and click "Add".
Populate details of your LDAP target
Like RADIUS, Citrix recommends that you use a local Load Balancing (LB) virtual server as the destination. As such, use the VIP of your LDAP LB virtual server as the Server IP on this page.
Add Advanced Authentication Policies
Select, Security > AAA – Application Traffic, Policies, Authentication, Advanced Policies, Policy. Then, click “Add”.
Populate the policy details as shown and then click “Create”.
Repeat the step to create another policy for RADIUS and then click “Create”.
Create a AAA virtual server
Navigate to Configuration > Security > AAA - Application Traffic > Virtual Servers.
- Enter the following information and click OK.
Click the radio button next to a certificate for the AAA Virtual Server, and then click “Select”. The chosen certificate doesn’t matter because this server isn’t directly accessible.
Click “No Authentication Policy” within “Advanced Authentication Policies”.
Click “Click to select” under the field for “Select Policy”.
Click “Click to select” under the field for “Select Next Factor”.
Enter a name for the Policy Label the ADC uses to trigger RADIUS authentication and click “Continue”.
Click “Click to select” under the field for “Select Policy”.
Click “Bind” at the bottom of the “Create Authentication Policy Label” screen.
Click “Done” at the bottom of the “Authentication Policy Label” screen.
- Click “Bind” at the bottom of the “Policy Binding” screen.
Apply a Login Schema that presents the user with a user name, password, and passcode field
Click “Login Schemas” in the right-hand side “Advanced Settings” menu.
Click “No Login Schema” to present a window to select the schema.
Select the built-in “lschema_dual_factor_builtin” policy and click “Select”.
Click “Bind” and select “Done” to exit the AAA virtual server configuration menu.
Note: The "lschema_dual_factor_builtin" policy was added in ADC 13.0 firmware. If you're using an earlier release, you need to create the login schema policy yourself. You can find instructions explaining how to create a policy here.
Configure your Gateway virtual server to use the new AAA server
Select “Citrix Gateway, Virtual Servers”, then select your Gateway virtual server and click “Edit”.
Select “Authentication Profile” in the right-hand side “Advanced Settings” menu.
Enter a name for the new authentication profile as shown, and then click "Click to select" under "Authentication Virtual Server".
Select the AAA virtual server that we created earlier and click “Select”.
Perform testing
You’re now ready to use Multi-Factor Authentication on your Citrix Gateway virtual server.
If you come across any authentication challenges, please refer to the troubleshooting section of this document.
CLI Instructions
If you prefer to configure the ADC using the CLI, the following configuration script completes all necessary steps.
# 1. Enable AAA
en ns feature aaa
# 2. Create LDAP Server (LDAP_LB_IP and PASSWORD are placeholders: use your LDAP LB VIP and bind password)
add authentication ldapAction LDAP_for_Gateway -serverIP LDAP_LB_IP -serverPort 636 -ldapBase "DC=citrix,DC=lab" -ldapBindDn readonly@citrix.lab -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -groupAttrName memberOf
# 3. Create LDAP Policy
add authentication Policy LDAP_Pol -rule true -action LDAP_for_Gateway
# 4. Create RADIUS Server (as recommended above, point -serverIP at your RADIUS LB VIP rather than an individual server)
add authentication radiusAction RADIUS_Server -serverIP 192.168.1.100 -serverPort 1812 -radKey sharedsecret
# 5. Create RADIUS Policy
add authentication Policy RADIUS_Pol -rule true -action RADIUS_Server
# 6. Create a PolicyLabel triggering the RADIUS Policy
add authentication policylabel RADIUS_PolicyLabel -loginSchema LSCHEMA_INT
bind authentication policylabel RADIUS_PolicyLabel -policyName RADIUS_Pol -priority 100
# 7. Create the AAA virtual server (non-addressable, so 0.0.0.0)
add authentication vserver nFactorAuthvServer SSL 0.0.0.0
# 8. Bind an SSL certificate to the AAA virtual server
bind ssl vserver nFactorAuthvServer -certkeyName "Example Cert"
# 9. Bind the LDAP policy and RADIUS PolicyLabel to the AAA virtual server
bind authentication vserver nFactorAuthvServer -policy LDAP_Pol -priority 100 -nextFactor RADIUS_PolicyLabel -gotoPriorityExpression NEXT
# 10. Bind the builtin Login Schema for dual factor authentication to the AAA virtual server
bind authentication vserver nFactorAuthvServer -policy lschema_dual_factor_builtin -priority 100 -gotoPriorityExpression END
# 11. Create an Authentication Profile attached to the AAA virtual server
add authentication authnProfile MFA_Authentication_Profile -authnVsName nFactorAuthvServer
# 12. Configure your existing Gateway virtual server to use the Authentication Profile
set vpn vserver "Steven Demo Gateway" -authnprofile "MFA_Authentication_Profile"