Setting Up OpenOTP With Citrix Gateway
After many, many years of recommending two-factor authentication to customers for their Citrix Gateways, I finally got round to setting it up again on my home test lab.
This section of the documentation provides the steps necessary to configure Radius Load Balancing on a Citrix NetScaler HA Pair.
As with most configurations of a NetScaler HA Pair, the configuration is only performed on the Primary Node of the pair and then replicated automatically to the Secondary Node.
Configuring Radius Load Balancing on a Citrix NetScaler consists of the following steps, which are explained in further detail in this section :-
The first part of the configuration is to create a Radius Load Balancing Monitor on the NetScaler by performing the following steps :-
For the configuration of this test environment I used the Service Account created for the SMS2 installation.
N.B. In order for this to work correctly, both Radius Servers must be configured with the same Shared Secret key.
The next part of the configuration is to create the Radius Server Load Balancing Services for the two Radius Servers by performing the following steps :-
Perform the steps above to configure a Radius Server Service for the second Radius Server.
The next part of the configuration is to create the Radius Load Balancing vServer by performing the following steps :-
o In the Rule box enter CLIENT.UDP.RADIUS.USERNAME
o Confirm that the Rule shown is CLIENT.UDP.RADIUS.USERNAME as set for the LB Method Rule
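The CLIENT.UDP.RADIUS.USERNAME rule keys the load-balancing decision on the User-Name attribute of each RADIUS datagram, so every packet for one user, including the second request of a Challenge / Response exchange that carries the State attribute, reaches the same Radius Server. The following Python is an added example written for this article, not code from the NetScaler or from WrightCCS: it parses a RADIUS packet with bounds checks, picks a back end from a hash of User-Name the way a token-based LB method does, and verifies the Response Authenticator against the shared secret, which is the check that fails when the two Radius Servers do not share the same secret (the reason for the N.B. in the monitor section). The back-end names, secret and packet contents are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import zlib

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_CHALLENGE = 11
ATTR_USER_NAME = 1
ATTR_STATE = 24
HEADER_LEN = 20

# Constructed sample back-end pool; hypothetical names, not the article's servers
RADIUS_BACKENDS = ["radius01.lab.example", "radius02.lab.example"]


def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS datagram header and its attribute-value pairs with bounds checks."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("RADIUS Length field is inconsistent with the datagram")
    attrs = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:HEADER_LEN], "attrs": attrs}


def user_name(parsed: dict):
    """Return the User-Name attribute as text, or None if the packet carries none."""
    for atype, value in parsed["attrs"]:
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8", errors="replace")
    return None


def select_backend(parsed: dict, backends=RADIUS_BACKENDS):
    """Token load balancing keyed on User-Name (the CLIENT.UDP.RADIUS.USERNAME idea):
    the hash of the user name, not the packet identifier or source port, chooses the
    server, so a challenge's follow-up request lands where the challenge was issued."""
    name = user_name(parsed)
    if name is None:
        return None
    return backends[zlib.crc32(name.encode("utf-8")) % len(backends)]


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Serialise a RADIUS packet from its code, identifier, authenticator and AVP list."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def build_response(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Build a server reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    unsigned = build_packet(code, ident, request_auth, attrs)
    digest = hashlib.md5(unsigned[:4] + request_auth + unsigned[HEADER_LEN:] + secret).digest()
    return unsigned[:4] + digest + unsigned[HEADER_LEN:]


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check a reply against the secret the load balancer holds for that service.
    A back end configured with a different secret fails this on every reply, which
    is how a RADIUS monitor ends up marking that service DOWN."""
    parsed = parse_radius(response)  # also validates the Length field
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(
        response[:4] + request_auth + response[HEADER_LEN:length] + secret
    ).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    secret = b"constructed-shared-secret"
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [(ATTR_USER_NAME, b"alice")])
    print("alice ->", select_backend(parse_radius(request)))
    reply = build_response(ACCESS_CHALLENGE, 7, req_auth, [(ATTR_STATE, b"chal-1")], secret)
    print("reply authentic:", verify_response(reply, req_auth, secret))
    print("reply with wrong secret:", verify_response(reply, req_auth, b"other-secret"))
```

The backend chosen for a given user name is stable across packets, which is the property the vServer rule provides; the Response Authenticator check is what the NetScaler's RADIUS monitor relies on, so a secret mismatch on either server shows up as that service going down rather than as a subtle authentication failure.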
The next part of the configuration is to create the Radius Authentication Server and Profile by performing the following steps :-
The next part of the configuration is to apply the newly created Radius Authentication Policy to the Access Gateway vServer by performing the following steps :-
The last part of the configuration is to save the new configuration on the NetScaler by performing the following steps :-
This section of the documentation provides the steps to install SMS2 onto the same servers as the Radius Servers built for this set of articles.
In order to install the SMS2 software the following prerequisites must be met :-
Once you have registered and downloaded the SMS2 software perform the following steps to install it :-
Configuring The AuthEngine
As part of the software installation there is some minimal configuration required for the AuthEngine, CloudSMS, and OATHCalc components. To configure the AuthEngine component perform the following steps :-
o If your AD/LDAP configuration is correct then you should see a message saying Test querying AD/LDAP server successful
o If you do not see this message re-check your AD/LDAP configuration and try again
o If your SQL configuration is correct then you should see a message saying Test SQL connection successful
o If you do not see this message re-check your SQL configuration and try again
Once you’ve completed the AuthEngine configuration you will return to the WrightCCS Configuration Screen and the message next to the Configure AuthEngine button will change to OK.
N.B. Email was not tested as part of this set of articles
Configuring CloudSMS
The next part is to configure CloudSMS by performing the following steps :-
Once you’ve completed the CloudSMS configuration you will return to the WrightCCS Configuration Screen and the message next to the Configure CloudSMS button will change to OK.
N.B. CloudSMS was not tested as part of this set of articles
Configuring OATHCalc
The next part is to configure OATHCalc by performing the following steps :-
Once you’ve completed the OATHCalc configuration you will return to the WrightCCS Configuration Screen and the message next to the Configure OATHCalc button will change to OK.
Once you have configured the AuthEngine, CloudSMS, and OATHCalc components and they are all listed as OK on the WrightCCS Configuration screen perform the following steps to complete the installation :-
SMS2 will now be installed.
SMS2 is now installed. To complete this section, perform the steps in this article on the second Radius Server.
This section of the documentation provides the steps required to prepare SQL and create the SMS2 Database.
At the time of writing, with the version of SMS2 installed, it was necessary to use an SQL Account rather than a Windows Account.
The first step is to configure SQL for Mixed Mode Authentication by performing the following steps :-
The next step is to create a new blank database for the SMS2 installation by performing the following steps :-
E.G. SMS2_DB
The last step is to create a new SQL Logon for the SMS2 implementation by performing the following steps :-
E.G. sql_sms2user
This section of the documentation provides the steps required to build and configure the two Radius Servers used for this article.
The Radius Servers used for this environment were built using the Network Policy Server Role available as part of a Windows 2008 R2 Standard Edition Server installation.
The following subsections provide the steps which were performed on both Radius Servers used in this set of articles.
The first step is to install the Network Policy and Access Control Role by performing the following steps :-
The next step is to configure the Network Policy by performing the following steps :-
The next step is to configure the two Citrix NetScalers in the HA Pair as Radius Clients by performing the following steps :-
E.G. NSVPX01
Perform the steps above to add the second Citrix NetScaler as a Radius Client, remembering to use its NSIP IP Address.
In order to build the second Radius Server in the solution perform the steps above in all three subsections.
SMS2 is a free product which uses Google Authenticator to provide Two Factor Authentication and is predominantly aimed at Citrix NetScalers.
The following pages provide the steps required to implement a Fault Tolerant Two Factor Authentication solution for a HA Pair of Citrix NetScalers and can be broken down into the following sections, which are explained further in the subsequent pages of this article :-
The test environment for this article consisted of the following :-
The Windows Servers used in this article were all built with the GUI installed and patched to the latest levels at the time of writing this article.
This article provides the steps required to disable Radius Challenge / Response on the WrightCCS SMS2 software.
The latest version of the SMS2 software available at the time of writing was Version 20130515, which appears to be configured to perform Challenge / Response by default.
To disable this and allow users to enter their PIN and Token Codes together perform the following steps :-
<AuthEngineChallengeResponse>True</AuthEngineChallengeResponse>
<AuthEngineChallengeResponse>False</AuthEngineChallengeResponse>