SMS2 4 – Configuring Citrix NetScaler Radius Load Balancing

This section of the documentation provides the steps necessary to configure Radius Load Balancing on a Citrix NetScaler HA Pair.

As with most configurations of a NetScaler HA Pair, the configuration is only performed on the Primary Node of the pair and then replicated automatically to the Secondary Node.

Configuring Radius Load Balancing on a Citrix NetScaler consists of the following steps, which are explained in further detail in this section :-

  1. Creating a Radius Load Balancing Monitor
  2. Creating the Radius Server Services
  3. Creating a Radius Load Balancing vServer
  4. Creating a Radius Authentication Server and Profile
  5. Applying the Radius Profile to the Access Gateway vServer
  6. Saving the new configuration

Creating a Radius Load Balancing Monitor

The first part of the configuration is to create a Radius Load Balancing Monitor on the NetScaler by performing the following steps :-

  • Logon to the Primary Node NetScaler Web GUI as an Administrative Account
  • Expand the Load Balancing branch in the Left Hand pane
  • Click on the Monitors branch under Load Balancing and then click on the Add button
  • When prompted enter a Name for the new Monitor
  • Click on the Special Parameters tab and set the User Name to an Account on the Active Directory Domain.

For the configuration of this test environment I used the Service Account created for the SMS2 installation.

  • Set the Password to the Password of the Active Directory Account chosen
  • Set the Radius Key to the Shared Secret Key set up on the Radius Servers

N.B. For this to work correctly, both Radius Servers must be configured with the same Shared Secret key for the NetScaler client; the monitor only sends one key.

  • Under the Response Codes section click on Add, select 3-Access-Reject from the list, and then click on Add
  • Click on OK to create the new Radius Load Balancing Monitor

Creating the Radius Server Services

The next part of the configuration is to create the Radius Server Load Balancing Services for the two Radius Servers by performing the following steps :-

  • If necessary, Expand the Load Balancing branch in the Left Hand pane
  • Click on the Services branch under Load Balancing and then click on the Add button
  • When prompted enter a Service Name for the new Service
  • Set the Server to the IP Address of the Radius Server
  • Set the Protocol to RADIUS and the Port to 1812
  • Select the newly created Radius Monitor from the list of Available Monitors and click on Add to apply it to the Service
  • Click on OK to create the new Radius Server Service

Perform the steps above to configure a Radius Server Service for the second Radius Server

Creating A Radius Load Balancing vServer

The next part of the configuration is to create the Radius Load Balancing vServer by performing the following steps :-

  • If necessary, Expand the Load Balancing branch in the Left Hand pane
  • Click on the Virtual Servers branch under Load Balancing and then click on the Add button
  • When prompted enter a Name for the new Virtual Server
  • Set the Protocol to RADIUS and the Port to 1812
  • Set the IP Address to the address required for the new Virtual Server
  • In the Services section select both of the Radius Services created in the previous section
  • Click on the Method and Persistence tab
  • Under the LB Method section change the Method to Token
      ◦ In the Rule box enter CLIENT.UDP.RADIUS.USERNAME
  • Under the Persistence section change the Persistence to RULE
      ◦ Confirm that the Rule shown is CLIENT.UDP.RADIUS.USERNAME, the same expression set for the LB Method Rule, so that all requests for a given user are sent to the same Radius Server
  • Click on Create to create the new Radius Load Balancing vServer

Creating a Radius Authentication Server and Profile

The next part of the configuration is to create the Radius Authentication Server and Profile by performing the following steps :-

  • Expand the Access Gateway branch in the Left Hand pane
  • Expand the Policies branch and then the Authentication branch
  • Click on the Radius branch and then click on the Servers tab
  • Click on the Add button and when prompted enter a Name for the Authentication Server
  • Set the IP Address to the IP Address of the Radius Load Balancing vServer created in the previous section
  • If necessary, set the Port to 1812
  • Enter the Radius Shared Secret configured on the Radius Servers for the NetScaler client in both the Secret Key and Confirm Secret Key settings
  • Click on Create to create the new Radius Authentication Server
  • Click on the Policies Tab and then click on the Add button
  • When prompted enter a Name for the new Radius Authentication Policy
  • Select the Radius Server created in the previous steps as the Server
  • Set the Expression to ns_true
  • Click on Create to create the new Radius Authentication Policy

Applying the Radius Authentication Profile to the Access Gateway vServer

The next part of the configuration is to apply the newly created Radius Authentication Policy to the Access Gateway vServer by performing the following steps :-

  • If necessary, Expand the Access Gateway branch in the Left Hand pane
  • Click on the Virtual Server branch and then open the Virtual Server you wish to apply Radius Authentication to
  • Click on the Authentication Tab and then under the Authentication Policies section click on Secondary
  • Click on the Insert Policy button and select the Radius Authentication Policy created in the previous section
  • Click on OK to apply the changes

Saving the configuration

The last part of the configuration is to save the new configuration on the NetScaler by performing the following steps :-

  • Click on the Save button and when prompted “Do you want to save the running configuration?” click on Yes
  • Once the configuration is saved and you are prompted “Configuration Saved Successfully” click on OK
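The GUI steps above map onto a short set of NetScaler CLI commands, which is the quickest way to review what was actually configured (compare against `show run` on the Primary Node). The script below is an added example, not code from the original article or from Citrix: it prints that CLI equivalent for review or pasting into an SSH session; the object names, addresses and the two placeholder credentials are constructed and must be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the original article): prints the NetScaler CLI
# equivalent of the GUI configuration in this section. Run it, review the
# output, then paste the commands into an SSH session on the Primary Node
# (HA synchronisation copies them to the Secondary). Object names, addresses
# and the two placeholder credentials below are constructed values.
ns_radius_lb_config() {
  rad1="$1"; rad2="$2"; vip="$3"; agvs="$4"; mon_user="$5"
  secret='REPLACE_WITH_SHARED_SECRET'       # must match the key on BOTH NPS servers
  mon_pass='REPLACE_WITH_MONITOR_PASSWORD'  # password of the monitor account

  # 1. Monitor: probes with a real account; reply code 3 (Access-Reject) is
  #    treated as healthy, so the probe confirms the server answers without
  #    needing a valid token code.
  echo "add lb monitor MON_RADIUS RADIUS -userName $mon_user -password $mon_pass -radKey $secret -respCode 3"

  # 2. One service per Radius Server on UDP/1812, each bound to the monitor
  echo "add service SVC_RAD01 $rad1 RADIUS 1812"
  echo "add service SVC_RAD02 $rad2 RADIUS 1812"
  echo "bind service SVC_RAD01 -monitorName MON_RADIUS"
  echo "bind service SVC_RAD02 -monitorName MON_RADIUS"

  # 3. vServer: TOKEN hashing on the RADIUS User-Name plus RULE persistence on
  #    the same expression keeps a user's requests pinned to one Radius Server
  echo "add lb vserver VS_RADIUS RADIUS $vip 1812 -lbMethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME -persistenceType RULE"
  echo "bind lb vserver VS_RADIUS SVC_RAD01"
  echo "bind lb vserver VS_RADIUS SVC_RAD02"

  # 4. Authentication server (action) points at the VIP, not at a Radius host;
  #    the policy matches every request (ns_true)
  echo "add authentication radiusAction ACT_RADIUS -serverIP $vip -serverPort 1812 -radKey $secret"
  echo "add authentication radiusPolicy POL_RADIUS ns_true ACT_RADIUS"

  # 5. Bind as the secondary authentication policy on the Access Gateway
  #    vServer, then persist the running configuration
  echo "bind vpn vserver $agvs -policy POL_RADIUS -priority 100 -secondary"
  echo "save ns config"
}

# Constructed values: two Radius Servers, the RADIUS VIP, the Access Gateway
# vServer name and the monitor account
ns_radius_lb_config 192.0.2.11 192.0.2.12 192.0.2.20 VS_ACCESSGATEWAY svc_sms2
```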

SMS2 3 – Installing SMS2

This section of the documentation provides the steps to install SMS2 on to the same servers as the Radius Servers built for this set of articles.

Pre-Requisites

In order to install the SMS2 software the following prerequisites must be met :-

  • .NET Framework 4.0 is installed on the servers
  • A Service Account has been created on the Domain
  • A blank SQL Database and an SQL User configured to allow access to the blank database

Installing The Software

Once you have registered and downloaded the SMS2 software perform the following steps to install it :-

  • Logon to the Server as an Administrative Account on the Domain
  • Execute the SMS2 installation MSI package
  • At the Welcome Screen click on Next to continue
  • When prompted, select a Custom Install and then click on Next to continue
  • Expand the components list and, if not already selected, select all three options AuthEngine, CloudSMS, and OATHCalc under Services
  • Under Clients select IAS Radius Client and then click on Next to continue
  • If necessary, change the Installation Directory by clicking on the Browse button and then click on Next to continue

Configuring The AuthEngine

As part of the software installation there is some minimal configuration required for the AuthEngine, CloudSMS, and OATHCalc components. To configure the AuthEngine component perform the following steps :-

  • When prompted to configure the AuthEngine, CloudSMS, and OATHCalc click on the AuthEngine button
  • When prompted, paste in your license key and then click on the Check License button.
  • Once the license has been verified click on OK to close the License Expiry dialog box and then click on Next to continue
  • Under the Network Bindings section change the AuthEngine Address to the IP Address of your Server
  • Under the Active Directory section change the AD/LDAP Server to the IP Address of your Domain Controller
  • Set the AD/LDAP Query Account to the Service Account created on the Domain
  • Set the AD/LDAP Password to the required password of the Service Account created on the Domain
  • Under the Domain Options section change the Default Domain Name to the FQDN of the Domain
  • Click on the Test AD/LDAP Config button and then click on OK to close the Test Results dialog box
      ◦ If your AD/LDAP configuration is correct you should see the message Test querying AD/LDAP server successful
      ◦ If you do not see this message, re-check your AD/LDAP configuration and try again

  • Click on Next to continue and move on to the SQL Configuration
  • When prompted, change the SQL Server Address to the IP Address of your SQL Server
  • Change the SQL Username to the SQL User created to access the database
  • Change the SQL Password to the Password set for the SQL User created to access the database
  • Change the Database Name to the name of the Blank Database created
  • Click on the Test Connection button and then click on OK to close the Test Results dialog box
      ◦ If your SQL configuration is correct you should see the message Test SQL connection successful
      ◦ If you do not see this message, re-check your SQL configuration and try again

  • Click on Next to continue and move on to the Email Configuration
  • When prompted, click on the Finish button to complete the AuthEngine configuration

Once you have completed the AuthEngine configuration you will return to the WrightCCS Configuration Screen and the message next to the Configure AuthEngine button will change to OK.

N.B. Email was not tested as part of this set of articles

Configuring CloudSMS

The next part is to configure CloudSMS by performing the following steps :-

  • On the WrightCCS Configuration Screen click on the Configure CloudSMS button
  • On the CloudSMS Module Parameters screen click on Finish

Once you have completed the CloudSMS configuration you will return to the WrightCCS Configuration Screen and the message next to the Configure CloudSMS button will change to OK.

N.B. CloudSMS was not tested as part of this set of articles

Configuring OATHCalc

The next part is to configure OATHCalc by performing the following steps :-

  • On the WrightCCS Configuration Screen click on the Configure OATHCalc button
  • On the OATHCalc Configuration Screen click on Finish

Once you have completed the OATHCalc configuration you will return to the WrightCCS Configuration Screen and the message next to the Configure OATHCalc button will change to OK.

Completing The Software

Once you have configured the AuthEngine, CloudSMS, and OATHCalc components and they are all listed as OK on the WrightCCS Configuration screen perform the following steps to complete the installation :-

  • Click on Next
  • At the Ready to install screen click on the Install button

SMS2 will now be installed

  • Once the installation has completed click on the Finish button

SMS2 is now installed. To complete this section, perform the steps in this article on the second RADIUS Server.

SMS2 2 – Preparing SQL And Creating The Database

Preparing SQL And Creating The Database

This section of the documentation provides the steps required to prepare SQL and create the SMS2 Database.

At the time of writing this article and the version of SMS2 installed, it was necessary to use an SQL Account rather than a Windows Account.

Configuring SQL For Mixed Mode Authentication

The first step is to configure SQL for Mixed Mode Authentication by performing the following steps :-

  • Logon to the SQL Server as an Administrative Account on the Domain
  • Open the SQL Server Management Studio and connect to the Database Engine as an Administrative Account
  • Right Click on the Server Name and select Properties
  • Click on the Security branch
  • Under the Server authentication section select SQL Server and Windows Authentication mode
  • Click on OK to close the Server Properties
  • Restart the SQL Server Service to apply the change

Creating The Database

The next step is to create a new blank database for the SMS2 installation by performing the following steps :-

  • Right Click on the Databases branch in the Left Hand Pane and select New Database
  • When prompted, enter the Database name required, e.g. SMS2_DB

  • Set any other options you require and then click on OK to create the database

Creating The SQL Logon For SMS2

The last step is to create a new SQL Logon for the SMS2 implementation by performing the following steps :-

  • In the SQL Server Management Console expand the Security branch in the Left Hand Pane
  • Right Click on the Logins option and select New Login
  • When prompted, enter the Login name required, e.g. sql_sms2user

  • Set the Default database to the SMS2 Database
  • Click on the User Mapping option in the Left Hand Pane
  • Locate the SMS2 Database and grant the new user db_owner Role Membership
  • Click on OK to create the new user

SMS2 1 – Building The Radius Servers

This section of the documentation provides the steps required to build and configure the two Radius Servers used for this article.

The Radius Servers used for this environment were built using the Network Policy Server Role available as part of a Windows 2008 R2 Standard Edition Server installation.

The following subsections provide the steps which were performed on both Radius Servers used in this set of articles.

Installing The Network Policy and Access Services Role

The first step is to install the Network Policy and Access Services Role by performing the following steps :-

  • Logon to the server as an Administrative Account in the Domain
  • Open the Server Manager and then click on Roles in the Left Hand Pane
  • Click on the Add Roles button on the Right Hand Side
  • When prompted, select the Network Policy and Access Services Role and then click on Next to continue
  • When prompted, select the Network Policy Server Role Service only and then click on Next to continue
  • When prompted, click on Install to install the new Role
  • Once completed, click on Finish and then close the Server Manager console

Configuring The Network Policy Server

The next step is to configure the Network Policy Server by performing the following steps :-

  • Open the Network Policy Server console
  • Expand the Policies branch in the Left Hand Pane
  • Click on the Network Policies section and then Double Click on the Connections to other access servers policy
  • Change the Access Permission to “Grant access. Grant access if the connection request matches this policy”
  • Click on Apply and then OK to enable the policy

Configuring The Radius Clients

The next step is to configure the two Citrix NetScalers in the HA Pair as Radius Clients by performing the following steps :-

  • Expand the RADIUS Clients and Servers branch in the Left Hand Pane
  • Right Click on the RADIUS Clients section and select New
  • When prompted, provide a Friendly Name for the Radius Client, e.g. NSVPX01

  • Configure the Address (IP or DNS) option as the NetScaler NSIP IP Address
  • Set a Manual Shared Secret and confirm this in the Confirm shared secret option
  • Click on OK to add the new Radius Client.

Perform the steps above to add the second Citrix NetScaler as a Radius Client, remembering to use its own NSIP IP Address.

In order to build the second Radius Server in the solution perform the steps above in all three subsections.

SMS2 – Introduction

SMS2 is a free product which uses the Google Authenticator to provide Two Factor Authentication and is predominantly aimed at Citrix NetScalers.

The following pages provide the steps required to implement a Fault Tolerant Two Factor Authentication solution for a HA Pair of Citrix NetScalers. The work breaks down into the following sections, which are explained further in the subsequent pages of this article :-

  1. Building The Radius Servers
  2. Preparing SQL And Creating The Database
  3. Installing SMS2
  4. Configuring Citrix NetScaler Radius Load Balancing
  5. Creating A Test User

Test Environment

The test environment for this article consisted of the following :-

  • W2K8DOM01 – Domain Controller
  • W2K8SQL01 – SQL Server
  • W2K8RAD01 – Radius Server
  • W2K8RAD02 – Radius Server
  • NSVPX01 – Citrix NetScaler (HA Pair Primary)
  • NSVPX02 – Citrix NetScaler (HA Pair Secondary)
  • W2K8Domain.Local – Windows 2012 Active Directory Domain

The Windows Servers used in this article were all built with the GUI installed and patched to the latest levels at the time of writing this article.

SMS2 – Disabling Radius Challenge / Response

This article provides the steps required to disable Radius Challenge / Response on the WrightCCS SMS2 software.

The latest version of the SMS2 software available at the time of writing was Version 20130515, which appears to be configured to perform Challenge / Response by default.

To disable this and allow users to enter their PIN and Token Codes together perform the following steps :-

  • Logon to the SMS2 server as an Administrative account
  • Navigate to the SMS2 Settings folder, C:\Program Files\WrightCCS\Settings, in Windows Explorer
  • Edit the settings file Configuration.xml
  • Search the file for the line below :-

<AuthEngineChallengeResponse>True</AuthEngineChallengeResponse>

  • Modify the line above, changing the value from True to False as shown below :-

<AuthEngineChallengeResponse>False</AuthEngineChallengeResponse>

  • Save and Exit the file
  • Restart the Wright AuthEngine Service