
Installation Documentation
NetScaler Integrated nFactor OTP Authentication


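#REM NetScaler nFactor native OTP: LDAP password as the first factor, then a second factor that
#REM either registers an OTP device (manageotp flow) or verifies the OTP stored in the user's AD
#REM attribute. Edit every placeholder flagged with "Substitute" before running this as a batch.
#REM Lines marked NOTE(review) are caveats, not commands.
enable ns feature AAA
#REM AAA feature requires advanced or enterprise license

#Create LDAP Authentication Server and Policies
#REM Substitute your own Domain Controller IP address for what appears here as 192.168.1.10
#REM Substitute your own LDAP Base for what appears here as dc=mycorp,dc=com with for example dc=domain,dc=local
#REM Substitute your own LDAP Authentication account for what appears here as ldapserviceacct@mycorp.com (This is an Active Directory User service account that has a password that never expires)
#REM Substitute your own domain user password for what appears here as Password987!
#REM NOTE(review): the bind password appears in clear text in this listing and in the CLI history of whoever pastes it; keep the batch file out of shared storage and rotate the account password after setup.
#REM NOTE(review): the register flow below writes the OTP secret into the AD attribute named by -OTPSecret, so the bind account needs write access to that one attribute - grant that and nothing broader (no Domain Admins).
#REM NOTE(review): -secType SSL on port 636 encrypts the LDAP session, but on its own it does not make the appliance validate the Domain Controller's certificate; check whether your firmware offers server certificate validation for ldapAction (e.g. -validateServerCert with a bound CA certificate) and enable it, otherwise a spoofed DC could harvest bind and user passwords.
#REM NOTE(review): the OTP seed lives in the userParameters attribute of each user; anyone who can read that attribute can mint valid OTPs. Restrict read access to it in AD and, if your firmware supports encrypting the stored secret, turn that on (confirm the exact parameter for your release).
add authentication ldapAction LDAP_OTP -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -Attribute2 userParameters
#REM The two actions below have -authentication DISABLED: they do not check the password again, they only register (set) or check (verify) the OTP secret after the first factor has passed.
add authentication ldapAction LDAP_OTP_set_no_auth -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
#REM The searchFilter "userParameters>=#@" limits the verify action to users that already have an OTP secret registered.
add authentication ldapAction LDAP_OTP_verify_no_auth -serverIP 192.168.1.10 -serverPort 636 -ldapBase "dc=mycorp,dc=com" -ldapBindDn ldapserviceacct@mycorp.com -ldapBindDnPassword Password987! -ldapLoginName sAMAccountName -searchFilter "userParameters>=#@" -groupAttrName memberOf -subAttributeName cn -secType SSL -authentication DISABLED -OTPSecret UserParameters
#For enhanced security create a Security Group in Active Directory named CitrixUsersExternal, add the user accounts you want to permit to access Citrix remotely, and apply it as a search filter. Optional - remove the leading # to use it:
#set authentication ldapAction LDAP_OTP_set_no_auth -searchFilter "memberOf=CN=CitrixUsersExternal,OU=Groups,DC=mycorp,DC=com"
#REM NOTE(review): as written that filter only gates OTP registration (LDAP_OTP_set_no_auth). To gate login itself apply the same filter to LDAP_OTP as well; on LDAP_OTP_verify_no_auth it must be combined with the existing userParameters>=#@ filter (an "&" filter), because -searchFilter replaces rather than adds.
add authentication Policy LDAP_OTP_Pol -rule true -action LDAP_OTP
#REM The manageotp cookie is set when the user opens the /manageotp page; that selects the register action instead of the verify action.
add authentication Policy LDAP_OTP_Manage_Pol -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_OTP_set_no_auth
add authentication Policy LDAP_OTP_Confirm_Pol -rule true -action LDAP_OTP_verify_no_auth

#Create Login Schemas
#REM DualAuth.xml collects password and OTP on one form; -passwordCredentialIndex 1 exposes the password as AAA.USER.ATTRIBUTE(1) for the SSO traffic policy below.
add authentication loginSchema Dual_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1 -SSOCredentials YES
add authentication loginSchema Single_Manage_OTP-lschema -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchemaPolicy Single_Manage_OTP-lschemapol -rule "http.req.cookie.value(\"NSC_TASS\").eq(\"manageotp\")" -action Single_Manage_OTP-lschema
add authentication loginSchemaPolicy Dual_OTP-lschemapol -rule true -action Dual_OTP-lschema

#Create Policy Labels
#REM Second factor: try the manage (register) policy first, then the verify policy.
add authentication policylabel OTP_pollabel -loginSchema LSCHEMA_INT
bind authentication policylabel OTP_pollabel -policyName LDAP_OTP_Manage_Pol -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel OTP_pollabel -policyName LDAP_OTP_Confirm_Pol -priority 110 -gotoPriorityExpression NEXT
#REM NOTE(review): the register path is reached after the LDAP password factor alone, and LDAP_OTP_set_no_auth has -authentication DISABLED, so anyone holding a user's AD password can enrol their own OTP device and defeat the second factor. Treat /manageotp as sensitive: expose it only from trusted networks, or require an existing OTP (or another factor) before registration, and alert on new registrations.

#Create OTP Virtual Server
#REM 0.0.0.0 makes this a non-addressable AAA vserver; it is only reached through the authnProfile bound below.
add authentication vserver OTP_AUTH_VSERVER SSL 0.0.0.0
#REM Substitute your own certificate-key pair name for what appears here as SSL
bind ssl vserver OTP_AUTH_VSERVER -certkeyName SSL

#Bind Policies
bind authentication vserver OTP_AUTH_VSERVER -portaltheme RfWebUI
bind authentication vserver OTP_AUTH_VSERVER -policy Single_Manage_OTP-lschemapol -priority 100 -gotoPriorityExpression END
bind authentication vserver OTP_AUTH_VSERVER -policy Dual_OTP-lschemapol -priority 110 -gotoPriorityExpression END
#REM First factor; on success continue into the OTP policy label.
bind authentication vserver OTP_AUTH_VSERVER -policy LDAP_OTP_Pol -priority 100 -nextFactor OTP_pollabel -gotoPriorityExpression NEXT

#Traffic Policy
#REM Passes the password captured at credential index 1 to StoreFront for SSO (the OTP is not forwarded).
#REM Substitute your own Gateway virtual server name for what appears here as VirtualServer
add vpn trafficAction OTP-trafficprofile http -passwdExpression "AAA.USER.ATTRIBUTE(1)"
add vpn trafficPolicy OTP-trafficpol true OTP-trafficprofile
bind vpn vserver VirtualServer -policy OTP-trafficpol -priority 100 -gotoPriorityExpression END -type REQUEST

#Authentication Policy
add authentication authnProfile OTP-authnprofile -authnVsName OTP_AUTH_VSERVER

#Update VPN Virtual Server Authentication
#REM Substitute the name of the classic LDAP policy currently bound to your Gateway for what appears here as LDAP_Pol; leaving it bound would bypass nFactor.
unbind vpn vserver VirtualServer -policy LDAP_Pol
set vpn vserver VirtualServer -authnProfile OTP-authnprofile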