Introduction
The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication with Citrix Netscaler 12.
Prerequisites & general issues
Requirements
A Mideye Server (any release). If there is a firewall between the Citrix Netscaler and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). Citrix Netscaler acts as a RADIUS client towards the Mideye Server. Hence, the Citrix Netscaler must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Reference Guide for information on how to define a new RADIUS client.
Password-change using MS-CHAP-v2
Since Citrix Netscaler supports MS-CHAP-v2 as authentication protocol, users whose password is about to expire can change it when logging on to the Citrix Netscaler portal. To enable this feature, Mideye Server release 4.3.0 or higher is required. For detailed instructions on how to enable password management, see the section Enable MS-CHAP-V2.
Prerequisites
This guide does not explain how to create a new login portal. Refer to the Citrix documentation on how to set up your Netscaler correctly.
Add a RADIUS-Server in WebGUI and CLI
The following steps describe how to create a new RADIUS server on your Netscaler, how to apply a RADIUS policy, and how to bind the policy to a Virtual Gateway. At the bottom of this section, the CLI commands that perform the same configuration as the webGUI steps are listed.
Add a RADIUS server.
- Navigate to NetScaler Gateway > Policies > Authentication > RADIUS
- Select Server tab and click Add.
- Name the RADIUS server: Mideye_RADIUS
- Specify the IP address of the Mideye Server.
- Use the port: 1812
- Enter the secret key specified when you added the NetScalers as RADIUS clients on the Mideye server.
- Time-Out (seconds): 35
- Click More.
- Password Encoding, choose PAP or MS-CHAP-v2 depending on your environment.
- Accounting: “OFF”.
- Authentication Server Retry: 1.
- Click Test Connection.
- If the test succeeds, click Create.
Create a RADIUS Policy
- Navigate to NetScaler Gateway > Policies > Authentication > RADIUS.
- Select Policies tab and click Add.
- Name the RADIUS policy.
- Select the RADIUS server created earlier. (Mideye_RADIUS)
- Enter a suitable expression, e.g. ns_true
- Click Create.
Bind policy to virtual gateway
- Navigate to NetScaler Gateway > Virtual Servers
- Select the Virtual Server where users log in and click Edit.
- Scroll down to Basic Authentication and press + to add a RADIUS policy.
- Choose Policy: RADIUS and Type: Primary.
- Select the RADIUS policy created and bind it to the server.
Configure in CLI
CLI – Add a radius server.
add authentication radiusaction Mideye_RADIUS -serverip 172.16.0.100 \
-serverport 1812 -authtimeout 35 -radkey SUPER_SECRET_PW \
-radNASip DISABLED -authservRetry 1 -passEncoding pap
CLI – Create a RADIUS Policy
add authentication radiusPolicy Mideye_RADIUS_pol "ns_true" Mideye_RADIUS
CLI – Bind policy to Virtual Gateway
bind vpn vserver my_virtual_loginpoint -policy Mideye_RADIUS_pol -priority 101
Load balancing from WebGUI and CLI
This section describes how to add multiple Mideye servers behind one Netscaler. At the bottom of this section, the CLI commands that perform the same configuration as the webGUI steps are listed.
Enable Load balancing
- Navigate to System > Settings, Configure Basic Features.
- Select Load Balancing and click “OK”.
Create a server object
At least one server object must be added for each Mideye RADIUS server.
- Navigate to Traffic Management > Load Balancing > Servers
- Click Add and specify the information for your Mideye servers.
- Name*: Mideye_Server1
- IPAddress: 172.16.0.100
- Click Create, and add as many Mideye servers as needed.
Create a Load Balancing Service
For each server object added in the section above, create a service.
- Navigate to Traffic Management > Load Balancing > Services
- Click Add and specify the information for the service.
- Service Name: Mideye_Server1_svc
- Click Existing Server and select the previously created server object.
- Protocol: RADIUS
- Port: 1812
- Click Done.
Add a Monitor to the Load Balancing service
This monitor checks whether a service is up. It logs on to the Mideye Server with a test user and checks which RADIUS response code the Mideye Server returns. Neither of these checks covers the communication between the Mideye Server and the Mideye Switch.
- Access Accept (0): The test user has access to the authenticated RADIUS server.
- Access Reject (1): The test user exists but is rejected by the RADIUS server.
- Access Reject (3): Internal error, the account does not exist, or the password is wrong.
- Navigate to Traffic Management > Load Balancing > Monitors
- Click Add to create a monitor. (Set Interval and Timeout as preferred.)
- Name: Mideye_RADIUS
- Type: Radius
- Destination IP: 0 (the IP is taken from the bound service)
- Destination Port: 0 (the port is taken from the bound service)
- Retries: 1
- Select the Special Parameters Tab
- Remove Response code 2, which is the default.
- Add response code 3.
- Add a fake user name. (It will show up in the Mideye Server logs.)
- Add a fake password.
- Add the shared secret for the RADIUS client that the monitor should test. This must also be configured on the Mideye Server, since the monitor is a real RADIUS client logging on to the server.
- Click Create to add the monitor.
Bind a monitor to a load balancing service
- Navigate to Traffic Management > Load Balancing > Services
- Click the previously created service and edit it.
- Go to the bottom of the page and add a Monitor.
- Remove the ping-default monitor binding.
- Add the Mideye_RADIUS monitor and click Close.
- Click Done; the services are now ready.
- When the monitors are up and RADIUS traffic is reaching the Mideye Server, both service states should be UP.
The Mideye Server log shows the monitor probes:
User: 'fake_user', NAS ID: 'Netscaler', State: 'null', Session ID: '12'
Performing user authentication for user: fake_user, on NAS ID: Netscaler
Code: '9019', Msg: 'Invalid user or password.'
Could not find user 'fake_user'
Unsuccessful authentication
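The check the monitor performs, as an added stand-alone example (not Mideye or Citrix code): it sends a PAP Access-Request for a fake user to a Mideye Server and, like the monitor configured above, treats an Access-Reject (code 3) as UP. The server address, shared secret and the user name fake_user are assumed placeholders; the reply is also checked against its Response Authenticator, so a reply that was not built with the shared secret is not counted.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password per RFC 2865 5.2: pad to 16-byte blocks, XOR with MD5(secret+prev)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator):
    """Access-Request carrying User-Name (type 1) and hidden User-Password (type 2)."""
    attrs = b""
    for atype, value in ((1, user.encode()), (2, pap_encrypt(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Reply as a RADIUS server builds it; used to construct sample replies offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_code(pkt, ident, request_authenticator, secret):
    """Reply code if the packet answers our request and its Response Authenticator
    was made with the shared secret (a spoofed reply must not mark a server UP), else None."""
    if len(pkt) < 20 or pkt[1] != ident or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + request_authenticator + pkt[20:] + secret).digest()
    return pkt[0] if pkt[4:20] == expected else None

def probe(server, secret, user="fake_user", password="secret", port=1812, timeout=5.0, ident=12):
    """Monitor logic from the guide: the service is UP when the reply is Access-Reject (3)."""
    authenticator = os.urandom(16)  # Request Authenticator: 16 fresh random bytes per request
    req = build_access_request(ident, user, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))  # server/secret are placeholders for a real Mideye Server
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return response_code(reply, ident, authenticator, secret) == ACCESS_REJECT
```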
GUI – Creating a virtual server.
- Navigate to Traffic Management > Load Balancing > Virtual Servers
- Click Add to create a virtual server.
- Name: Mideye_LB_vsrv
- Protocol: RADIUS
- IP Address Type: IP Address
- IP Address: (the virtual IP of the load balancer)
- Port: 1812
GUI – Binding Services to the Virtual Server
- Navigate to Traffic Management > Load Balancing > Virtual Servers
- Edit the Virtual server you want to bind services to.
- Click on Load Balancing Virtual Server Service Binding.
- Bind the two Mideye load balancing services created earlier.
Add persistence setting so each server request goes to the same service.
- Set the rule to be bound to SOURCEIP.
- Click OK and Done. Refresh the Virtual Servers page; State and Services should be marked green.
Adding the LB RADIUS server.
Add the load balancing virtual server as a RADIUS server on the Netscaler, as described in Add a RADIUS server above, and then bind it to a Virtual Gateway.
Configure in CLI
CLI – Enable Load balancing
> enable ns feature LoadBalancing
CLI – Create a server object
> add server [name] [IPAddress | domain]
example:
> add server Mideye_Server1 52.174.122.65
> add server Mideye_Server2 13.93.2.199
CLI – Create a Load Balancing Service
> add service [name] [ServerName] [ServiceType] [port]
example:
> add service Mideye_Server1_svc Mideye_Server1 RADIUS 1812
> add service Mideye_Server2_svc Mideye_Server2 RADIUS 1812
CLI – Add a Monitor to the Load Balancing service
See the official Citrix documentation for the full syntax: https://docs.citrix.com/ja-jp/netscaler/11/reference/netscaler-command-reference/lb/lb-monitor.html. The example must be entered as a single line in the Netscaler CLI.
example:
> add lb monitor Mideye_RADIUS2 RADIUS -respCode 3 -userName fake_user -password secret -encrypted -encryptmethod ENCMTHD_3 -radKey 12345678 -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -retries 1
CLI – Bind a Monitor to a Load Balancing service
> bind service Mideye_Server1_svc -monitorName Mideye_RADIUS
> bind service Mideye_Server2_svc -monitorName Mideye_RADIUS
CLI – Creating a virtual server
> add lb vserver [name] [serviceType] [ip] [port]
example:
> add lb vserver Mideye_LB_vsrv RADIUS 172.16.3.199 1812 -persistenceType SOURCEIP -cltTimeout 120
CLI – Bind Service to Virtual Server
> bind lb vserver [name] [serviceName]
example:
> bind lb vserver Mideye_LB_vsrv Mideye_Server1_svc
> bind lb vserver Mideye_LB_vsrv Mideye_Server2_svc
CLI – Verify configuration
> show server [serverName]
Add Drop-Down for multiple domain logons
- Navigate to AppExpert > Rewrite > Rewrite > Actions
- Add a rewrite action that inserts the domains that should appear in the drop-down list:
- Type: INSERT_HTTP_HEADER
- Header Name: Set-Cookie
- Expression: "userDomains=Domain1,Domain2,Domain3;path=/;Secure"
- Navigate to AppExpert > Rewrite > Rewrite > Policies
- Add the information needed as shown in the example below:
- Name: Insert_domain_dropdown_policy
- Action: Select previously created action
- Expression: HTTP.REQ.URL.CONTAINS("/vpn/index.html")
Add policy to Netscaler Gateway Virtual Server
- Navigate to NetScaler Gateway > NetScaler Gateway Virtual Servers.
- Edit the Virtual Server you want to add the drop-down to.
- Scroll down to Policies and press + sign to bind a policy.
- Click Continue.
- Select the dropdown policy created earlier.
- Click on Bind.
- Scroll to the end of the page and click Done.
- Make sure to save the recent changes.
Connect a RADIUS policy to a drop-down domain.
- Navigate to NetScaler Gateway > Policies > Authentication > Radius
- Select the RADIUS Policy that is used for Domain1
- Change the expression to match the domain name created earlier: REQ.HTTP.HEADER Cookie CONTAINS Domain1
Now the RADIUS policy will only trigger if the HTTP Cookie header contains Domain1, which it does when the user has selected Domain1 from the drop-down menu.
Note: If the names overlap, the policies can collide. For example, if the domains in the drop-down are named Contoso, Contoso_internal and Contoso_External, the policy that looks for Contoso will trigger on all three choices, because all three names contain Contoso. Use domain names that are not substrings of one another.