Citrix Netscaler 12

Introduction

The purpose of this guide is to provide guidelines on how to integrate Mideye two-factor authentication with Citrix Netscaler 12.

Prerequisites & general issues

Requirements

A Mideye Server (any release). If there is a firewall between the Citrix Netscaler and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). Citrix Netscaler acts as a RADIUS client towards the Mideye Server. Hence, the Citrix Netscaler must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Reference Guide for information on how to define a new RADIUS client.

Password-change using MS-CHAP-v2

Since Citrix Netscaler supports MS-CHAP-v2 as authentication protocol, users whose password is about to expire can change their password when logging on to the Citrix Netscaler portal. To enable this feature, Mideye Server release 4.3.0 or higher is required. For detailed instructions on how to enable password management, see section Enable MS-CHAP-V2.

Prerequisites

This guide will not explain how to create a new login portal. Refer to the Citrix documentation on how to set up your Netscaler properly.

Add a RADIUS-Server in WebGUI and CLI

The following steps describe how to create a new RADIUS server on your Netscaler, how to apply a RADIUS policy, and how to bind the policy to a Virtual Gateway. At the bottom of this section, the CLI commands that perform the same configuration as the web GUI are listed.

Add a RADIUS server.

  • Navigate to NetScaler Gateway > Policies > Authentication > RADIUS
Configuration menu

  • Select Server tab and click Add.
Add a RADIUS-server

Configure settings.

  • Name the RADIUS server: Mideye_RADIUS
  • Specify the IP address of the Mideye Server.
  • Use the port: 1812
  • Enter the secret key specified when you added the NetScalers as RADIUS clients on the Mideye server.
  • Time-Out (seconds): 35
  • Click more.
  • Password Encoding: choose PAP or MS-CHAP-v2 depending on your environment.
  • Accounting: OFF.
  • Authentication Server Retry: 1.
  • Click Test Connection.
  • If the test succeeds, click Create.

Create a RADIUS Policy

  • Navigate to NetScaler Gateway > Policies > Authentication > RADIUS.
Create a RADIUS policy

  • Select Policies tab and click Add.
Add a policy

  • Name the RADIUS policy.
  • Select the RADIUS server created earlier (Mideye_RADIUS).
  • Enter a suitable expression, e.g. ns_true.
  • Click Create.
Give the policy a name, choose RADIUS server and add a suitable expression

Bind policy to virtual gateway

  • Navigate to NetScaler Gateway > Virtual Servers
Navigate to virtual server

  • Select the Virtual Server where users log in and click Edit.
Select virtual server

  • Scroll down to basic authentication and press + to add RADIUS policy.
Basic authentication

  • Choose policy (RADIUS) and Type Primary.
Choose type

  • Select the RADIUS policy created and bind it to the server.
Select policy

Configure in CLI

CLI – Add a radius server.

add authentication radiusaction Mideye_RADIUS -serverip 172.16.0.100 \
-serverport 1812 -authtimeout 35 -radkey SUPER_SECRET_PW \
-radNASip DISABLED -authservRetry 1 -passEncoding pap

CLI – Create a RADIUS Policy

add authentication radiusPolicy Mideye_RADIUS_pol "ns_true" Mideye_RADIUS

CLI – Bind policy to Virtual Gateway

bind vpn vserver my_virtual_loginpoint -policy Mideye_RADIUS_pol -priority 101

Load balancing from WebGUI and CLI

This section describes how to add multiple Mideye servers behind one Netscaler. At the bottom of this section, all CLI-commands are available that will perform the same configuration as from the webGUI.

Enable Load balancing

  • Navigate to System > Settings, Configure Basic Features.
Navigate to Basic Features

  • Select Load Balancing and click “OK”.
Enable load balancing

Create a server object

At least one server object must be added for each Mideye RADIUS server.

  • Navigate to Traffic Management > Load Balancing > Servers
Add Radius Server

  • Click Add and specify the information for your Mideye servers.
    • Name*: Mideye_Server1
    • IPAddress: 172.16.0.100
  • Click Create and add as many Mideye servers as preferred.
Server configuration

Create a Load Balancing Service

For each server object added in the section above, you need to create a service.

  • Navigate to Traffic Management > Load Balancing > Services
Specify information for service

  • Click Add and specify the information for the service.
    • Service Name: Mideye_Server1_svc
    • Click Existing Server and select previously created object
    • Protocol: RADIUS
    • Port: 1812
  • Click Done.
Finalize the service

Add a Monitor to the Load Balancing service

This monitor checks whether a service is up or not. It logs on to the Mideye Server with a test user and checks which response code the Mideye Server returns. Note that these checks do not cover the Mideye Server -> Mideye Switch communication.

  • Access Accept (0): The test user has access to the authenticated RADIUS server.
  • Access Reject (1): The test user exists but is rejected by the RADIUS server.
  • Access Reject (3): Internal error, account does not exist, or wrong password.

  • Navigate to Traffic Management > Load Balancing > Monitors
Add a monitor

  • Click Add to create a monitor. (Set Interval and Timeout as preferred.)
    • Name: Mideye_RADIUS
    • Type: RADIUS
    • Destination IP: 0 (this means it takes the IP from the bound service)
    • Destination port: 0 (this means it takes the port from the bound service)
    • Retries: 1
  • Select the Special Parameters tab.
    • Remove response code 2, which is the default.
    • Add response code 3.
    • Add a fake user name. (This will show up in the Mideye Server logs.)
    • Add a fake password.
    • Add a shared secret for the RADIUS client that the monitor should test. This needs to be added to the Mideye Server as well, since the monitor is a real RADIUS client that tries to log on to the server.
  • Click Create to add the monitor.
Create monitor

Bind a monitor to a load balancing service

  • Navigate to Traffic Management > Load Balancing > Services
Bind monitor to service

  • Click the previously created service and edit it.
  • Go to the bottom of the page and add a Monitor.
Add the monitor

  • Remove the ping-default monitor binding
Remove ping monitor

  • Add Mideye_RADIUS monitor and click close.
  • Click done and services are ready.
Add monitor

  • When the monitors are up and RADIUS traffic is reaching the Mideye Server, both service states should be UP.
Verify that State is up

The Mideye Server log shows the monitor's login attempts:

User: 'fake_user', NAS ID: 'Netscaler', State: 'null', Session ID: '12'
Performing user authentication for user: fake_user, on NAS ID: Netscaler
Code: '9019', Msg: 'Invalid user or password.'
Could not find user 'fake_user'
Unsuccessful authentication
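
The monitor's check, as an added Python example that is not part of this guide and not Mideye's or Citrix's code: it builds the same kind of Access-Request (PAP, RFC 2865) for a fake user, verifies the Response Authenticator of the reply with the shared secret, and reports UP only when the server answers with the configured response code 3 (Access-Reject). The shared secret, user name and reply packets are constructed sample values; the __main__ part runs offline against a constructed reply, while probe() sends a real UDP request if you point it at a Mideye Server.

```python
# Added example (not code from this guide or from Mideye/Citrix): a RADIUS health probe
# that mirrors what the NetScaler RADIUS monitor does with a fake user and response code 3.
import hashlib
import os
import socket
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Attribute types used in the request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def _attr(atype, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(ident, secret, username, password, nas_id=b"Netscaler", authenticator=None):
    """Access-Request as the monitor sends it; returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Constructed server reply carrying a valid Response Authenticator (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def classify_reply(reply, ident, request_authenticator, secret, expected_codes=(ACCESS_REJECT,)):
    """The monitor's decision: authenticate the reply first, then compare its code with the
    configured response codes (this guide configures code 3 only)."""
    if len(reply) < 20:
        return "DOWN: short packet"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return "DOWN: identifier/length mismatch"
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + request_authenticator + attrs + secret).digest()
    if reply[4:20] != expected:
        return "DOWN: bad Response Authenticator (shared secret mismatch?)"
    if code in expected_codes:
        return "UP"
    return f"DOWN: unexpected code {code}"


def probe(host, secret, username=b"fake_user", password=b"secret", port=1812, timeout=5.0):
    """Send one Access-Request over UDP and classify the answer; no answer is DOWN as well."""
    ident = os.urandom(1)[0]
    packet, auth = build_access_request(ident, secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "DOWN: no reply (firewall or UDP 1812 blocked?)"
    return classify_reply(reply, ident, auth, secret)


if __name__ == "__main__":
    # Offline demonstration with constructed replies instead of a live Mideye Server.
    secret = b"12345678"
    ident = 7
    packet, auth = build_access_request(ident, secret, b"fake_user", b"secret")
    print(classify_reply(build_reply(ACCESS_REJECT, ident, auth, secret), ident, auth, secret))
    print(classify_reply(build_reply(ACCESS_ACCEPT, ident, auth, secret), ident, auth, secret))
    print(classify_reply(build_reply(ACCESS_REJECT, ident, auth, b"other"), ident, auth, secret))
```

A wrong shared secret, a blocked UDP port and an unexpected Access-Accept all count as DOWN. That is also why the default response code 2 is removed from the monitor: a fake user must never be accepted, so an Access-Accept is a failure signal, not a sign of health.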

GUI – Creating a virtual server.

  • Navigate to Traffic Management > Load Balancing > Virtual Servers
Create a virtual Server

  • Click add to create a Virtual server.
    • Name: Mideye_LB_vsrv
    • Protocol: RADIUS
    • IP Address Type*: IP IPAddress
    • IP Address* :
    • Port: 1812
Add a virtual Server

GUI – Binding Services to the Virtual Server

  • Navigate to Traffic Management > Load Balancing > Virtual Servers
  • Edit the Virtual server you want to bind services to.
Edit the virtual Server

  • Click on Load Balancing Virtual Server Service Binding.
Loadbalance the virtual server

  • Bind the two Mideye LoadBalancing Services.
Bind the two services

Add a persistence setting so that each server request goes to the same service.

Make the server requests persistent

  • Set the rule to be bound to SOURCEIP.
Change persistence to "SOURCEIP"

  • Click OK and Done. Refresh the Virtual Servers page; State and Services should be marked green.

Adding the LB RADIUS server.

Add the load-balancing virtual server as a RADIUS server in the Netscaler (see Add a RADIUS server above), then bind it to a Virtual Gateway.

Configure in CLI

CLI – Enable Load balancing

> enable ns feature LoadBalancing

CLI – Create a server object

> add server [name] [IPAddress | domain]

example:

> add server Mideye_Server1 52.174.122.65

> add server Mideye_Server2 13.93.2.199

CLI – Create a Load Balancing Service

> add service [name] [ServerName] [ServiceType] [port]

example:

> add service Mideye_Server1_svc Mideye_Server1 RADIUS 1812
> add service Mideye_Server2_svc Mideye_Server2 RADIUS 1812

CLI – Add a Monitor to the Load Balancing service

See the official Citrix documentation for the full syntax: https://docs.citrix.com/ja-jp/netscaler/11/reference/netscaler-command-reference/lb/lb-monitor.html. The example must be entered on one line in the Netscaler CLI.

example:

> add lb monitor Mideye_RADIUS RADIUS -respCode 3 -userName fake_user -password secret -radKey 12345678 -LRTM DISABLED -retries 1

CLI – Bind a Monitor to a Load Balancing service

> bind service Mideye_Server1_svc -monitorName Mideye_RADIUS
> bind service Mideye_Server2_svc -monitorName Mideye_RADIUS

CLI – Creating a virtual server

> add lb vserver [name] [serviceType] [ip] [port]

example:

> add lb vserver Mideye_LB_vsrv RADIUS 172.16.3.199 1812 -persistenceType SOURCEIP -cltTimeout 120

CLI – Bind Service to Virtual Server

> bind lb vserver [name] [serviceName]

example:

> bind lb vserver Mideye_LB_vsrv Mideye_Server1_svc
> bind lb vserver Mideye_LB_vsrv Mideye_Server2_svc

CLI – Verify configuration

> show server [serverName]

Add Drop-Down for multiple domain logons

  • Navigate to AppExpert > Rewrite > Rewrite > Actions
  • Add the domains that should be in the drop down list.
    • Type: INSERT_HTTP_HEADER
    • Header Name: Set-Cookie
    • Expression: "userDomains=Domain1,Domain2,Domain3;path=/;Secure"
Add domain

  • Navigate to AppExpert > Rewrite > Rewrite > Policies
  • Add the information needed as shown in the example below:
    • Name: Insert_domain_dropdown_policy
    • Action: Select previously created action
    • Expression: HTTP.REQ.URL.CONTAINS("/vpn/index.html")
Add policy

Add policy to Netscaler Gateway Virtual Server

  • Navigate to NetScaler Gateway > NetScaler Gateway Virtual Servers.
  • Edit the Virtual Server you want to add dropdown to.
  • Scroll down to Policies and press + sign to bind a policy.
Add the policy to Netscaler Gateway

  • Click Continue.
  • Select the dropdown policy created earlier.
Bind the policy

  • Click on Bind.
  • Scroll to the end of the page and click on done.
  • Make sure to save the recent changes.

Connect a RADIUS policy to a drop-down domain.

  • Navigate to NetScaler Gateway > Policies > Authentication > Radius
  • Select the RADIUS Policy that is used for Domain1
    • Change the expression to match the domain name created earlier: REQ.HTTP.HEADER Cookie CONTAINS Domain1
Connect the policy

Now the RADIUS policy will only trigger if the HTTP Cookie header contains Domain1, which is the case when the user has selected Domain1 from the drop-down menu.

Note: if the names overlap, the policies can collide. Example: if the domains in the drop-down are named Contoso, Contoso_internal and Contoso_External, the policy that looks for Contoso will trigger on all three choices, because all three contain Contoso in the name.
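
The collision described in the note, as an added Python example that is not part of this guide: it evaluates three policies against a constructed Cookie request header the way a substring test (CONTAINS) does and the way an exact comparison of one cookie value does, and returns the policy that wins in priority order. The cookie name selectedDomain, the header contents and the priority numbers are assumptions made for the illustration, not values taken from the NetScaler login page.

```python
# Added example, not code from this guide or from Citrix/Mideye. The cookie name
# "selectedDomain", the header contents and the priorities are constructed for the illustration.

# Policies as (priority, domain name the policy looks for); the lowest number is evaluated first.
POLICIES = [(100, "Contoso"), (110, "Contoso_internal"), (120, "Contoso_External")]
SELECTION_COOKIE = "selectedDomain"  # hypothetical cookie carrying the drop-down choice


def build_cookie_header(selected):
    """Constructed Cookie request header for a user who chose `selected` in the drop-down."""
    return f"lang=en; {SELECTION_COOKIE}={selected}"


def parse_cookie_header(header):
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def matches_contains(header, domain):
    """REQ.HTTP.HEADER Cookie CONTAINS <domain>: a plain substring test on the raw header."""
    return domain in header


def matches_exact(header, domain):
    """Stricter check: the whole value of the selection cookie must equal the domain name."""
    return parse_cookie_header(header).get(SELECTION_COOKIE) == domain


def matching_policies(header, matcher, policies=POLICIES):
    """All policies that would fire for this header, in priority order."""
    return [domain for _, domain in sorted(policies) if matcher(header, domain)]


def selected_policy(header, matcher, policies=POLICIES):
    """The policy that actually wins: the first match in priority order, or None."""
    hits = matching_policies(header, matcher, policies)
    return hits[0] if hits else None


if __name__ == "__main__":
    for choice in ("Contoso", "Contoso_internal", "Contoso_External"):
        header = build_cookie_header(choice)
        print(f"{choice:17} CONTAINS -> {selected_policy(header, matches_contains)}"
              f"  exact -> {selected_policy(header, matches_exact)}")
```

With the substring test, the Contoso policy has the lowest priority number and wins for every choice, so a user who picked Contoso_internal would be authenticated by the RADIUS server bound to the Contoso policy. Only an exact comparison of the selected value routes each choice to its own policy, which is the check to prefer when domain names share a prefix.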