Deployment Guide: Learn how to configure NetScaler Gateway to use nFactor to authenticate against a RADIUS server for MFA
December 2, 2021
Author: Steven Wright
Overview
How to Configure NetScaler Gateway to use nFactor to authenticate against a RADIUS server for Multi Factor Authentication (MFA).
This article covers how to configure NetScaler ADC Gateway to use nFactor authentication for LDAP and RADIUS-based multifactor authentication and general troubleshooting techniques.
In this article, we assume your NetScaler ADC has a NetScaler Gateway implementation and RADIUS and LDAP servers.
This article also recommends connecting to your RADIUS and LDAP servers via local load balancing virtual servers, and assumes the load balancers have already been created. You can learn more about creating load-balancing virtual servers here and about configuring RADIUS persistence on a load balancer here.
RADIUS Communication Overview
The RADIUS communication flow begins with an Access-Request packet from the client, in this case the NetScaler ADC. The RADIUS server validates the client and authenticate the credentials received within the Access-Request. After validation, the RADIUS server responds with an Access-Accept, Reject, or a Challenge asking for further details from the user.
RADIUS servers have a list of valid clients and a shared secret for each. A RADIUS server usually ignore requests from invalid clients, but some implementations return authentication failures. The shared secret encrypts the password component of the credentials. When the shared secret is wrong, the server always rejects passwords because they don’t decrypt to the correct value.
By default, NetScaler ADC sends RADIUS authentication requests from the NSIP of the active HA node and targets a single RADIUS server.
Rather than define the NSIPs of both ADCs in an HA pair as clients on your RADIUS servers, NetScaler recommends the ADC send authentication requests via a local Load Balancing virtual server. The Load Balancing virtual server also adds resilience to your setup.
When NetScaler ADC sends RADIUS requests via a local Load Balancing virtual server, the requests leave the ADC via a SNIP. SNIPs are floating IP addresses and are only available on the current primary HA node.
When using a Load Balancing (LB) virtual server, the NSIPs of the primary and secondary HA nodes make a request to a local VIP. The LB VIP sends to the RADIUS server using the HA pair’s SNIP.
RADIUS Troubleshooting tools
While most RADIUS implementations are performed without, it can be helpful to understand the most common troubleshooting tools.
The “/tmp/aaad.debug” authentication debug pipe on the NetScaler ADC
You can view authentication events on the NetScaler ADC by entering the BSH shell with “shell” and then viewing the aaad.debug pipe with “cat /tmp/aaad.debug”.
You can find more information on “aaad.debug” here: https://support.citrix.com/article/CTX114999
NTRadPing
NTRadPing is a third-party RADIUS testing tool you can use to generate RADIUS authentication requests and watch the response. You can download NTRadPing here:
Using NTRadPing, you can send RADIUS authentication requests directly from your client to the RADIUS server and ensure that it’s fully operational. On the RADIUS server, you’ll have to define your client’s IP address and a shared secret. You’ll also need firewall rules to let your client talk to the RADIUS server.
You can also use NTRadPing to send authentication requests to the LB virtual server on the ADC, which relays them to the RADIUS server. Since these requests come from the ADC, you’ll need the same shared secret in NTRadPing as ADC. You’ll also need firewall rules to let the client talk to the ADC’s RADIUS LB virtual server.
By testing each component separately, the test will isolate where a failure is occurring. Suppose you can send successful requests manually using the ADC’s RADIUS. In that case, you know the problem is with something before that, like the RADIUS server definition on your ADC, and you can focus your efforts.
NTRadPing consists of two files that you extract into the same directory from its compressed zip. On launch, NTRadPing prompts for:
- The RADIUS server and port
- The RADIUS secret
- A user name and password
- The Authentication request type
Depending on the test you’re performing, you’ll use the RADIUS server IP address or that of the ADC’s LB virtual server as the destination. Most commonly, on port 1812.
Set a RADIUS secret for your client if you’re sending queries directly. If you’re sending queries via the ADC’s LB virtual server to imitate authentication requests from Gateway, use the same shared secret as you have configured the ADC to use. The user name and password fields contain the credentials you expect the ADC to send to the RADIUS server on your behalf. Usually, the “password” field contains the user’s MFA token value.
When you click “Send,” NTRadPing sends an authentication request from your computer to the specified destination and displays the response (typically an Access-Accept or Access-Reject).
WireShark
You can examine the RADIUS request and response inside WireShark if you take a packet trace on the NetScaler ADC during the authentication process.
WireShark is the world’s foremost and widely used network protocol analyzer. WireShark is free and available without here.
You can find WireShark’s RADIUS filter’s here.
You can find the steps to take a packet trace on a NetScaler ADC here.
In WireShark, you’ll see an Access-Request packet followed by either an Access-Accept, Access-Reject, or Access-Challenge response. Missing responses often indicate a communication problem such as absent firewall rules or the RADIUS server not having a definition for the client.
GUI Instructions
Assuming that the configuration on your RADIUS servers is already complete, follow the following steps for the MFA authentication with NetScaler Gateway:
Enable the Authentication, Authorization, and Auditing (AAA) feature
- If the AAA feature isn’t already enabled, navigate to, Security > AAA – Application Traffic, and right-click to enable the feature.
Add Authentication Servers
- Select Security > AAA – Application Traffic, Policies, Authentication, Base Policies, RADIUS.
- Select the Servers tab and then click “Add”.
- Populate details of your RADIUS server
NetScaler recommends you don’t target an individual RADIUS server, but instead, target your Load Balancing virtual server. As such, use your RADIUS LB’s VIP as the Server IP in this page. The Secret Key must match the value on your RADIUS server for the ADC’s SNIP.
- Select Security > AAA – Application Traffic, Policies, Authentication, Base Policies, LDAP. Then, select the “Servers” tab and click “Add”.
- Populate details of your LDAP target
Like RADIUS, NetScaler recommends that you use a local Load Balancing (LB) virtual server as the destination. As such, use the VIP of your LDAP LB virtual server as the Server IP on this page.
Add Advanced Authentication Policies
- Select, Security > AAA – Application Traffic, Policies, Authentication, Advanced Policies, Policy. Then, click “Add”.
- Populate the policy details as shown and then click “Create”.
- Repeat the step to create another policy for RADIUS and then click “Create”.
Create a AAA virtual server
- Navigate to Configuration > Security > AAA - Application Traffic > Virtual Servers.
- Click “Add” to create an authentication virtual server.
- Enter the following information and click OK.
- Under Certificate, select “No Server Certificate”.
- Click “Click to select” to select the server certificate
- Click the radio button next to a certificate for the AAA Virtual Server, and then click “Select”. The chosen certificate doesn’t matter because this server isn’t directly accessible.
- Click “Bind”.
- Click “Continue” to close the Certificate section.
- Click “No Authentication Policy” within “Advanced Authentication Policies”.
- Click “Click to select” under the field for “Select Policy”.
- Select the “LDAP_Pol” policy and click “Select”.
- Click “Click to select” under the field for “Select Next Factor”.
- Click “Add” within “Authentication Policy Labels”.
- Enter a name for the Policy Label the ADC uses to trigger RADIUS authentication and click “Continue”.
- Click “Click to select” under the field for “Select Policy”.
- Select the “RADIUS_Pol” policy and click “Select”.
- Click “Bind” at the bottom of the “Create Authentication Policy Label” screen.
- Click “Done” at the bottom of the “Authentication Policy Label” screen.
- Click “Select”.
- Click “Bind” at the bottom of the “Policy Binding” screen.
Recommended Comments
There are no comments to display.
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now