    Richard Faulkner

    Deployment Guide: Learn how to configure NetScaler Gateway to use nFactor to authenticate against a RADIUS server for MFA

    December 2, 2021

     

    Continued on Part 2

    Author:  Steven Wright

    Overview

    How to Configure NetScaler Gateway to use nFactor to authenticate against a RADIUS server for Multi Factor Authentication (MFA).

    This article covers how to configure NetScaler ADC Gateway to use nFactor authentication for LDAP and RADIUS-based multifactor authentication and general troubleshooting techniques.

    In this article, we assume your NetScaler ADC has a NetScaler Gateway implementation and RADIUS and LDAP servers.

    This article also recommends connecting to your RADIUS and LDAP servers via local load balancing virtual servers, and assumes the load balancers have already been created. You can learn more about creating load-balancing virtual servers here and about configuring RADIUS persistence on a load balancer here.

    RADIUS Communication Overview

    The RADIUS communication flow begins with an Access-Request packet from the client, in this case the NetScaler ADC. The RADIUS server validates the client and authenticates the credentials received within the Access-Request. After validation, the RADIUS server responds with an Access-Accept, an Access-Reject, or an Access-Challenge asking for further details from the user.


    RADIUS servers have a list of valid clients and a shared secret for each. A RADIUS server usually ignores requests from invalid clients, but some implementations return authentication failures. The shared secret encrypts the password component of the credentials. When the shared secret is wrong, the server always rejects passwords because they don’t decrypt to the correct value.
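    The paragraph above says a wrong shared secret makes every password fail. The reason is the way RFC 2865 hides the User-Password attribute: the password is XORed, 16 bytes at a time, with MD5(secret + previous block), seeded by the packet's Request Authenticator. The block below is an added example written for this article (not NetScaler or Citrix code) that implements that hiding and its reverse, so you can see that the correct secret round-trips the password while a wrong secret yields garbage, which the server then compares against the stored credential and rejects. The secret, password and Request Authenticator values are constructed for the example.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a RADIUS User-Password as described in RFC 2865 section 5.2.

    The password is padded with NULs to a multiple of 16 bytes, then each
    16-byte block is XORed with MD5(secret + previous ciphertext block).
    The first "previous block" is the 16-byte Request Authenticator that
    the client placed in the Access-Request header.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(block, key))
        out += cipher
        prev = cipher  # chaining: next key depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse hide_password(). This is what the RADIUS server does before
    comparing the result with the user's stored credential."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a multiple of 16 bytes")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block  # the server chains on the received ciphertext block
    return bytes(out).rstrip(b"\x00")


def secret_mismatch_demo() -> dict:
    """Show the effect of a matching versus a mismatching shared secret.

    All values here are constructed for the example; a real client picks a
    fresh random Request Authenticator for every Access-Request.
    """
    request_authenticator = bytes(range(16))
    password = b"123456"  # in an MFA flow this is usually the token value
    hidden = hide_password(password, b"adc-shared-secret", request_authenticator)
    return {
        "hidden_len": len(hidden),
        "correct_secret": reveal_password(hidden, b"adc-shared-secret", request_authenticator),
        "wrong_secret": reveal_password(hidden, b"typo-secret", request_authenticator),
    }


if __name__ == "__main__":
    result = secret_mismatch_demo()
    print("hidden attribute length:", result["hidden_len"])
    print("revealed with correct secret:", result["correct_secret"])
    print("revealed with wrong secret:  ", result["wrong_secret"])
```

    A 6-byte password becomes a 16-byte hidden attribute, and a 20-byte one becomes 32 bytes, which is why a packet trace never shows the password length directly. Note that this scheme only obfuscates the password; it is not strong encryption, which is one reason the article keeps RADIUS traffic on the local network between the ADC's SNIP and the RADIUS server.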

    By default, NetScaler ADC sends RADIUS authentication requests from the NSIP of the active HA node and targets a single RADIUS server.


    Rather than define the NSIPs of both ADCs in an HA pair as clients on your RADIUS servers, NetScaler recommends the ADC send authentication requests via a local Load Balancing virtual server. The Load Balancing virtual server also adds resilience to your setup.

    When NetScaler ADC sends RADIUS requests via a local Load Balancing virtual server, the requests leave the ADC via a SNIP. SNIPs are floating IP addresses and are only available on the current primary HA node.

    When using a Load Balancing (LB) virtual server, the NSIPs of the primary and secondary HA nodes make a request to a local VIP. The LB VIP sends to the RADIUS server using the HA pair’s SNIP.


    RADIUS Troubleshooting tools

    While most RADIUS implementations are completed without issue, it can be helpful to understand the most common troubleshooting tools.

    The “/tmp/aaad.debug” authentication debug pipe on the NetScaler ADC

    You can view authentication events on the NetScaler ADC by entering the BSD shell with “shell” and then viewing the aaad.debug pipe with “cat /tmp/aaad.debug”.

    You can find more information on “aaad.debug” here: https://support.citrix.com/article/CTX114999

    NTRadPing

    NTRadPing is a third-party RADIUS testing tool you can use to generate RADIUS authentication requests and watch the response. You can download NTRadPing here:

    Using NTRadPing, you can send RADIUS authentication requests directly from your client to the RADIUS server and ensure that it’s fully operational. On the RADIUS server, you’ll have to define your client’s IP address and a shared secret. You’ll also need firewall rules to let your client talk to the RADIUS server.

    You can also use NTRadPing to send authentication requests to the LB virtual server on the ADC, which relays them to the RADIUS server. Since these requests reach the RADIUS server from the ADC, you’ll need the same shared secret in NTRadPing as the ADC uses. You’ll also need firewall rules to let the client talk to the ADC’s RADIUS LB virtual server.

    By testing each component separately, you isolate where a failure is occurring. Suppose you can send successful requests manually via the ADC’s RADIUS LB virtual server. In that case, you know the problem lies earlier in the chain, such as the RADIUS server definition on your ADC, and you can focus your efforts there.


    NTRadPing consists of two files that you extract into the same directory from its compressed zip. On launch, NTRadPing prompts for:

    • The RADIUS server and port
    • The RADIUS secret
    • A user name and password
    • The Authentication request type

    RADIUS_ntradping_image

    Depending on the test you’re performing, you’ll use the RADIUS server IP address or that of the ADC’s LB virtual server as the destination, most commonly on port 1812.

    Set a RADIUS secret for your client if you’re sending queries directly. If you’re sending queries via the ADC’s LB virtual server to imitate authentication requests from Gateway, use the same shared secret as you have configured the ADC to use. The user name and password fields contain the credentials you expect the ADC to send to the RADIUS server on your behalf. Usually, the “password” field contains the user’s MFA token value.

    When you click “Send,” NTRadPing sends an authentication request from your computer to the specified destination and displays the response (typically an Access-Accept or Access-Reject).

    RADIUS_ntradping_accept_image

    WireShark

    You can examine the RADIUS request and response inside WireShark if you take a packet trace on the NetScaler ADC during the authentication process.

    WireShark is the world’s foremost and most widely used network protocol analyzer. WireShark is free and available without charge here.

    You can find WireShark’s RADIUS filters here.

    You can find the steps to take a packet trace on a NetScaler ADC here.

    In WireShark, you’ll see an Access-Request packet followed by either an Access-Accept, Access-Reject, or Access-Challenge response. Missing responses often indicate a communication problem such as absent firewall rules or the RADIUS server not having a definition for the client.
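    What Wireshark decodes for you in the paragraph above is a 20-byte header (Code, Identifier, Length, Authenticator) followed by type-length-value attributes. The block below is an added example written for this article (not NetScaler, Citrix or Wireshark code) that parses a RADIUS packet, names the response code, and verifies the Response Authenticator, which the server computes as MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret). It also classifies the three outcomes the article describes: a named response, a malformed packet, and no response at all, which usually points at a firewall rule or a missing client definition rather than at the credentials. The packets, Request Authenticator and secret are constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RADIUS packet codes from RFC 2865 (only the ones seen in an auth flow)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE = 18  # attribute type: text the server wants shown to the user


def parse_packet(data: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(data) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("Length field inconsistent with received bytes")
    attributes = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attributes.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {
        "code": code,
        "name": CODES.get(code, f"Unknown({code})"),
        "id": ident,
        "authenticator": data[4:20],
        "attributes": attributes,
    }


def response_authenticator_valid(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Check that a response was produced by a server holding our shared secret
    and that it answers the request whose Request Authenticator we supply."""
    pkt = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes, attributes) -> bytes:
    """Construct a server response (used here only to create sample packets)."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attributes)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + authenticator + body


def classify(response: Optional[bytes], request_authenticator: bytes, secret: bytes) -> str:
    """Turn a captured response (or a timeout, passed as None) into a diagnosis."""
    if response is None:
        return "no response: check firewall rules and the client definition on the RADIUS server"
    try:
        pkt = parse_packet(response)
    except ValueError as exc:
        return f"malformed packet: {exc}"
    if not response_authenticator_valid(response, request_authenticator, secret):
        return f"{pkt['name']} with bad Response Authenticator: shared secret mismatch or spoofed reply"
    messages = [v.decode("utf-8", "replace") for t, v in pkt["attributes"] if t == REPLY_MESSAGE]
    return pkt["name"] + (f" ({'; '.join(messages)})" if messages else "")


if __name__ == "__main__":
    # Constructed sample: a Request Authenticator the client would have sent.
    req_auth = bytes.fromhex("00112233445566778899aabbccddeeff")
    secret = b"adc-shared-secret"
    accept = build_response(2, 7, req_auth, secret, [(REPLY_MESSAGE, b"Welcome")])
    challenge = build_response(11, 8, req_auth, secret, [(REPLY_MESSAGE, b"Enter token")])
    print(classify(accept, req_auth, secret))
    print(classify(challenge, req_auth, secret))
    print(classify(accept, req_auth, b"typo-secret"))
    print(classify(None, req_auth, secret))
```

    The Response Authenticator check is the part a packet trace alone cannot give you: Wireshark can only flag it if you enter the shared secret in the RADIUS protocol preferences, so an Access-Reject that carries a bad authenticator is a strong hint that the secret configured on the ADC and the one on the RADIUS server differ.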

    GUI Instructions

    Assuming that the configuration on your RADIUS servers is already complete, follow these steps to set up MFA authentication with NetScaler Gateway:

    Enable the Authentication, Authorization, and Auditing (AAA) feature

    1. If the AAA feature isn’t already enabled, navigate to Security > AAA – Application Traffic, and right-click to enable the feature.

      Enable_AAA_image

    Add Authentication Servers

    1. Select Security > AAA – Application Traffic, Policies, Authentication, Base Policies, RADIUS.

      Navigate_to_RADIUS_server_image

       

    2. Select the Servers tab and then click “Add”.

      Navigate_to_RADIUS_server_image

       

    3. Populate details of your RADIUS server

       

      NetScaler recommends you don’t target an individual RADIUS server, but instead, target your Load Balancing virtual server. As such, use your RADIUS LB’s VIP as the Server IP in this page. The Secret Key must match the value on your RADIUS server for the ADC’s SNIP.

      Enable_AAA_image

       

    4. Select Security > AAA – Application Traffic, Policies, Authentication, Base Policies, LDAP. Then, select the “Servers” tab and click “Add”.

      LDAP_server_image

       

    5. Populate details of your LDAP target

      Like RADIUS, NetScaler recommends that you use a local Load Balancing (LB) virtual server as the destination. As such, use the VIP of your LDAP LB virtual server as the Server IP on this page.

      RADIUS_server_details1_image

      RADIUS_server_details2_image

       

    Add Advanced Authentication Policies

    1. Select, Security > AAA – Application Traffic, Policies, Authentication, Advanced Policies, Policy. Then, click “Add”.

      RADIUS_select_advanced_image

       

    2. Populate the policy details as shown and then click “Create”.

      RADIUS_server_details_image

       

    3. Repeat the step to create another policy for RADIUS and then click “Create”.

      LDAP_auth_pol_image

       

    Create a AAA virtual server

    1. Navigate to Configuration > Security > AAA - Application Traffic > Virtual Servers.

      RADIUS_auth_pol_image

       

    2. Click “Add” to create an authentication virtual server.

      AAA_virtual server_add_image

       

    3. Enter the following information and click OK.
      • Name - Name for the AAA virtual server.
      • IP address Type - Change the IP address Type to Non-Addressable as this virtual server is used only for NetScaler Gateway.

        AAA_virtual server_details_image

    4. Under Certificate, select “No Server Certificate”.

      AAA_virtual server_cert1_image

       

    5. Click “Click to select” to select the server certificate.

      AAA_cert_binding_image

       

    6. Click the radio button next to a certificate for the AAA Virtual Server, and then click “Select”. The chosen certificate doesn’t matter because this server isn’t directly accessible.

      AAA_cert_binding2_image

       

    7. Click “Bind”.

      AAA_cert_binding3_image

       

    8. Click “Continue” to close the Certificate section.

      AAA_cert_binding4_image

       

    9. Click “No Authentication Policy” within “Advanced Authentication Policies”.

      AAA_virtual server_auth_image

       

    10. Click “Click to select” under the field for “Select Policy”.

      AAA_virtual server_auth2_image

       

    11. Select the “LDAP_Pol” policy and click “Select”.

      AAA_virtual server_auth3_image

       

    12. Click “Click to select” under the field for “Select Next Factor”.

      AAA_virtual server_auth4_image

       

    13. Click “Add” within “Authentication Policy Labels”.

      AAA_virtual server_auth5_image

       

    14. Enter a name for the Policy Label the ADC uses to trigger RADIUS authentication and click “Continue”.

      AAA_virtual server_create_pol_image

       

    15. Click “Click to select” under the field for “Select Policy”.

      AAA_virtual server_pols1_image

       

    16. Select the “RADIUS_Pol” policy and click “Select”.

      AAA_virtual server_pols2_image

       

    17. Click “Bind” at the bottom of the “Create Authentication Policy Label” screen.

      AAA_virtual server_create_pol_image

       

    18. Click “Done” at the bottom of the “Authentication Policy Label” screen.

      AAA_virtual server_radius_pol1_image

       

    19. Click “Select”.

      AAA_virtual server_radius_pol2_image

       

    20. Click “Bind” at the bottom of the “Policy Binding” screen.

      AAA_virtual server_pollab_image

    Continued on Part 2

     

