
RoundTower Blog

How to Deploy Two-Factor Authentication Using DUO on NetScaler

Now that two-factor authentication is becoming the norm in many organizations, I decided to deploy 2FA in my home lab. There are many 2FA products out there, like RSA, Microsoft RADIUS, DUO, OKTA and the like. I decided to go with DUO. DUO is full featured for enterprise deployments, and it has a free version for SEs like myself who want to learn the technology. Below you will find the steps I took to configure DUO in my lab. I already had a working NetScaler that front-ends my Citrix XenApp v7.15 LTSR environment, so the steps below concentrate on adding the DUO 2FA authentication piece only.

NetScaler and DUO configuration

DUO 2 Factor Authentication

Reference Articles: 

https://www.mycugc.org/blog/configuring-duo-integration-with-netscaler

https://duo.com/docs/citrix_netscaler-alt

http://www.carlstalhood.com/netscaler-gateway-12-radius-authentication/

Configure the Proxy

  • Note: Remember to only open authproxy.cfg with WordPad or Notepad++. Regular Notepad has been known to corrupt the file by putting in unrecognizable carriage returns.
  • Build out the authproxy.cfg configuration file as shown below.


; authproxy.cfg - Duo Authentication Proxy. Lines starting with ";" are comments.

[ad_client]
; Primary authentication: the proxy checks the user's AD password against this DC.
host=x.x.x.x
; Type in the service account name and password here. A read-only account is enough;
; Duo also supports storing an encrypted value via the bundled authproxy_passwd tool.
service_account_username=duo_service
service_account_password=
search_dn=OU=Users,OU=Home,DC=Domain,DC=com

[radius_server_iframe]
type=citrix_netscaler
; Put in the Integration key (ikey) and Secret key (skey) from the DUO ADMIN portal.
; The skey is a credential: restrict read access to this file accordingly.
ikey=xxxxxxxxxxxxx
skey=xxxxxxxxxxxxx
api_host=api-9c3aeb2c.duosecurity.com
; failmode=safe: if the Duo cloud is unreachable, a correct AD password alone logs the
; user in (second factor skipped). failmode=secure fails closed and rejects logins instead.
failmode=safe
client=ad_client
; radius_ip_1 is the RADIUS *client* allowed to talk to this proxy, i.e. the IP the
; NetScaler sends RADIUS requests from. radius_secret_1 is the shared secret you will
; enter again when creating the RADIUS server object on the NetScaler.
radius_ip_1=x.x.x.x
radius_secret_1=secretkey1234
port=1812

[radius_server_auto]
; Put in the same ikey and skey from the DUO ADMIN portal here.
ikey=xxxxxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxx
api_host=api-9c3aeb2c.duosecurity.com
failmode=safe
client=ad_client
; Put in the IP address of the RADIUS client (the NetScaler), not of a RADIUS server.
radius_ip_1=x.x.x.x
radius_secret_1=secretkey1234
; Each [radius_server_*] section must listen on its own UDP port.
port=18120


Configure the primary and secondary authentication policies on the NetScaler

  • Keep in mind, on the policy sections you need to account for traffic coming into the NetScaler from a web browser as well as Citrix receiver.

Navigate to NetScaler Gateway/Policies/Authentication/LDAP

  • Create an LDAP server
  • Click on the Servers tab
  • Fill out the fields shown below. If you have an SSL certificate on your domain controllers, change the Security Type to SSL and the port to 636. This is definitely a best practice, since plain LDAP on 389 sends the bind and user passwords in the clear.

 Configure Authentication LDAP Server

  • Create a Radius server


Navigate to NetScaler Gateway/Policies/Authentication/RADIUS

  • Click on the Servers Tab
  • Click Add

Authentication Servers 

  • Choose server type RADIUS
  • Name the server(s)
  • Enter the secret key specified when you added the NetScaler as a RADIUS client on the RADIUS server (radius_secret_1 in authproxy.cfg).
  • Test Connection
  • Scroll down and click Create.

Create Authentication RADIUS Server

Configure Authentication RADIUS Server 

  • Now create another RADIUS server for Receiver traffic.

Create Authentication RADIUS Server 

Configure Authentication RADIUS Server 

  • Keep in mind: on the DUO CitrixReceiver server, you check the "Send Calling Station ID" checkbox. It is NOT checked on the DUO Citrix Web server.

Create authentication policies for both LDAP, if not already configured, and RADIUS

  • Click on the Policy tab and create two LDAP policies, one for Web access and the other for Receiver access, similar to the screenshots below.
  • Click on the Policy tab and create two RADIUS policies, one for Web access and the other for Receiver access, similar to the screenshots below.
  • The only difference between the two policies is the Operator field. In the Web policy for both LDAP and RADIUS the Operator is NOTCONTAINS, whereas the Receiver policy uses CONTAINS.

 Add Expression


LDAP Settings

RADIUS Settings


Bind the Two-factor policies to Gateway

  • Now you need to bind all four policies under Authentication on your NetScaler Gateway virtual server
  • On the Primary Authentication you bind the following:
    • LDAP Web policy
    • Radius Receiver policy
  • On the Secondary Authentication you bind the following:
    • LDAP Receiver policy
    • Radius Web policy

VPN Virtual Server Settings 

  • The session policy/profile for Citrix Receiver needs to be adjusted to indicate which credential field contains the Active Directory password. On the Client Experience tab is the Credentials Index; this needs to be changed to Secondary for Receiver, because Receiver traffic does RADIUS (DUO) first and LDAP second. Leave the session policy for Web browsers set to Primary.
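The same objects built through the GUI in the steps above, expressed as NetScaler classic CLI commands. This is an added example, not commands from the original post: the object names (LDAP_Srv, RADIUS_Web, gw_vs, the session profile names), the proxy IP placeholder y.y.y.y, the User-Agent/CitrixReceiver expression (the usual way to tell Receiver from browser traffic; the post's screenshots of the expression are not reproduced here), and the mapping of the browser server to the proxy's port 1812 and the Receiver server to 18120 are assumptions.

```nscli
# Assumed placeholders: domain controller x.x.x.x, Duo proxy y.y.y.y, gateway vserver gw_vs.

# LDAP server (the AD password check). SSL on 636 as the post recommends.
add authentication ldapAction LDAP_Srv -serverIP x.x.x.x -serverPort 636 -secType SSL -ldapBase "OU=Users,OU=Home,DC=Domain,DC=com" -ldapBindDn "duo_service@domain.com" -ldapBindDnPassword <bind-password> -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName CN

# Two RADIUS servers pointing at the Duo proxy, one per listening port in authproxy.cfg.
# A Duo push can take a while to approve, so the RADIUS timeout is raised to 60 seconds.
# Calling-Station-Id is enabled only on the Receiver server, as the post says.
add authentication radiusAction RADIUS_Web      -serverIP y.y.y.y -serverPort 1812  -radKey secretkey1234 -authTimeout 60 -callingstationid DISABLED
add authentication radiusAction RADIUS_Receiver -serverIP y.y.y.y -serverPort 18120 -radKey secretkey1234 -authTimeout 60 -callingstationid ENABLED

# Four policies, identical apart from the operator: NOTCONTAINS = browser, CONTAINS = Receiver.
add authentication ldapPolicy   LDAP_Web_pol        "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" LDAP_Srv
add authentication ldapPolicy   LDAP_Receiver_pol   "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"    LDAP_Srv
add authentication radiusPolicy RADIUS_Web_pol      "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RADIUS_Web
add authentication radiusPolicy RADIUS_Receiver_pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"    RADIUS_Receiver

# Bindings: browsers do LDAP as primary and RADIUS as secondary; Receiver does the reverse.
bind vpn vserver gw_vs -policy LDAP_Web_pol        -priority 100
bind vpn vserver gw_vs -policy RADIUS_Receiver_pol -priority 110
bind vpn vserver gw_vs -policy LDAP_Receiver_pol   -priority 100 -secondary
bind vpn vserver gw_vs -policy RADIUS_Web_pol      -priority 110 -secondary

# Session profiles: for Receiver the AD password is now the secondary credential.
set vpn sessionAction Receiver_prof -ssoCredential SECONDARY
set vpn sessionAction Web_prof      -ssoCredential PRIMARY

# Confirm the four policy bindings and their primary/secondary placement.
show vpn vserver gw_vs
```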

 Single Sign-on to Web Applications


  • On the StoreFront server, when creating the NetScaler Gateway object, change the Logon type to Domain and security token.

 Edit NetScaler Gateway App


  • Note: you will get a second password field as a result of the 2FA configuration. Leave that field blank. The DUO site has options to hide the second password field, but I didn’t want to mess with the NetScaler’s CSS themes (which isn’t supported).

 Unified Gateway login

  • After entering your domain credentials, the DUO prompt will appear. I have the DUO app installed on my iPhone, so I always just use "Send Me a Push".

NetScaler Gateway 


  • This is a screenshot from my phone. The DUO app automatically launches for a login request and I simply select the green checkmark to send approval back to the NetScaler.

Login Request Screen
