Now that two-factor authentication is becoming the norm in many organizations, I decided to deploy 2FA in my home lab. There are many 2FA products out there like RSA, Microsoft RADIUS, DUO, OKTA and the like. I decided to go with DUO. DUO is full featured for enterprise deployments and it has a free version for SEs like myself who want to learn the technology. Below you will find the steps I took to configure DUO in my lab. I already had a working NetScaler that front-ends my Citrix XenApp v7.15 LTSR environment, so the steps below concentrate on adding the DUO 2FA authentication piece only.
NetScaler and DUO configuration
DUO 2 Factor Authentication
- Set up a DUO account https://admin.duosecurity.com/login?next=%2F
- Log into DUO Admin Panel and navigate to Applications
- Click Protect an Application and locate Citrix NetScaler
- Install the Duo Authentication Proxy (the Duo RADIUS server) on a Windows server on your LAN https://duo.com/docs/citrix_netscaler-alt#install-the-duo-authentication-proxy
- I installed the RADIUS server software on my domain controller.
Configure the Proxy
- Note: Remember to only open the authproxy.cfg with WordPad or Notepad++. Regular Notepad has been known to corrupt the file by putting in unrecognizable carriage returns.
- Build out the Authproxy config file.
    service_account_username=duo_service   (type in the service account name here)
    service_account_password=              (type in the service account password here)
    ikey=xxxxxxxxxxxxx                     (put in the integration key (ikey) from the DUO Admin Panel here)
    skey=xxxxxxxxxxxxx                     (put in the secret key (skey) from the DUO Admin Panel here)
    ikey=xxxxxxxxxxxxxxxxxx                (put in the integration key (ikey) from the DUO Admin Panel here)
    skey=xxxxxxxxxxxxxxxxxx                (put in the secret key (skey) from the DUO Admin Panel here)
    radius_ip_1=x.x.x.x                    (put in the IP address of your RADIUS client, i.e. the NetScaler)
Configure the primary and secondary authentication policies on the NetScaler
- Keep in mind, in the policy sections you need to account for traffic coming into the NetScaler from a web browser as well as from Citrix Receiver.
Navigate to NetScaler Gateway/Policies/Authentication/LDAP
- Create an LDAP server
- Click on the Servers tab
- Fill out the fields below. If you have an SSL cert on your domain controllers, then change the security type to SSL and the port to 636 so the bind credentials and user passwords are not sent in clear text between the NetScaler and the domain controller. This is definitely a best practice.
- Create a Radius server
Navigate to NetScaler Gateway/Policies/Authentication/RADIUS
- Click on the Servers Tab
- Click Add
- Choose server type RADIUS
- Name the Server(s)
- Enter the shared secret you specified when you added the NetScaler as a RADIUS client on the RADIUS server (the Duo Authentication Proxy).
- Test Connection
- Scroll down and click create.
- Now create another RADIUS server for Receiver traffic.
- Keep in mind, on the DUO CitrixReceiver server you check the Send Calling Station ID checkbox. It is NOT checked on the DUO Citrix Web server.
Create authentication policies for both LDAP, if not already configured, and RADIUS
- Click on the Policy tab and create two LDAP policies, one for Web access and the other for Receiver access, similar to below
- Click on the Policy tab and create two RADIUS policies, one for Web access and the other for Receiver access, similar to below
- The only difference between the two policies is the Operator field. In the Web policy, for both LDAP and RADIUS, the Operator will be NOTCONTAINS, whereas the Receiver policy will say CONTAINS.
Bind the Two-factor policies to Gateway
- Now you need to bind all four authentication policies to your NetScaler Gateway virtual server
- On the Primary Authentication you bind the following:
  - LDAP Web policy
  - RADIUS Receiver policy
- On the Secondary Authentication you bind the following:
  - LDAP Receiver policy
  - RADIUS Web policy
- The Session policy/profile for Citrix Receiver needs to be adjusted to indicate which field contains the Active Directory password. On the Client Experience tab is the Credential Index. This needs to be changed to Secondary, because for Receiver traffic the LDAP (domain) password is collected in the secondary field. Leave the session policy for web browsers set to Primary.
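The same server, policy, binding and session-profile configuration can be entered from the NetScaler CLI, which is handy for reviewing or reproducing what the GUI steps above create. The block below is an added example written for this post; it is not configuration from the original post or from Duo's or Citrix's documentation. All names, IP addresses, the base DN, the passwords/shared secrets and the gateway vserver name gw_vs are placeholders I made up, and I have put both Duo RADIUS servers on port 1812 on the assumption that the proxy listens there; match the ports to your own authproxy.cfg. The User-Agent expression is the standard classic-policy test for Citrix Receiver traffic; only the CONTAINS/NOTCONTAINS operator differs between the Web and Receiver policies, as the post describes.

```nscli
# Added example (placeholders throughout), NetScaler classic syntax as used with XenApp 7.15 LTSR.

# LDAP server over LDAPS (port 636, -secType SSL) so bind and user credentials are not sent in clear text.
add authentication ldapAction LDAP_DC01 -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "DC=lab,DC=local" -ldapBindDn "svc_ldap@lab.local" -ldapBindDnPassword "<ldap-bind-password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName -authTimeout 3

# Two RADIUS servers pointing at the Duo Authentication Proxy. The shared secret must match the
# proxy's radius_secret for this NetScaler. -authTimeout is raised so a Duo push has time to be approved.
# Only the Receiver server sends the Calling Station ID, exactly as in the GUI steps.
add authentication radiusAction RADIUS_DUO_Web -serverIP 10.0.0.10 -serverPort 1812 -radKey "<radius-shared-secret>" -authTimeout 60 -callingstationid DISABLED
add authentication radiusAction RADIUS_DUO_Receiver -serverIP 10.0.0.10 -serverPort 1812 -radKey "<radius-shared-secret>" -authTimeout 60 -callingstationid ENABLED

# Four policies. Web policies use NOTCONTAINS, Receiver policies use CONTAINS, on the same User-Agent test.
add authentication ldapPolicy   LDAP_Web_pol        "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" LDAP_DC01
add authentication ldapPolicy   LDAP_Receiver_pol   "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"    LDAP_DC01
add authentication radiusPolicy RADIUS_Web_pol      "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RADIUS_DUO_Web
add authentication radiusPolicy RADIUS_Receiver_pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver"    RADIUS_DUO_Receiver

# Bindings: browsers do LDAP first then Duo; Receiver does Duo first then LDAP (-secondary = Secondary Authentication).
bind vpn vserver gw_vs -policy LDAP_Web_pol        -priority 100
bind vpn vserver gw_vs -policy RADIUS_Receiver_pol -priority 110
bind vpn vserver gw_vs -policy LDAP_Receiver_pol   -priority 100 -secondary
bind vpn vserver gw_vs -policy RADIUS_Web_pol      -priority 110 -secondary

# Credential Index: Receiver's AD password lives in the secondary field, the browser's in the primary field.
# SES_Receiver and SES_Web are placeholder names for your existing session profiles.
set vpn sessionAction SES_Receiver -ssoCredential SECONDARY
set vpn sessionAction SES_Web      -ssoCredential PRIMARY

# Quick review of what is bound before testing a login from a browser and from Receiver.
show vpn vserver gw_vs
show authentication radiusAction RADIUS_DUO_Receiver
```

Two things worth checking after applying it: `show vpn vserver gw_vs` should list the two primary and two secondary policies in the order above, and a failed login should appear in the Duo Authentication Proxy log on the Windows server (it shows whether the RADIUS request arrived and whether the shared secret matched), which narrows down NetScaler-side versus proxy-side problems.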
- On the StoreFront server, when creating the NetScaler Gateway object, change the Logon type to Domain and security token.
- Note: you will get a 2nd password field as a result of the 2FA configuration. Leave that field blank. The DUO site has options to hide the second password field, but I didn’t want to mess with the NetScaler’s CSS themes (which isn’t supported).
- After entering your domain credentials, the DUO prompt will appear. I have the DUO app installed on my iPhone, so I always just use "Send Me a Push".
- This is a screenshot from my phone. The DUO app automatically launches for a login request and I simply select the green checkmark to send approval back to the NetScaler.