digipass authentication for netscaler

8/10/2019 DIGIPASS Authentication for NetScaler

1/35


2/35

1 DIGIPASS Authentication for NetScaler (with CAG)

DIGIPASS Authentication for NetScaler (with CAG)

Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no

responsibility for its accuracy and/or completeness.

In no event will VASCO Data Security be liable for damages arising directly or indirectly from anyuse of the information contained in this document.

Copyright

Copyright 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. Allrights reserved. VASCO, Vacman, IDENTIKEY, aXsGUARD, DIGIPASSand logo

are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO DataSecurity International GmbH in the U.S. and other countries. VASCO Data Security, Inc.and/or VASCO Data Security International GmbH own or are licensed under all title, rights andinterest in VASCO Products, updates and upgrades thereof, including copyrights, patent

rights, trade secret rights, mask work rights, database rights and all other intellectual andindustrial property rights in the U.S. and other countries. Microsoft and Windows aretrademarks or registered trademarks of Microsoft Corporation. Other names may be

trademarks of their respective owners.


3/35



Table of Contents

Reference guide ............................................................................................................. 4

1 Overview................................................................................................................... 5

2 Technical Concepts ................................................................................................... 6

2.1 Citrix ................................................................................................................... 6

2.1.1 NetScaler ....................................................................................................... 6

2.1.2 Access Gateway Enterprise Edition .................................................................... 6

2.1.3 Web Interface ................................................................................................. 6

2.2 VASCO ................................................................................................................. 6

2.2.1 IDENTIKEY Authentication server ...................................................................... 6

3 Citrix setup ............................................................................................................... 7

3.1 Architecture .......................................................................................................... 7

3.2 Prerequisites......................................................................................................... 7

3.3 Citrix ................................................................................................................... 7

3.3.1 Access Gateway .............................................................................................. 7

3.3.1.1 Policies .................................................................................................... 7

3.3.1.2 Virtual Servers ........................................................................................ 11

3.3.1.3 Groups .................................................................................................. 12

3.4 Test the setup .................................................................................................... 14

4 Citrix Receiver on mobile ........................................................................................ 15

4.1 Architecture ........................................................................................................ 15

4.2 Prerequisites....................................................................................................... 15

4.3 Citrix ................................................................................................................. 15

4.3.1 Access Gateway ............................................................................................ 15

4.3.1.1 Policies .................................................................................................. 15

4.3.1.2 Virtual Servers ........................................................................................ 18

4.4 Test ................................................................................................................... 19


4/35


5/35



Reference guide

ID Title Author Publisher Date ISBN


6/35



1

OverviewThis whitepaper describes how to configure a Citrix NetScaler with Citrix Access GatewayEnterprise Edition (AGEE) in combination with the VASCO IDENTIKEY AUTHENTICATION Server.That way an extra security layer can be added to the SSL VPN solution the CITRIX AGEE provides.


7/35



2

Technical Concepts2.1

Citrix

2.1.1 NetScaler

Citrix NetScaler makes apps and cloud-based services run five times better by offloadingapplication and database servers, accelerating application and service performance, andintegrating security. Deployed in front of web and database servers, NetScaler combines high-speed load balancing and content switching, data compression, content caching, SSL acceleration,

network optimization, application visibility and application security on a single, comprehensiveplatform.

2.1.2

Access Gateway Enterprise Edition

Citrix Access Gateway Enterprise Edition (AGEE) is a secure application access solution thatprovides administrators granular application-level control while empowering users with remote

access from anywhere. It gives IT administrators a single point to manage access control andlimit actions within sessions based on both user identity and the endpoint device, providing betterapplication security, data protection, and compliance management.

2.1.3 Web Interface

The Citrix Web Interface provides users with access to XenApp applications and content andXenDesktop virtual desktops. Users access their resources through a standard Web browser orthrough the Citrix online plug-in.

2.2 VASCO

2.2.1

IDENTIKEY Authentication server

IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server thatsupports the deployment, use and administration of DIGIPASS strong user authentication. It

offers complete functionality and management features without the need for significant budgetaryor personnel investments.

IDENTIKEY Authentication Server Server is supported on 32bit systems as well as on 64bitsystems.


8/35



3

Citrix setupBefore adding 2 factor authentication it is important to validate a standard configuration withoutOne Time Password (OTP).

3.1

Architecture

10..0.20

10..0.202

10..0.20

10..0.10

.. ()

10..0.201

When a user connects trough the CITRIX AGEE, it will be asked to authenticate. Theauthentication will be performed, using Active Directory via LDAP. If the authentication issuccessful, the user is logged in on the Citrix Web Interface where he can access the XenApp en

XenDesktop nodes.

3.2

Prerequisites

To the Citrix installation there are many components that can and need to be configured. For thiswhite paper we are going to concentrate on the NetScaler and CITRIX AGEE.

In order for this set-up to work, a Citrix Web Interface needs to be created:

http://10.4.0.202/Citrix/XenAppCAG

3.3 Citrix

Log in to the NetScaler by browsing to 10.4.0.206

3.3.1

Access Gateway

3.3.1.1 Policies

Policies are used to define components that will be used to create a virtual server.

3.3.1.1.1 Authentication Server

An authentication policy will be created to enable LDAP/Active Directory authentication.


9/35



Open the Authenticationtree item

Select the ServersTab

Click Add

Name: authsrv_ad Authentication Type: LDAP

IP Address: 10.4.0.10 Port: 389 Time-out (seconds): 3 Base DN: DC=labs,DC=vasco,DC=com

Administrator Bind DN: CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com

Administrator Password: password of the administrator user Server Logon Name Attribute: samAccountName

Group Attribute: memberOf Sub Attribute Name: CN Secure Type: PLAINTEXT Check Authentication

CheckUser Required

Click Create

3.3.1.1.2 Authentication Policy

Select the Policiestab

Click Add


10/35



Name: auth_ad Authentication Type: LDAP Server: authsrv_ad

Named Expression: General True Value Click Add Expression

Click Create

3.3.1.1.3 Session Profiles

Open the Sessiontree item

Select the ProfilesTab

Click Add

Name: profile_publishedapps

Go to Client Experience


11/35



Check Single Sign-on to Web Applications

Go to Published Applicationstab

ICA Proxy: ON

Web Interface Address: http://10.4.0.202/Citrix/XenAppCAG/

Web Interface Portal Mode: NORMAL Single Sign-on Domain: LABS

Click Create

3.3.1.1.4 Session Policy

Select the PoliciesTab

Click Add

Name: sess_icaproxy_nonmobile Request Profile:profile_publishedapps Named Expression: General True Value


12/35



Click Add Expression

Click Create

ns_true is general expression, which catches every call

3.3.1.2 Virtual Servers

Select the Virtual Serverstree item

Click Add

Name: citrix2-labs-vasco-com-AGEEauth IP Address: 10.4.0.204 Port: 443

Max Users: 0 Select SmartAccess Mode Check Enable Virtual Server

The chosen IP Address needs to be a free IP Address in the subnet.

Select Certificatestab

Select the Server certificate

Click Add>

If the server certificate is not in the Certificates list click install and add the needed

server certificate.

Select the Authenticationtab


13/35



Check Enable Authentication

Click Insert Policy

Select auth_ad


Select Session

Click Insert Policy

Select sess_icaproxy_nonmobile

Click OK

3.3.1.3 Groups

Groups are used to apply authorization and session policies, create bookmarks and specifyapplications.

User groups are created locally on the Citrix NetScaler. When an external authentication method

is used, like Active Directory, the User group from the external authentication will be mapped tothe local group on the Citrix NetScaler.


14/35



For example: On the Citrix NetScaler a group Citrix is created. Active Directory is used as anexternal authentication method. Then a group needs to be created on Active Directory with thename Citrix. The user that wants to be authenticated needs to be a member of the Citrix

group on Active Directory.

Click Add

Go to tab Authorization

Group Name:Citrix

Click Insert Policy

Select New Policy


15/35



Name: VascoAllow Action: ALLOW Named Expressions: General True value

Click AddExpression

Click Create

Click Create

3.4

Test the setup

Open a browser and browse to https://10.4.0.204

User name: Demo Static Password: Test12345

Click Log On

This user needs to be created in the active directory and must be a member of the groupCitrix


16/35



4

Citrix Receiver on mobileIn order to use Citrix Receiver on a mobile device, the first setup (Citrix Setup) will be altered.

4.1

Architecture

.. ()

10..0.20

10..0.202

10..0.10

10..0.201

4.2

Prerequisites

Mobile devices connect to the Citrix environment by using a Service Site. The Service Siteprovides the information about the publication for mobile devices.

Create a Service Site on the Web Interface server:

http://10.4.0.202/Citrix/PNAgent

4.3 Citrix

4.3.1

Access Gateway

4.3.1.1 Policies

4.3.1.1.1 Session Profiles

Open the Sessiontree item

Select the ProfilesTab

Click Add

Name: profile_mobiledevices


17/35



Go to Client Experience tab

Check Single Sign-on to Web Applications

Go to Published Applications tab

ICA Proxy: ON


18/35



Web Interface Address: http://10.4.0.202/Citrix/PNAgent/config.xml

Web Interface Portal Mode: NORMAL Single Sign-on Domain: LABS

Click Create

4.3.1.1.2

Session Policies

Select the PoliciesTab

Click Add

Name: sess_icaproxy_mobiledev Request Profile:profile_mobiledevices

Click Add


19/35



A number of different expressions must be added for this policy. The following table provides asummary of the values

For Citrix

Receiver

For Citrix Receiver on

iPad

For CFNetwork For Darwin

ExpressionType: General

Flow Type:REQ

Protocol: HTTP

Qualifier:HEADER

Operator:CONTAINS

Value:CitrixReceiver

Header Name:

User-Agent Length: Offset: 0

Click OK


Flow Type:REQ

Protocol: HTTP

Qualifier:HEADER

Operator:CONTAINS

Value:'CitrixReceiver-iPad'

Header Name:User-Agent

Length: Offset: 0

Click OK


Flow Type:REQ

Protocol: HTTP

Qualifier:HEADER

Operator:CONTAINS

Value:CFNetwork

Header Name:

User-Agent Length: Offset: 0

Click OK


Flow Type:REQ

Protocol: HTTP

Qualifier:HEADER

Operator:CONTAINS

Value: Darwin Header Name:

User-Agent

Length: Offset: 0

Click OK

Click Create

CFNetwork and Darwin are two Apple components.

CFNetwork is a process running on computers when installing Apple software.Darwin is an open source operating system launched by Apple and is the base of Mac OSx



Click citrix2-labs-vasco-com-AGEEauth and Click Open



20/35



Select Session

Click Insert Policy Select sess_icaproxy_mobiledev

Click OK

4.4

Test

To perform the test, Citrix Receiver needs to be installed on your device.

For BlackBerry: http://appworld.blackberry.com/webstore/content/10529?lang=en

For Android:https://market.android.com/details?id=com.citrix.Receiver&feature=search_result#?t=W251bGw

sMSwxLDEsImNvbS5jaXRyaXguUmVjZWl2ZXIiXQ

Other platforms: http://www.citrix.com/English/ps2/products/product.asp?contentID=1689163

The below screenshots demonstrate the Citrix receiver on an Apple Ipad.

Note: for this test the IP 10.4.0.204 is linked to an external host named citrix2.labs.vasco.com

Start the receiver application


21/35



Select Add Account

Address: citrix2.labs.vasco.com Click Next

Description: Vasco Virtual Apps

Username: Demo Password: Test12345 Domain: Labs Security Token: Disabled Click Save


22/35




23/35



5

Solution5.1

Architecture

10..0.20

10..0.202

10..0.1 10..0.10

.. ()

10 ..0.201

When implemented, the user will perform an authentication against 2 authentication servers. One

being Active Directory, using LDAP, and one against IDENTIKEY Authentication Server, usingRADIUS. This results in a login with 2 password fields.

5.2

Citrix

5.2.1

Access Gateway

5.2.1.1 Policies

5.2.1.1.1 Authentication Server

RADIUS authentication server needs to be added. This RADIUS server will point to the IDENTIKEYAuthentication server.

Open the Authenticationtree item

Select the ServersTab

Click Add


24/35



Name: authsrv_vasco

Authentication Type: RADIUS IP Address: 10.4.0.13 Port: 1812

Time-out (seconds): 3 Secret Key: Test1234 Confirm Secret Key: Test1234 Password Encoding: pap

Accounting: OFF

Click Create

5.2.1.1.2 Authentication Policy

Because the HTTP login behavior is different than the login over Citrix Receiver we need to make

multiple Authentication Policies.

1st 2n

HTTP Active Directory IDENTIKEY AuthenticationServer

Citrix Receiver IDENTIKEY AuthenticationServer

Active Directory


Click Add


25/35



Choose the configuration depending on your preferred access method

Access Method

Radius for HTTP Radius for Citrix

Receiver

LDAP for Citrix Receiver

Authenticationpolicy to be

created

Name:auth_vasco

AuthenticationType: RADIUS

Server:authsrv_vasco

Remove ns_truefrom expressionlist

Name:auth_mobile_va

sco

AuthenticationType: RADIUS

Server:authsrv_vasco

Remove ns_truefrom expression

list

Name:auth_mobile_a

d

AuthenticationType: LDAP

Server:authsrv_ad

Remove ns_truefrom expression

list

Expression toadd by clickingthe Addbutton in the

Authenticationpolicy

Expression Type:General

Flow Type: REQ Protocol: HTTP

Qualifier:HEADER Operator:

NOTCONTAINS Value:

CitrixReceiver Header Name:

User-Agent Length:

Offset: 0


Flow Type: REQ Protocol: HTTP Qualifier:

HEADER Operator:

CONTAINS Value:


User-Agent Length:

Offset: 0 Click OK


Flow Type: REQ Protocol: HTTP Qualifier:

HEADER Operator:

CONTAINS Value:


User-Agent Length:

Offset: 0


26/35



Now the new Authentication Policies are created, the existing auth_ad policy needs to be updated

Select auth_ad

Click Open

Remove ns_truefrom expression list

Click Add

Expression Type: General Flow Type: REQ Protocol: HTTP Qualifier: HEADER

Operator: NOTCONTAINS Value: CitrixReceiver Header Name: User-Agent Length:

Offset: 0

Click OK

Click OK



Click citrix2-labs-vasco-com-CAGuth and Click Open

Select the Authenticationtab


27/35



Click Insert Policy

Select auth_mobile_vasco Priority:90

Click Secondary

Click Insert Policy Select auth_mobile_ad

Priority: 90 Click Insert Policy

Select auth_vasco Priority: 10

5.3

IDENTIKEY Authentication Server

There are lots of possibilities when using IDENTIKEY Authentication Server. We can authenticatewith:

Local users (Defined in IDENTIKEY Authentication Server)

Active Directory (Windows)


28/35



In this whitepaper we will use Local users to authenticate.

5.3.1

Policies

In the Policy the behavior of the authentication is defined. It gives all the answers on: I have gota user and a password, what now?

Createa new Policy

Policy ID : Test Inherits From: Base Policy

Inherits means: The new policy will have the same behavior as the policy from which heinherits, except when otherwise specified in the new policy.

Example:

1

2

The new policy is created, now we are going to edit it.

Click edit


29/35



Local Authentication : Digipass/Password ClickSave

5.3.2 Client

In the clients we specify the location from which IDENTIKEY Authentication Server will acceptrequests and which protocol they use.

We are going to add a new RADIUS client.

Client Type : select Radius Clientfrom select from list Location: 10.4.0.206 Policy ID : Select the Policy that was created in Policies Protocol ID: RADIUS

Shared Secret: Test1234 Confirm Shared Secret: reenter the shared secret Click Save


30/35



5.3.3

User

We are going to create a user.

User ID: Fill in the Demo Enter static password: Test12345

Password is used when there is no Digipass assigned.

Confirm static password: Test12345

5.3.4 DIGIPASS

The purpose of using IDENTIKEY Authentication Server, is to be able to log in using One TimePasswords (OTP). To make it possible to use OTP we need to assign a DIGIPASS to the user. TheDigipass is a device that generates the OTPs.

Open the user by clicking on its name Select Assigned Digipass

Click ASSIGN


31/35



Click Next

Grace period: 0 Days

Grace period is the period that a user can log in with his static password. The first time

the user uses his DIGIPASS the grace period will expire.

Click ASSIGN

Click Finish


32/35



5.4 Test the Solution

5.4.1

With the browser

Open the browser and browse to https://10.4.0.204or https://citrix2.labs.vasco.com

User name: Demo Static Password: Test12345

Vasco Password: a One Time Password generated by the users Digipass

Vasco Password is not the standard field label. This is done to display the differencebetween the Active Directory Password and the Vasco One Time Password. This is done

trough the command line interface of the Citrix Netscaler

5.4.2 With Citrix Receiver

This test is done on an Apple iPad.

Start the Citrix Receiver application


33/35



Select Add Acount

Adress: citrix2.labs.vasco.com Click Next

Description: Vasco Virtual Apps Username: Demo Password: Test12345 Domain: Labs Security Token: Enabled

Select Domain + Security Token Click Save


34/35



Token: a One Time Password generated by the users Digipass


35/35


6

FAQ7

Appendix

digipass authentication for netscaler

Documents