8/10/2019 DIGIPASS Authentication for NetScaler
1/35
DIGIPASS Authentication for NetScaler (with CAG)
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.
Copyright
Copyright 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, aXsGUARD, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.
Table of Contents
Reference guide  4
1 Overview  5
2 Technical Concepts  6
2.1 Citrix  6
2.1.1 NetScaler  6
2.1.2 Access Gateway Enterprise Edition  6
2.1.3 Web Interface  6
2.2 VASCO  6
2.2.1 IDENTIKEY Authentication server  6
3 Citrix setup  7
3.1 Architecture  7
3.2 Prerequisites  7
3.3 Citrix  7
3.3.1 Access Gateway  7
3.3.1.1 Policies  7
3.3.1.2 Virtual Servers  11
3.3.1.3 Groups  12
3.4 Test the setup  14
4 Citrix Receiver on mobile  15
4.1 Architecture  15
4.2 Prerequisites  15
4.3 Citrix  15
4.3.1 Access Gateway  15
4.3.1.1 Policies  15
4.3.1.2 Virtual Servers  18
4.4 Test  19
Reference guide
ID Title Author Publisher Date ISBN
1 Overview
This whitepaper describes how to configure a Citrix NetScaler with Citrix Access Gateway Enterprise Edition (AGEE) in combination with the VASCO IDENTIKEY Authentication Server. That way an extra security layer can be added to the SSL VPN solution the Citrix AGEE provides.
2 Technical Concepts
2.1 Citrix
2.1.1 NetScaler
Citrix NetScaler makes apps and cloud-based services run five times better by offloading application and database servers, accelerating application and service performance, and integrating security. Deployed in front of web and database servers, NetScaler combines high-speed load balancing and content switching, data compression, content caching, SSL acceleration, network optimization, application visibility and application security on a single, comprehensive platform.
2.1.2 Access Gateway Enterprise Edition
Citrix Access Gateway Enterprise Edition (AGEE) is a secure application access solution that provides administrators granular application-level control while empowering users with remote access from anywhere. It gives IT administrators a single point to manage access control and limit actions within sessions based on both user identity and the endpoint device, providing better application security, data protection, and compliance management.
2.1.3 Web Interface
The Citrix Web Interface provides users with access to XenApp applications and content and XenDesktop virtual desktops. Users access their resources through a standard Web browser or through the Citrix online plug-in.
2.2 VASCO
2.2.1 IDENTIKEY Authentication server
IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments.
IDENTIKEY Authentication Server is supported on 32-bit systems as well as on 64-bit systems.
3 Citrix setup
Before adding 2-factor authentication it is important to validate a standard configuration without One Time Password (OTP).
3.1 Architecture
[Architecture diagram: lab hosts on the 10.4.0.x network]
When a user connects through the Citrix AGEE, the user is asked to authenticate. The authentication is performed against Active Directory via LDAP. If the authentication is successful, the user is logged in on the Citrix Web Interface, where the XenApp and XenDesktop nodes can be accessed.
3.2 Prerequisites
A Citrix installation has many components that can and must be configured. For this white paper we concentrate on the NetScaler and the Citrix AGEE.
In order for this set-up to work, a Citrix Web Interface needs to be created:
http://10.4.0.202/Citrix/XenAppCAG
3.3 Citrix
Log in to the NetScaler by browsing to 10.4.0.206.
3.3.1 Access Gateway
3.3.1.1 Policies
Policies are used to define components that will be used to create a virtual server.
3.3.1.1.1 Authentication Server
An authentication policy will be created to enable LDAP/Active Directory authentication.
Open the Authentication tree item
Select the Servers tab
Click Add
Name: authsrv_ad
Authentication Type: LDAP
IP Address: 10.4.0.10
Port: 389
Time-out (seconds): 3
Base DN: DC=labs,DC=vasco,DC=com
Administrator Bind DN: CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com
Administrator Password: password of the administrator user
Server Logon Name Attribute: samAccountName
Group Attribute: memberOf
Sub Attribute Name: CN
Secure Type: PLAINTEXT
Check Authentication
Check User Required
Click Create
3.3.1.1.2 Authentication Policy
Select the Policies tab
Click Add
Name: auth_ad
Authentication Type: LDAP
Server: authsrv_ad
Named Expression: General True Value
Click Add Expression
Click Create
3.3.1.1.3 Session Profiles
Open the Session tree item
Select the Profiles tab
Click Add
Name: profile_publishedapps
Go to Client Experience
Check Single Sign-on to Web Applications
Go to Published Applications tab
ICA Proxy: ON
Web Interface Address: http://10.4.0.202/Citrix/XenAppCAG/
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: LABS
Click Create
3.3.1.1.4 Session Policy
Select the Policies tab
Click Add
Name: sess_icaproxy_nonmobile
Request Profile: profile_publishedapps
Named Expression: General True Value
Click Add Expression
Click Create
ns_true is the general expression; it matches every request.
3.3.1.2 Virtual Servers
Select the Virtual Servers tree item
Click Add
Name: citrix2-labs-vasco-com-AGEEauth
IP Address: 10.4.0.204
Port: 443
Max Users: 0
Select SmartAccess Mode
Check Enable Virtual Server
The chosen IP Address needs to be a free IP Address in the subnet.
Select the Certificates tab
Select the Server certificate
Click Add >
If the server certificate is not in the Certificates list, click Install and add the needed server certificate.
Select the Authentication tab
Check Enable Authentication
Click Insert Policy
Select auth_ad
Select the Policies tab
Select Session
Click Insert Policy
Select sess_icaproxy_nonmobile
Click OK
3.3.1.3 Groups
Groups are used to apply authorization and session policies, create bookmarks and specify applications.
User groups are created locally on the Citrix NetScaler. When an external authentication method is used, like Active Directory, the user group from the external authentication will be mapped to the local group on the Citrix NetScaler.
For example: on the Citrix NetScaler a group Citrix is created, and Active Directory is used as the external authentication method. Then a group with the name Citrix needs to be created in Active Directory, and the user that wants to be authenticated needs to be a member of the Citrix group in Active Directory.
Click Add
Go to tab Authorization
Group Name: Citrix
Click Insert Policy
Select New Policy
Name: VascoAllow
Action: ALLOW
Named Expressions: General True value
Click Add Expression
Click Create
Click Create
3.4 Test the setup
Open a browser and browse to https://10.4.0.204
User name: Demo
Static Password: Test12345
Click Log On
This user needs to be created in Active Directory and must be a member of the group Citrix.
4 Citrix Receiver on mobile
In order to use Citrix Receiver on a mobile device, the first setup (Citrix Setup) will be altered.
4.1 Architecture
[Architecture diagram: lab hosts on the 10.4.0.x network]
4.2 Prerequisites
Mobile devices connect to the Citrix environment by using a Service Site. The Service Site provides the information about the publication for mobile devices.
Create a Service Site on the Web Interface server:
http://10.4.0.202/Citrix/PNAgent
4.3 Citrix
4.3.1 Access Gateway
4.3.1.1 Policies
4.3.1.1.1 Session Profiles
Open the Session tree item
Select the Profiles tab
Click Add
Name: profile_mobiledevices
Go to Client Experience tab
Check Single Sign-on to Web Applications
Go to Published Applications tab
ICA Proxy: ON
Web Interface Address: http://10.4.0.202/Citrix/PNAgent/config.xml
Web Interface Portal Mode: NORMAL
Single Sign-on Domain: LABS
Click Create
4.3.1.1.2 Session Policies
Select the Policies tab
Click Add
Name: sess_icaproxy_mobiledev
Request Profile: profile_mobiledevices
Click Add
A number of different expressions must be added for this policy. The following table summarizes the values.
For Citrix Receiver:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Value: CitrixReceiver
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK
For Citrix Receiver on iPad:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Value: 'CitrixReceiver-iPad'
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK
For CFNetwork:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Value: CFNetwork
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK
For Darwin:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Value: Darwin
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK
Click Create
CFNetwork and Darwin are two Apple components. CFNetwork is a process running on computers when installing Apple software. Darwin is an open source operating system launched by Apple and is the base of Mac OS X.
4.3.1.2 Virtual Servers
Select the Virtual Servers tree item
Click citrix2-labs-vasco-com-AGEEauth and click Open
Select the Policies tab
Select Session
Click Insert Policy
Select sess_icaproxy_mobiledev
Click OK
4.4 Test
To perform the test, Citrix Receiver needs to be installed on your device.
For BlackBerry: http://appworld.blackberry.com/webstore/content/10529?lang=en
For Android: https://market.android.com/details?id=com.citrix.Receiver&feature=search_result#?t=W251bGwsMSwxLDEsImNvbS5jaXRyaXguUmVjZWl2ZXIiXQ
Other platforms: http://www.citrix.com/English/ps2/products/product.asp?contentID=1689163
The screenshots below demonstrate Citrix Receiver on an Apple iPad.
Note: for this test the IP 10.4.0.204 is linked to an external host named citrix2.labs.vasco.com
Start the Receiver application
Select Add Account
Address: citrix2.labs.vasco.com
Click Next
Description: Vasco Virtual Apps
Username: Demo
Password: Test12345
Domain: Labs
Security Token: Disabled
Click Save
5 Solution
5.1 Architecture
[Architecture diagram: lab hosts on the 10.4.0.x network, now including the IDENTIKEY Authentication Server]
When implemented, the user will perform an authentication against 2 authentication servers: one being Active Directory, using LDAP, and one being IDENTIKEY Authentication Server, using RADIUS. This results in a login with 2 password fields.
5.2 Citrix
5.2.1 Access Gateway
5.2.1.1 Policies
5.2.1.1.1 Authentication Server
A RADIUS authentication server needs to be added. This RADIUS server will point to the IDENTIKEY Authentication Server.
Open the Authentication tree item
Select the Servers tab
Click Add
Name: authsrv_vasco
Authentication Type: RADIUS
IP Address: 10.4.0.13
Port: 1812
Time-out (seconds): 3
Secret Key: Test1234
Confirm Secret Key: Test1234
Password Encoding: pap
Accounting: OFF
Click Create
5.2.1.1.2 Authentication Policy
Because the HTTP login behavior is different from the login over Citrix Receiver, we need to make multiple Authentication Policies.
Access method     1st                               2nd
HTTP              Active Directory                  IDENTIKEY Authentication Server
Citrix Receiver   IDENTIKEY Authentication Server   Active Directory
Select the Policies tab
Click Add
Choose the configuration depending on your preferred access method.

Access Method: Radius for HTTP
Authentication policy to be created:
Name: auth_vasco
Authentication Type: RADIUS
Server: authsrv_vasco
Remove ns_true from the expression list
Expression to add by clicking the Add button in the Authentication policy:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: NOTCONTAINS
Value: CitrixReceiver
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK

Access Method: Radius for Citrix Receiver
Authentication policy to be created:
Name: auth_mobile_vasco
Authentication Type: RADIUS
Server: authsrv_vasco
Remove ns_true from the expression list
Expression to add by clicking the Add button in the Authentication policy:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Value: CitrixReceiver
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK

Access Method: LDAP for Citrix Receiver
Authentication policy to be created:
Name: auth_mobile_ad
Authentication Type: LDAP
Server: authsrv_ad
Remove ns_true from the expression list
Expression to add by clicking the Add button in the Authentication policy:
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: CONTAINS
Value: CitrixReceiver
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK
Now that the new Authentication Policies are created, the existing auth_ad policy needs to be updated.
Select auth_ad
Click Open
Remove ns_true from the expression list
Click Add
Expression Type: General
Flow Type: REQ
Protocol: HTTP
Qualifier: HEADER
Operator: NOTCONTAINS
Value: CitrixReceiver
Header Name: User-Agent
Length: (leave empty)
Offset: 0
Click OK
Click OK
5.2.1.2 Virtual Servers
Select the Virtual Servers tree item
Click citrix2-labs-vasco-com-AGEEauth and click Open
Select the Authentication tab
Click Insert Policy
Select auth_mobile_vasco
Priority: 90
Click Secondary
Click Insert Policy
Select auth_mobile_ad
Priority: 90
Click Insert Policy
Select auth_vasco
Priority: 10
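The GUI procedure of sections 3, 4 and 5 above, rewritten as the equivalent NetScaler CLI configuration. This is an added reconstruction, not a listing taken from the whitepaper or from Citrix; it assumes the classic policy expression syntax, that the mobile-detection expressions are combined with OR, bind priorities the GUI does not show (auth_ad at 100, the non-mobile session policy at 100 and the mobile one at 90, so the more specific policy is evaluated first), and placeholders for the bind password and the certificate-key pair.

```netscaler
# Added example: NetScaler CLI equivalent of the GUI steps in sections 3 to 5.
# <bind-password> and <server-certkey> are placeholders; all other values come from the whitepaper.

# --- 3.3.1.1.1 / 3.3.1.1.2  LDAP server and policy (Active Directory) ---
# secType PLAINTEXT is what the whitepaper selects: the bind password and every user
# password then cross the network unencrypted. TLS or SSL is the hardened choice.
add authentication ldapAction authsrv_ad -serverIP 10.4.0.10 -serverPort 389 -authTimeout 3 -ldapBase "DC=labs,DC=vasco,DC=com" -ldapBindDn "CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com" -ldapBindDnPassword <bind-password> -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType PLAINTEXT
add authentication ldapPolicy auth_ad ns_true authsrv_ad

# --- 3.3.1.1.3 / 3.3.1.1.4  Session profile and policy for browser (non-mobile) access ---
add vpn sessionAction profile_publishedapps -SSO ON -icaProxy ON -wihome "http://10.4.0.202/Citrix/XenAppCAG/" -wiPortalMode NORMAL -ntDomain LABS
add vpn sessionPolicy sess_icaproxy_nonmobile ns_true profile_publishedapps

# --- 3.3.1.2  Virtual server (SmartAccess mode = icaOnly OFF) ---
add vpn vserver citrix2-labs-vasco-com-AGEEauth SSL 10.4.0.204 443 -icaOnly OFF
bind ssl vserver citrix2-labs-vasco-com-AGEEauth -certkeyName <server-certkey>
# ns_true catches everything, so it gets the higher (less preferred) priority number (assumed)
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy sess_icaproxy_nonmobile -priority 100

# --- 3.3.1.3  Local group, mapped to the AD group of the same name "Citrix" ---
add aaa group Citrix
add authorization policy VascoAllow ns_true ALLOW
bind aaa group Citrix -policy VascoAllow

# --- 4.3.1.1  Session profile and policy for Citrix Receiver on mobile devices ---
# The 'CitrixReceiver-iPad' expression is omitted: CONTAINS CitrixReceiver already matches it.
add vpn sessionAction profile_mobiledevices -SSO ON -icaProxy ON -wihome "http://10.4.0.202/Citrix/PNAgent/config.xml" -wiPortalMode NORMAL -ntDomain LABS
add vpn sessionPolicy sess_icaproxy_mobiledev "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork || REQ.HTTP.HEADER User-Agent CONTAINS Darwin" profile_mobiledevices
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy sess_icaproxy_mobiledev -priority 90

# --- 5.2.1.1.1  RADIUS server pointing at IDENTIKEY ---
# With PAP the OTP is protected on the wire only by the shared secret, so treat the secret as a credential.
add authentication radiusAction authsrv_vasco -serverIP 10.4.0.13 -serverPort 1812 -authTimeout 3 -radKey Test1234 -passEncoding pap -accounting OFF

# --- 5.2.1.1.2  Split the login flow on the User-Agent header ---
set authentication ldapPolicy auth_ad -rule "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"
add authentication radiusPolicy auth_vasco "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" authsrv_vasco
add authentication radiusPolicy auth_mobile_vasco "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" authsrv_vasco
add authentication ldapPolicy auth_mobile_ad "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" authsrv_ad

# --- 5.2.1.2  Bindings: browsers get AD first, then RADIUS; Receiver gets RADIUS first, then AD ---
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy auth_ad -priority 100
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy auth_mobile_vasco -priority 90
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy auth_vasco -priority 10 -secondary
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy auth_mobile_ad -priority 90 -secondary

save ns config
```

Run `show vpn vserver citrix2-labs-vasco-com-AGEEauth` afterwards to confirm that the primary and secondary authentication bindings match the table in section 5.2.1.1.2.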
5.3 IDENTIKEY Authentication Server
There are lots of possibilities when using IDENTIKEY Authentication Server. We can authenticate with:
Local users (defined in IDENTIKEY Authentication Server)
Active Directory (Windows)
In this whitepaper we will use Local users to authenticate.
5.3.1 Policies
In the Policy the behavior of the authentication is defined. It gives all the answers on: I have got a user and a password, what now?
Create a new Policy
Policy ID: Test
Inherits From: Base Policy
Inherits means: the new policy will have the same behavior as the policy from which it inherits, except when otherwise specified in the new policy.
Example: [screenshots of the policy inheritance, not reproduced]
The new policy is created; now we are going to edit it.
Click Edit
Local Authentication: Digipass/Password
Click Save
5.3.2 Client
In the clients we specify the location from which IDENTIKEY Authentication Server will accept requests and which protocol they use.
We are going to add a new RADIUS client.
Client Type: select Radius Client from the list
Location: 10.4.0.206
Policy ID: select the Policy that was created in Policies
Protocol ID: RADIUS
Shared Secret: Test1234
Confirm Shared Secret: re-enter the shared secret
Click Save
5.3.3 User
We are going to create a user.
User ID: Demo
Enter static password: Test12345
The static password is used when there is no Digipass assigned.
Confirm static password: Test12345
5.3.4 DIGIPASS
The purpose of using IDENTIKEY Authentication Server is to be able to log in using One Time Passwords (OTP). To make it possible to use OTP we need to assign a DIGIPASS to the user. The Digipass is a device that generates the OTPs.
Open the user by clicking on its name
Select Assigned Digipass
Click ASSIGN
Click Next
Grace period: 0 Days
Grace period is the period that a user can log in with his static password. The first time
the user uses his DIGIPASS the grace period will expire.
Click ASSIGN
Click Finish
5.4 Test the Solution
5.4.1 With the browser
Open the browser and browse to https://10.4.0.204 or https://citrix2.labs.vasco.com
User name: Demo
Static Password: Test12345
Vasco Password: a One Time Password generated by the user's Digipass
Vasco Password is not the standard field label. This is done to display the difference between the Active Directory password and the Vasco One Time Password. This is done through the command line interface of the Citrix NetScaler.
5.4.2 With Citrix Receiver
This test is done on an Apple iPad.
Start the Citrix Receiver application
Select Add Account
Address: citrix2.labs.vasco.com
Click Next
Description: Vasco Virtual Apps
Username: Demo
Password: Test12345
Domain: Labs
Security Token: Enabled
Select Domain + Security Token
Click Save
Token: a One Time Password generated by the user's Digipass
6 FAQ
7 Appendix