Detailed OTP Configuration Tutorial

LDAP Policies/Actions

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.
  2. On the right, click Add.
    1. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. This LDAP Policy/Server will be used for single-factor authentication to the manageotp website, and for the first factor of dual-factor authentication to NetScaler Gateway (the second factor is OTP). There are no special instructions for this LDAP Server.
  3. Create another LDAP Action.
    1. This one is used by the manageotp site to set the OTP authenticator in Active Directory, so name it accordingly.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work. Then click Test LDAP Reachability.
    5. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where NetScaler will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.
    7. Thomas Rolfs in the comments advises not to enable Nested Group Extraction in this LDAP Action.
    8. Click Create when done.
  4. Create another LDAP Action.
    1. This one will verify the OTP code entered by the user, so name it accordingly. The only difference from the prior one is the addition of an LDAP Search Filter.
    2. On the right, uncheck the box next to Authentication. If you don’t uncheck it, you will see an error message after configuring the OTP Secret.
    3. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
    4. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new one won’t work.
    5. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
    6. In the Search Filter field, enter the text userParameters>=#@. This syntax ensures that only users with enrolled authenticators can log in. See George Spiers’ NetScaler native OTP for more info.
    7. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.
    8. Click Create when done.
  5. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Policy.
  6. On the right, click Add.
    1. You probably don’t already have an Advanced Authentication Policy for your normal LDAP server.
    2. Change the Action Type to LDAP.
    3. Select your normal LDAP server, which is the one that has Authentication enabled.
    4. Enter true as the expression. This uses Default Syntax instead of Classic Syntax.
    5. Click Create.
  7. Create another Authentication Policy.
    1. This policy is for OTP management so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the Set OTP LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should not have the Search Filter configured.
    4. Enter HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") in the Expression box, and click Create.
  8. Create another Authentication Policy.
    1. This policy is for OTP verification so name it accordingly.
    2. Change the Action Type to LDAP.
    3. Select the OTP Verification LDAP Server that has Authentication disabled and OTP Secret configured. This LDAP Action should have the Search Filter configured to prevent unenrolled users from authenticating.
    4. Enter true in the Expression box, and click Create.

Login Schemas

  1. Go to Security > AAA – Application Traffic > Login Schema.
  2. On the right, switch to the Profiles tab, and click Add.
    1. This is the single factor Login Schema for manageotp so name the Schema accordingly.
    2. Click the Edit icon.
    3. On the left, click the LoginSchema folder to open it.
    4. Scroll down, and click SingleAuthManageOTP.xml to highlight it.
    5. On the top right, click Select.
    6. Click Create.
  3. Add another Login Schema profile.
    1. This Login Schema is for two-factor authentication to NetScaler Gateway so name it accordingly.
    2. Click the edit icon. Follow the same procedure as above, but this time select /LoginSchema/DualAuth.xml.
    3. Click More to reveal more options.
    4. Scroll down. In the Password Credential Index field, enter 1. This causes nFactor to save the user’s password into AAA Attribute #1, which we’ll use later in a Traffic Policy to Single Sign-on to StoreFront. If you don’t do this, then NetScaler Gateway will try to use the Passcode to authenticate to StoreFront, which obviously won’t work.
    5. Check the box next to Enable Single Sign On Credentials. Mark in the comments indicates that this checkbox is needed to Single Sign On to RDP Hosts.
    6. Click Create.
  4. On the right, switch to the Policies tab.
  5. Click Add to add a Login Schema policy.
    1. In the Profile field, select the Single Factor Manage OTP Login Schema Profile.
    2. Name the Login Schema Policy for OTP management.
    3. In the Rule field, enter the following. This ensures that this single factor Login Schema is only used if the user enters /manageotp, and if the user is on the internal network. You don’t want manageotp to be accessible externally, because it’s only protected by single factor authentication, and it’s too easy to add multiple devices.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(10.2.0.0/16)
    4. Click Create.
  6. Create another Login Schema Policy.
    1. In the Profile field, select the dual factor Login Schema.
    2. Name the Login Schema to indicate dual factor authentication.
    3. In the Rule box, enter true.
    4. Click Create.

Authentication PolicyLabel

  1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > PolicyLabel.
  2. On the right, click Add.
  3. This PolicyLabel is for OTP management, and OTP verification, so name it accordingly.
  4. In the Login Schema field, select LSCHEMA_INT, which means noschema.
  5. Click Continue.
  6. In the Policy Binding section, Click to select.
  7. Click the radio button next to the Manage OTP LDAP Policy that has authentication disabled, and OTP Secret configured. This one should have a policy expression that limits it to manageotp only. Click Select.
  8. Click Bind.
  9. Click Add Binding to add another one.
  10. Click to select.
  11. Click the radio button next to the LDAP Policy that verifies OTP. Click Select.
  12. Click Bind.
  13. Make sure the manageotp policy is higher in the list than the OTP Verification policy. To adjust priorities, right-click on the policies, and click Edit Binding. Click Done.

AAA vServer

  1. Go to Security > AAA – Application Traffic.
    1. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
  2. Go to Security > AAA – Application Traffic > Virtual Servers.
  3. On the right, click Add.
  4. This AAA vServer is for OTP so name it accordingly.
  5. Change the IP Address Type to Non Addressable.
  6. Click OK.
  7. Click where it says No Server Certificate.
    1. In the Server Certificate Binding section, click Click to select.
    2. Click the radio button next to a certificate, and click Select. You can use the same certificate as NetScaler Gateway.
    3. Click Bind.
  8. Click Continue to close the Certificate section.
  9. In the Advanced Authentication Policies section, click where it says No Authentication Policy.
    1. Click where it says Click to select.
    2. Click the radio button next to the normal LDAP Policy that has authentication enabled. Then click the blue Select button.
    3. In the Select Next Factor field, click where it says Click to select.
    4. Click the radio button next to the OTP PolicyLabel, and click Select.
    5. Click Bind.
  10. In the Advanced Authentication Policies section, click Continue.
  11. On the right, in the Advanced Settings column, click Login Schemas.
  12. On the left, scroll down, and click where it says No Login Schema.
    1. Click where it says Click to select.
    2. Click the radio button next to the Manage OTP Login Schema, and click Select.
    3. Click Bind.
  13. Click where it says 1 Login Schema.
    1. Click Add Binding.
    2. Click where it says Click to select.
    3. Click the radio button next to the dual factor Login Schema, and click Select.
    4. Click Bind.
    5. Make sure the single factor Manage OTP Login Schema is higher in the list (lower priority number) than the dual factor Login Schema. Click Close.
  14. On the right, in the Advanced Settings column, click Portal Themes.
  15. On the left, scroll down, select RfWebUI as the Portal Theme, and click OK.
  16. Click Done.

Traffic Policy for Single Sign-on

  1. On the left, go to NetScaler Gateway > Policies > Traffic.
  2. On the right, switch to the Traffic Profiles tab, and click Add.
  3. This Traffic Profile is for OTP and/or nFactor. Name it accordingly.
  4. Scroll down.
  5. In the SSO Password Expression box, enter the following. This is where we use the Login Schema Password Attribute specified earlier.
    http.REQ.USER.ATTRIBUTE(1)
  6. Click Create.
  7. On the right, switch to the Traffic Policies tab, and click Add.
  8. In the Request Profile field, select the Traffic Profile you just created.
  9. Name the Traffic Policy.
  10. In the Expression box, enter true (Default Syntax).
    • If your NetScaler Gateway Virtual Server allows full VPN, change the expression to the following. Source = Julien Mooren at NetScaler – Native OTP is breaking SSL VPN.
      http.req.method.eq(post)||http.req.method.eq(get) && false
  11. Click Create.

NetScaler Gateway and Authentication Profile

  1. Go to NetScaler Gateway > Virtual Servers.
  2. Edit an existing Gateway vServer. If you don’t have one, see the other NetScaler Gateway topics on this site.
  3. Scroll down to the Policies section, and click the plus icon.
  4. Change the Choose Policy drop-down to Traffic, and click Continue.
  5. Click to select.
  6. Click the radio button next to the Traffic Policy you created earlier, and click Select.
  7. Click Bind.
  8. On the right, in the Advanced Settings column, click Authentication Profile.
  9. On the left, scroll down to the Authentication Profile section.
  10. Click Add to create one.
  11. Authentication Profile links the NetScaler Gateway vServer with the OTP AAA vServer, so name it accordingly.
  12. In the Authentication Virtual Server section, Click to select.
  13. Click the radio button next to the OTP AAA vServer, and click Select.
  14. Click Create.
  15. Scroll down again to the Authentication Profile section, and click OK.
  16. The Portal Theme bound to the Gateway vServer should be RfWebUI, or a derivative.
  17. Go to System > Profiles.
  18. On the right, switch to the SSL Profile tab.
  19. Edit the ns_default_ssl_profile_frontend profile.
  20. Make sure HSTS is not enabled in the profile, or RfWebUI and manageotp won’t work correctly. This is probably a bug. Note: the Rewrite method of enabling HSTS should work.
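
The same build expressed as NetScaler CLI commands, added here as an example and not taken from the original guide or from Citrix; the server IP, base DN, bind account, password, certificate name, internal subnet and all object names are placeholders you replace with your own, while the expressions, attribute name, search filter and Login Schema file names are the ones the steps above use.

```text
# Added example, not from the original guide. Placeholders: 10.2.1.10, dc=corp,dc=com,
# svc_ldap, <password>, wildcard-cert, gw_vserver, 10.2.0.0/16 and every object name.

# Normal LDAP server (authentication ON): manageotp login and first factor for the Gateway
add authentication ldapAction LDAP_Auth -serverIP 10.2.1.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=com" -ldapBindDn "svc_ldap@corp.com" -ldapBindDnPassword <password> -ldapLoginName sAMAccountName -ssoNameAttribute userPrincipalName

# Manage OTP: authentication OFF, writes the secret into userParameters, no search filter
add authentication ldapAction LDAP_OTP_Manage -serverIP 10.2.1.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=com" -ldapBindDn "svc_ldap@corp.com" -ldapBindDnPassword <password> -ldapLoginName sAMAccountName -authentication DISABLED -OTPSecret userParameters

# Verify OTP: same, plus the search filter that rejects users without an enrolled authenticator
add authentication ldapAction LDAP_OTP_Verify -serverIP 10.2.1.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=com" -ldapBindDn "svc_ldap@corp.com" -ldapBindDnPassword <password> -ldapLoginName sAMAccountName -authentication DISABLED -OTPSecret userParameters -searchFilter "userParameters>=#@"

# Advanced authentication policies (Default Syntax)
add authentication Policy pol_LDAP_Auth -rule true -action LDAP_Auth
add authentication Policy pol_OTP_Manage -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\")" -action LDAP_OTP_Manage
add authentication Policy pol_OTP_Verify -rule true -action LDAP_OTP_Verify

# Login Schemas: single factor for manageotp (internal clients only), dual factor for everyone else
add authentication loginSchema lschema_manageotp -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchema lschema_dual -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuth.xml" -passwordCredentialIndex 1 -SSOCredentials YES
add authentication loginSchemaPolicy lschemapol_manageotp -rule "HTTP.REQ.COOKIE.VALUE(\"NSC_TASS\").EQ(\"manageotp\") && CLIENT.IP.SRC.IN_SUBNET(10.2.0.0/16)" -action lschema_manageotp
add authentication loginSchemaPolicy lschemapol_dual -rule true -action lschema_dual

# PolicyLabel (noschema): the manageotp policy gets the lower priority number so it is evaluated first
add authentication policylabel plabel_OTP -loginSchema LSCHEMA_INT
bind authentication policylabel plabel_OTP -policyName pol_OTP_Manage -priority 100 -gotoPriorityExpression NEXT
bind authentication policylabel plabel_OTP -policyName pol_OTP_Verify -priority 110 -gotoPriorityExpression NEXT

# Non-addressable AAA vServer: LDAP first factor, OTP PolicyLabel as next factor, RfWebUI theme
add authentication vserver AAA_OTP SSL 0.0.0.0
bind ssl vserver AAA_OTP -certkeyName wildcard-cert
bind authentication vserver AAA_OTP -policy pol_LDAP_Auth -priority 100 -nextFactor plabel_OTP -gotoPriorityExpression NEXT
bind authentication vserver AAA_OTP -policy lschemapol_manageotp -priority 100 -gotoPriorityExpression END
bind authentication vserver AAA_OTP -policy lschemapol_dual -priority 110 -gotoPriorityExpression END
bind authentication vserver AAA_OTP -portaltheme RfWebUI

# Traffic policy: SSO to StoreFront with the password saved in AAA attribute 1, not the passcode
add vpn trafficAction traf_OTP_SSO http -SSO ON -passwdExpression "HTTP.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy trafpol_OTP_SSO true traf_OTP_SSO
bind vpn vserver gw_vserver -policy trafpol_OTP_SSO -priority 100

# Authentication Profile links the Gateway vServer to the OTP AAA vServer
add authnProfile authprof_OTP -authnVsName AAA_OTP
set vpn vserver gw_vserver -authnProfile authprof_OTP
```

Run `show authentication vserver AAA_OTP` afterwards to confirm both Login Schema policies and the LDAP policy with its next factor are bound in the expected priority order.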

Update Content Switching Expression for Unified Gateway

If your NetScaler Gateway Virtual Server is behind a Unified Gateway (Content Switching Virtual Server), then you must update the Content Switching Expression to include the manageotp paths.

  1. In the NetScaler GUI, navigate to Configuration > Traffic Management > Content Switching > Policies.
  2. On the right, select the Unified Gateway Content Switching Policy, and then click Edit.
  3. Append the following expression under the Expression area, and then click OK.
    || HTTP.REQ.URL.CONTAINS("/manageotp")

Manageotp

  1. Point your browser to https://mygateway.corp.com/manageotp or similar. Simply add /manageotp to the end of your Gateway URL.
  2. Notice it’s only single-factor authentication. Log in using normal LDAP credentials.
  3. Click Add Device.
  4. Enter a device name, and click Go.
  5. Launch the Google Authenticator application on your phone. Click the plus icon in Google Authenticator, and scan the QR code that is shown on the screen.
  6. Christian in the comments indicated that Microsoft Authenticator also works: click the plus sign -> Other (Google, …).
  7. Click Test.
  8. Enter the passcode shown in your Authenticator, and click Go.
  9. If you log off of manageotp, and access your Gateway URL normally, you’ll be prompted for two-factor authentication. Use the passcodes shown in your Google Authenticator application.
  10. It should Single Sign-on into StoreFront.

Official link: Native One Time Passwords (OTP) – NetScaler Gateway 12 / Citrix Gateway 12.1 – Carl Stalhood