Citrix Plugin

Introduction

Acceptto’s multi-factor authentication technology can be used with NetScaler Gateway to improve the security of NetScaler logins.

Prerequisites

To use Acceptto’s multi-factor authentication with Citrix NetScaler, you must have a working instance of NetScaler 12, access to one or more Microsoft Active Directory domain controllers (or a similar LDAP-based directory server), and a Debian Linux server on which to run FreeRADIUS.

This document uses Microsoft Active Directory; if you use a different directory server, consult its documentation for the equivalent bind DN, base DN and search filter settings used below.

Overview of requirements

Active Directory or LDAP based directory server with:

  1. A user account with privileges to inspect your LDAP structure.
  2. An unprivileged user that will be used by FreeRADIUS to perform LDAP queries.

A server running Debian Linux with:

  1. A physical or virtual host with at least 1 CPU, 2 GB of RAM and 20 GB of disk space
  2. A Linux user on this machine with sudo rights
  3. FreeRADIUS 3.0.12 or greater installed.
  4. Perl version 5 installed along with the modules WWW::Curl::Easy and JSON
  5. A copy of the perl script acceptto.pl

A Citrix NetScaler appliance running NetScaler 12 with:

  1. A Citrix user with enough privileges to configure Authentication Servers.

Acceptto account with:

  1. An application UID and secret

Register for an Acceptto Account

Before you continue, you must register for an Acceptto account by following these steps:

  1. Sign up for an Acceptto account
  2. Login to the user dashboard from the Acceptto homepage
  3. Select the Applications page link then click the “New Application” button
  4. On the New Application page, fill in the name and redirect URL for your application and click Save; this creates your UID and Secret
  5. Save your UID and Secret as these are used in the sections below. See Setting Up for help.


Configure FreeRADIUS

In this step you will configure FreeRADIUS on a server running Debian Linux. If you are using an existing FreeRADIUS server you can skip the installation step; however, you must still install Perl and its extension modules, because Perl is required to run the script that connects the RADIUS server to the Acceptto API.

Note: In Debian, the FreeRADIUS base directory is located at /etc/freeradius/3.0. We will be referring to this location as raddb in the steps below, to maintain alignment with the FreeRADIUS documentation.

Install FreeRADIUS and Perl
  1. Install FreeRADIUS, its LDAP module and the freeradius-utils package, which provides the radtest and radclient tools used to test the installation below:
     $ sudo apt-get install freeradius freeradius-ldap freeradius-utils curl
  2. Install Perl (the freeradius package already depends on it, so this is usually a no-op):
     $ sudo apt-get install perl
  3. Install the Perl modules WWW::Curl::Easy and JSON:
     $ cpan WWW::Curl::Easy JSON
     Building WWW::Curl::Easy from CPAN requires a C compiler and the libcurl development headers; Debian also packages both modules as libwww-curl-perl and libjson-perl if you prefer to install them with apt-get.
RADIUS Configuration
  1. Locate the RADIUS daemon configuration file at raddb/radiusd.conf (/etc/freeradius/3.0/radiusd.conf on Debian).
  2. Verify that the following lines are uncommented:
     policy {
         $INCLUDE policy.d/
     }
     $INCLUDE sites-enabled/
    
  1. Copy (or symlink) the file raddb/mods-available/ldap to raddb/mods-enabled/ldap.
  2. Edit the file and set the following values in the ldap { } section (the filter belongs in its user { } subsection):
     server = the IP address or hostname of your LDAP server. Prefer an ldaps:// URL (for example "ldaps://dc1.example.net") so that the bind password and your users’ credentials are not sent in clear text.
     identity = the DN of the unprivileged account FreeRADIUS binds with before searching, for example 'cn=ldapuser,dc=example,dc=net'.
     password = the password of that bind account.
     base_dn = where the LDAP search begins. If your domain is example.net and all your users are in the users container, the DN would look similar to: 'cn=users,dc=example,dc=net'.
     filter = an RFC 2254 search filter selecting the LDAP objects of interest. To match only user objects by their logon name, the filter would look similar to: "(&(objectclass=user)(objectcategory=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
  3. Edit the file raddb/mods-config/files/authorize and add the following entry. The group test and the Auth-Type are both check items of one entry, so they go on the same line:
     DEFAULT LDAP-Group == "cn=users,dc=example,dc=net", Auth-Type := Accept
     Auth-Type := Accept tells FreeRADIUS to perform no password check of its own for users matching this entry, so keep the group limited to the users who should be allowed through the gateway.
  4. Copy (or symlink) the file raddb/mods-available/perl to raddb/mods-enabled/perl and edit this file.
  5. Locate the section that begins with perl { and set:
     filename = ${modconfdir}/${.:instance}/acceptto.pl
  6. Copy the acceptto.pl file to raddb/mods-config/perl/acceptto.pl.
  7. Set the variable my $uid to the UID that you obtained from the Acceptto Dashboard.
  8. Set the variable my $secret to the Secret that you obtained from the Acceptto Dashboard.
  9. Optionally set the variable $message to a string that tells your users what type of request they are approving.
  10. Make acceptto.pl executable. Because it now embeds your Acceptto secret, it should be readable only by root and the FreeRADIUS service user (freerad on Debian), so use 0750 rather than a world-readable mode:
     $ chmod 0750 raddb/mods-config/perl/acceptto.pl
  11. Edit the file raddb/clients.conf and add the following section. Use a long, random shared secret: it is the only key protecting the User-Password attribute between the NetScaler and FreeRADIUS, and restricting ipaddr to the NetScaler means requests from any other host are dropped.
     client netscaler {
             ipaddr = IP Address of the NetScaler
             secret = The shared secret between RADIUS and NetScaler
     }
  12. Restart the RADIUS server (for example: $ systemctl restart freeradius.service) and test the installation with radtest from the RADIUS host itself. A request from 127.0.0.1 matches the localhost client in clients.conf, so the secret on this command line is that client’s secret (testing123 in the default file), not the NetScaler one:
     $ radtest ldapuser ldapuserpassword 127.0.0.1 0 testing123
     radtest waits only a few seconds for a reply, so have your mobile device ready to approve the push as soon as it arrives.

If your RADIUS configuration is successful you will get an alert on your mobile device asking to authorize the login and RADIUS should return a message like:

    Received Access-Accept Id XY from 127.0.0.1:1812 to 0.0.0.0: length Z
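
The following script is an added example, not Acceptto’s or FreeRADIUS’s own tooling. It turns the RADIUS-side steps above into a repeatable procedure and adds the checks a reviewer would want before pointing the NetScaler at this server: a generated shared secret instead of a typed one, the clients.conf stanza bound to the gateway’s address, acceptto.pl locked down because it embeds the Acceptto secret, an ldapsearch probe of the bind account and user filter independent of FreeRADIUS, a configuration syntax check, and a test Access-Request with a timeout long enough to approve a push. It assumes (none of this is stated on the page) Debian’s raddb at /etc/freeradius/3.0, the service user freerad, the client name netscaler from the steps above, radclient from the freeradius-utils package, and that requests from 127.0.0.1 match the localhost client whose default secret is testing123. All LDAP and NetScaler values are placeholders passed in through environment variables.

```shell
#!/bin/sh
# Added example (not Acceptto's or FreeRADIUS's own code): scripts the
# RADIUS-side steps of the guide and adds the checks a reviewer would want.
# Assumptions, not from the original page: Debian raddb path, service user
# "freerad", client stanza named "netscaler", radclient from freeradius-utils,
# and the "localhost" client's default secret "testing123".
set -eu

RADDB="${RADDB:-/etc/freeradius/3.0}"
RADIUS_USER="${RADIUS_USER:-freerad}"

# 32 random bytes rendered as 64 hex characters.  The shared secret is the
# only key protecting User-Password between the NetScaler and FreeRADIUS,
# so it is generated rather than typed.
gen_secret() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Refuse short secrets before they ever reach clients.conf (0 = acceptable).
secret_ok() {
    [ "${#1}" -ge 16 ]
}

# clients.conf stanza for the gateway.  Binding it to a single address means
# a request from any other host is dropped before the secret is even compared.
render_client() {  # name ipaddr secret
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n}\n' "$1" "$2" "$3"
}

# Confirm the bind account and the user filter from mods-enabled/ldap resolve
# a real user without involving FreeRADIUS.  A bind error means the
# identity/password pair is wrong; an empty result means base_dn or filter is.
probe_ldap() {  # ldap_url bind_dn bind_pw base_dn sam_account_name
    ldapsearch -x -LLL -H "$1" -D "$2" -w "$3" -b "$4" \
        "(&(objectclass=user)(objectcategory=user)(sAMAccountName=$5))" dn
}

# Append the stanza and lock acceptto.pl down: it embeds the Acceptto UID and
# secret, so only root and the daemon should be able to read it.
install_files() {  # netscaler_ip shared_secret
    render_client netscaler "$1" "$2" >> "$RADDB/clients.conf"
    chown root:"$RADIUS_USER" "$RADDB/mods-config/perl/acceptto.pl"
    chmod 0750 "$RADDB/mods-config/perl/acceptto.pl"
}

# Syntax-check the configuration, restart, then send one real Access-Request.
# radclient's default 3 s timeout expires before anyone can approve a push on
# a phone, so it is raised to 60 s and retries are disabled: every retry
# would fire another notification at the user.
smoke_test() {  # username password localhost_secret
    freeradius -C -d "$RADDB"
    systemctl restart freeradius.service
    printf 'User-Name=%s,User-Password=%s\n' "$1" "$2" |
        radclient -t 60 -r 1 127.0.0.1 auth "$3"
}

# The live system is only touched when run as: sh radius-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    SECRET=$(gen_secret)
    secret_ok "$SECRET"
    install_files "${NETSCALER_IP:?set NETSCALER_IP}" "$SECRET"
    echo "Shared secret for the NetScaler 'Secret Key' field: $SECRET"
    probe_ldap "${LDAP_URL:?}" "${LDAP_BIND_DN:?}" "${LDAP_BIND_PW:?}" \
        "${LDAP_BASE_DN:?}" "${TEST_USER:?}"
    smoke_test "${TEST_USER:?}" "${TEST_PASSWORD:?}" "${LOCALHOST_SECRET:-testing123}"
fi
```

Run it once with the environment variables set and the `apply` argument; the printed secret is the value to enter in the NetScaler Secret Key field in the next section. The functions can also be sourced and called individually, for example to re-run probe_ldap after changing the filter.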
    
Setup NetScaler
Add RADIUS Server

Login to the NetScaler and navigate to NetScaler Gateway > Policies > Authentication > RADIUS > Servers

  1. Add a new Server by selecting "Add".
  2. In the Name parameter give the server a memorable name.
  3. Select Server Name if you want to configure the RADIUS connection using DNS or Server IP if you prefer to configure the connection using IP Address.
  4. Type in the Secret Key (the secret you set in the client netscaler section of raddb/clients.conf during the FreeRADIUS configuration).
  5. Re-enter the Secret Key.
  6. Set the timeout to, at least, 60 seconds; the default is 3 seconds which will not give you enough time to unlock your mobile application and authorize the request.
  7. Select Test Connection.
  8. A message similar to the following confirms the connection:
     Server ‘RADIUS IP Address’ is reachable.
     Port ‘1812/udp’ is open.
     ‘RADIUS IP address’
     RADIUS client and RADIUS authentication port are properly configured.
      
Configure Unified Gateway
  1. Navigate to Unified Gateway > Create New Gateway or Unified Gateway > Get Started

  2. Select Continue, then enter a memorable name in the Name section and fill in the public Unified Gateway IP Address field with an IP address that is not already in use.
  3. Select either Use existing certificate or Install Certificate and Continue.
  4. In the Authentication section select RADIUS and select Use existing server to use the RADIUS server you added under Add RADIUS Server above. Select Continue.
  5. Select a portal theme and select Continue.
  6. Close the Unified Gateway configuration page.
Test NetScaler Login
  1. In a separate browser window, open the newly configured IP - for example https://mynewgateway
  2. Login using a valid Active Directory username and password; the login sequence will pause.
  3. A notification requesting authorization will appear on your mobile device; once you approve the request, the Citrix NetScaler webpage will be redirected to your enterprise resources.
Support

If you require assistance, please email us at support@acceptto.com