With the native OTP solution in NetScaler, the default is that users can add and delete devices whenever they like.
From a security perspective this is not always ideal: if the username and password are compromised, an unauthorized person could log in to the management page, register an additional device and then use it at the login page.
One option is to add an IP check on the management page, which works well for users who come into the office. Another is to let the user register device(s) only once; any later change to the allowed OTP devices then requires an administrator to clear the attribute in AD.
In the example below, the attribute used for storing the allowed OTP devices is “userParameters”.
Update the ldapAction:
set authentication ldapAction <name> -Attribute1 userParameters
This extracts the contents of userParameters and saves it in attribute1.
Create an authentication policy that makes use of it:
add authentication Policy AUTHPOL_check_otp_is_set -rule "AAA.USER.ATTRIBUTE(1).LENGTH.GE(4)" -action NO_AUTHN
There may be a more precise way of checking whether the attribute contains something of value, but this works.
Now bind the policy and point its nextFactor at a policy label that displays an error the user can understand:
bind authentication policylabel AUTHPOLLABEL_int_verify_otp -policyName AUTHPOL_check_otp_is_set -priority 80 -gotoPriorityExpression NEXT -nextFactor AUTHPOLLABEL_OTP_is_set
That policy label contains no policy bindings; it just displays a message to the user that explains the situation.
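As an added illustration (not configuration from this post or from Citrix), here is a small Python model of the decision the bound policies make on the /manageotp path: it compares the LENGTH.GE(4) rule above with the CONTAINS("#@") variant suggested in the comments, on constructed userParameters values, so the false positive on unrelated attribute data becomes visible. The lower-priority manage policy, its label name and the sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

def enrolled_by_length(attr1: str) -> bool:
    """Mirrors the post's rule AAA.USER.ATTRIBUTE(1).LENGTH.GE(4)."""
    return len(attr1) >= 4

def enrolled_by_marker(attr1: str) -> bool:
    """Mirrors the commenter's CONTAINS("#@") test (used there in .NOT form). Newer
    firmware stores the value encrypted, so the marker may then be absent."""
    return "#@" in attr1

@dataclass(frozen=True)
class Policy:
    priority: int
    name: str
    rule: Callable[[dict], bool]
    action: str
    next_factor: str

def manage_otp_label(enrolled: Callable[[str], bool]) -> list[Policy]:
    """Label hit on /manageotp: the post's gate at priority 80, then the existing
    manage-OTP LDAP policy (its name and priority are assumptions)."""
    policies = [
        Policy(80, "AUTHPOL_check_otp_is_set", lambda r: enrolled(r["attribute1"]),
               "NO_AUTHN", "AUTHPOLLABEL_OTP_is_set"),
        Policy(100, "AUTHPOL_manage_otp", lambda r: True,
               "LDAP_manage_otp", "AUTHPOLLABEL_manage_otp"),
    ]
    return sorted(policies, key=lambda p: p.priority)

def evaluate(label: list[Policy], request: dict) -> tuple[str, str]:
    """With gotoPriorityExpression NEXT a policy whose rule is false is skipped;
    the first true rule decides the action and the next factor."""
    for pol in label:
        if pol.rule(request):
            return pol.action, pol.next_factor
    raise RuntimeError("no policy matched")

# Constructed userParameters samples; the "#@name=secret&" shape follows the comments' marker.
SAMPLES = {
    "never_enrolled": "",
    "one_device": "#@phone=JBSWY3DPEHPK3PXP&,",
    "unrelated_data": "1234",  # attribute reused for non-OTP data
}

def route_all(enrolled: Callable[[str], bool]) -> dict[str, str]:
    label = manage_otp_label(enrolled)
    return {k: evaluate(label, {"attribute1": v})[1] for k, v in SAMPLES.items()}
```

With the length rule the "unrelated_data" user is sent to the "OTP is set" message even though no device is enrolled; the marker rule routes that user to the manage factor instead.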
Hi, I have followed the article from Carl Stalhood (https://www.carlstalhood.com/netscaler-gateway-12-native-one-time-passwords-otp/#comments) and I would like to add your solution to protect /manageotp if the user has already enrolled 1 device.
I have created the ldapAction and the auth policy check, and I don’t understand where I need to add the authentication policy label?
Could you help me please, it’s really my final perfect solution.
I followed Carl’s guide:
https://www.carlstalhood.com/nfactor-authentication-for-netscaler-gateway-12/
I got this working by binding the “OTP_Check Authentication Policy” AAA.USER.ATTRIBUTE(1).LENGTH.GE(4) – (NOAUTHN) to the existing Authentication Policy Label at a higher precedence (lower number):
100 – adv_auth_pol_LDAP_OTP_Check – AAA.USER.ATTRIBUTE(1).LENGTH.GE(4) – NOAUTHN – NEXT
110 – adv_auth_pol_LDAP_OTP_Manage – HTTP.REQ.COOKIE.VALUE(“NSC_TASS”).EQ(“manageotp”) – LDAPS – NEXT
120 – adv_auth_pol_LDAP_OTP_Verify – true – LDAPS_Verify – NEXT
I was able to get a more consistent experience by creating 2 additional Authentication Policy Labels that included the respective LDAP auth policies for Mgmt and Verify. I then created 2 additional NO_AUTHN policies, one for Mgmt and one for Verify. I then modified the first Authentication Policy Label to use the NO_AUTHN policies with a Next Factor of the additional Authentication Policy Labels created that contain the LDAP auth policies.
I also updated the expression that queries the user attribute to AAA.USER.ATTRIBUTE(1).CONTAINS(“#@”).NOT
Great article. Another way to get it done can be found at http://era1987.blogspot.com/2020/04/native-one-time-passwords-otp-citrix.html?m=1
Wow, I thought there was some magic hidden in that string; it’s really just random chars? Great 🙂 Remember that it is encrypted in newer versions.
Which LDAP action do I need to set Attribute1 on, as there are 2 LDAP actions created?
1. Auth enabled
2. Manage OTP
3. Verify OTP
The one that “pulls” data from the user initially, in other words the first LDAP action.