in AppExpert, Customization, NetScaler, Unified Gateway

n-Factor – restrictions on native OTP management

With the native OTP solution in NetScaler, the default setting is that users can add/delete devices in whatever pace that they feel like.

However, seen from a security perspective this is not always ideal, so if the username / password is compromised, a unauthorized person could login to the management and add an additional device to use during the login page.

One way would be to add an ip check on the management page, this is good for users that come into the office, another way would simply only to allow the user to add a device(s) once and all future reconfiguration of OTP allowed devices would require an administrator to clear the attribute in AD.

In the example below, the attribute used for storing the allowed otp devices is “userParameters”

Update the ldapAction:

Set ldapAction <name> -Attribute1 userParameters

This will extract the contents of userParameters and save it in attribute1

Create a Auth policy that takes use of this

add authentication Policy AUTHPOL_check_otp_is_set -rule “AAA.USER.ATTRIBUTE(1).LENGTH.GE(4)” -action NO_AUTHN

There might be a more delicate way of checking if the attribute is containing something of value, but this works.

Now bind the policy and point to a nextFactor that displays an error the user can understand.

bind authentication policylabel AUTHPOLLABEL_int_verify_otp -policyName AUTHPOL_check_otp_is_set -priority 80 -gotoPriorityExpression NEXT -nextFactor AUTHPOLLABEL_OTP_is_set

The policy label does not contain any policy bindings, it will just display an message to the user that explains the situation.

What do you think?



  • Detailed Change Log – Carl Stalhood

    […] Citrix ADC Native OTP – Login Schemas – added link to Morten Kallesoee n-Factor – restrictions on native OTP management […]

  • Native One Time Passwords (OTP) – NetScaler Gateway 12 / Citrix Gateway 12.1 – Carl Stalhood

    […] 2019 Feb 4 – Login Schemas – added link to Morten Kallesoee n-Factor – restrictions on native OTP management […]