n-Factor – restrictions on native OTP management

With native OTP in NetScaler, the default setting is that users can add and delete devices whenever they like.

From a security perspective this is not always ideal: if the username and password are compromised, an unauthorized person could log in to the OTP management page and register an additional device, which they could then use on the login page.

One option is to add an IP check on the management page, which works well for users who come into the office. Another is to only allow the user to add devices once; any later change to the allowed OTP devices then requires an administrator to clear the attribute in AD.

In the example below, the attribute used for storing the allowed OTP devices is userParameters.

Update the ldapAction:

set authentication ldapAction <name> -Attribute1 userParameters

This extracts the contents of userParameters and saves it as attribute 1.

Create an authentication policy that uses it:

add authentication Policy AUTHPOL_check_otp_is_set -rule "AAA.USER.ATTRIBUTE(1).LENGTH.GE(4)" -action NO_AUTHN

There might be a more elegant way of checking whether the attribute contains something of value, but this works.

Now bind the policy and point its nextFactor at a label that displays an error the user can understand:

bind authentication policylabel AUTHPOLLABEL_int_verify_otp -policyName AUTHPOL_check_otp_is_set -priority 80 -gotoPriorityExpression NEXT -nextFactor AUTHPOLLABEL_OTP_is_set

The policy label does not contain any policy bindings; it just displays a message to the user that explains the situation.
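As an added example (not from the post and not NetScaler's own tooling), a small Python linter that reads an ns.conf excerpt and checks that the pieces above are wired up: userParameters exported as Attribute1, the NO_AUTHN check policy bound first on the management label with a nextFactor, and that nextFactor label defined and carrying no bindings. The ldapAction name LDAP_corp, the enrolment policy AUTHPOL_otp_manage and the loginSchema name are assumed.

```python
import re
import shlex
from collections import defaultdict
# Constructed ns.conf excerpt built from the post's commands (sample input, not a real dump);
# LDAP_corp, AUTHPOL_otp_manage and LSCHEMA_otp_already_set are names assumed for the example.
SAMPLE_NSCONF = """
set authentication ldapAction LDAP_corp -Attribute1 userParameters
add authentication Policy AUTHPOL_check_otp_is_set -rule "AAA.USER.ATTRIBUTE(1).LENGTH.GE(4)" -action NO_AUTHN
add authentication policylabel AUTHPOLLABEL_OTP_is_set -loginSchema LSCHEMA_otp_already_set
bind authentication policylabel AUTHPOLLABEL_int_verify_otp -policyName AUTHPOL_check_otp_is_set -priority 80 -gotoPriorityExpression NEXT -nextFactor AUTHPOLLABEL_OTP_is_set
bind authentication policylabel AUTHPOLLABEL_int_verify_otp -policyName AUTHPOL_otp_manage -priority 100 -gotoPriorityExpression NEXT
"""
RULE_RE = re.compile(r"AAA\.USER\.ATTRIBUTE\(1\)\.LENGTH\.GE\((\d+)\)")

def parse_nsconf(text):
    """Return (verb, object, name, options) per add/set/bind line; option keys are lower-cased."""
    cmds = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[0] not in ("add", "set", "bind"):
            continue
        opts, rest = {}, tok[4:]
        for i, t in enumerate(rest):
            if t.startswith("-"):  # "-opt value" or a bare "-flag"
                opts[t[1:].lower()] = rest[i + 1] if i + 1 < len(rest) and not rest[i + 1].startswith("-") else True
        cmds.append((tok[0], " ".join(tok[1:3]).lower(), tok[3], opts))
    return cmds

def check_otp_lockdown(text, mgmt_label="AUTHPOLLABEL_int_verify_otp"):
    """Return findings; an empty list means the lock-down is wired up as the post describes."""
    cmds, findings = parse_nsconf(text), []
    if not any(o == "authentication ldapaction" and str(p.get("attribute1", "")).lower() == "userparameters"
               for _, o, _, p in cmds):
        findings.append("no ldapAction exports userParameters as Attribute1")
    # NO_AUTHN policies whose rule is AAA.USER.ATTRIBUTE(1).LENGTH.GE(n), mapped to n
    checks = {n: int(m.group(1)) for v, o, n, p in cmds if v == "add" and o == "authentication policy"
              and p.get("action") == "NO_AUTHN" and (m := RULE_RE.search(str(p.get("rule", ""))))}
    if not checks:
        findings.append("no NO_AUTHN policy with rule AAA.USER.ATTRIBUTE(1).LENGTH.GE(n)")
    labels = {n for v, o, n, _ in cmds if v == "add" and o == "authentication policylabel"}
    bound = defaultdict(list)  # label -> [(priority, policyName, nextFactor)]
    for v, o, n, p in cmds:
        if v == "bind" and o == "authentication policylabel":
            bound[n].append((int(p.get("priority", 0)), p.get("policyname"), p.get("nextfactor")))
    first = sorted(bound.get(mgmt_label, []))[:1]  # lowest priority number is evaluated first
    if not first or first[0][1] not in checks:
        findings.append(f"the check policy is not evaluated first on {mgmt_label}")
    elif first[0][2] not in labels:
        findings.append("the check policy's nextFactor is missing or points to an undefined label")
    elif bound.get(first[0][2]):
        findings.append(f"{first[0][2]} should carry no policy bindings (error message only)")
    return findings
```

Run it against `show ns runningConfig` output on a test appliance; a non-empty list names the piece of the lock-down that is missing or bound in the wrong order.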

