
n-Factor – restrictions on native OTP management

With the native OTP solution in NetScaler, the default is that users can add and delete OTP devices whenever they like, at whatever pace they like.

From a security perspective this is not always ideal: if a username and password are compromised, an unauthorized person can log in to the OTP management page (manageotp) and register an additional device, which can then be used to satisfy the OTP factor at the login page.

One option is to add an IP check on the management page; this works well for users who enrol from inside the office. Another option, shown below, is to allow a user to add device(s) only once: any later change to the allowed OTP devices then requires an administrator to clear the attribute in AD.

In the example below, the attribute used for storing the allowed OTP devices is userParameters.

Update the ldapAction so that it also extracts this attribute:

set authentication ldapAction <name> -Attribute1 userParameters

This extracts the contents of userParameters during the LDAP lookup and makes it available to later factors as AAA.USER.ATTRIBUTE(1).

Create an authentication policy that uses this attribute:

add authentication Policy AUTHPOL_check_otp_is_set -rule "AAA.USER.ATTRIBUTE(1).LENGTH.GE(4)" -action NO_AUTHN

There may be a more precise way of checking whether the attribute actually holds a device record, but this works. Note that it treats any content in userParameters as a registered device, so if the attribute is populated for another reason (historically, Terminal Services user settings live there) the user will be blocked from enrolling.

Now bind the policy and point it to a nextFactor that displays an error the user can understand:

bind authentication policylabel AUTHPOLLABEL_int_verify_otp -policyName AUTHPOL_check_otp_is_set -priority 80 -gotoPriorityExpression NEXT -nextFactor AUTHPOLLABEL_OTP_is_set

The priority of 80 places the check ahead of the policy that performs the OTP management, so a user who already has a device never reaches it. The AUTHPOLLABEL_OTP_is_set policy label contains no policy bindings; its login schema just displays a message to the user that explains the situation.
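As an added illustration (this is my own example, not code from the post or from Citrix), the following Python model walks a request through the policy labels described above and compares the two candidate rules for "this user already has an OTP device": the LENGTH.GE(4) rule from the post and the CONTAINS("#@") rule one reader proposed. It starts after the password LDAP factor has filled AAA.USER.ATTRIBUTE(1) from userParameters, and it follows the reader's layout of selecting the management path by the NSC_TASS cookie and routing it to its own label, where the check is bound at priority 80. The label and policy names other than AUTHPOL_check_otp_is_set and AUTHPOLLABEL_OTP_is_set are hypothetical, the "#@" device-record marker is an assumption taken from that reader's expression, and all attribute values are constructed.

```python
"""Model of the nFactor routing for native OTP management (added example, not
NetScaler code). Assumes the LDAP password factor already populated
AAA.USER.ATTRIBUTE(1) from userParameters; label/policy names other than the
two from the post are hypothetical; the '#@' marker and attribute values are
constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    user: str
    attribute1: str          # AAA.USER.ATTRIBUTE(1): userParameters after the LDAP factor
    nsc_tass: str = ""       # NSC_TASS cookie, "manageotp" when the management page is used


@dataclass
class Policy:
    priority: int
    name: str
    rule: Callable[[Request], bool]
    action: str                  # "NO_AUTHN" or the name of an LDAP action
    next_factor: Optional[str]   # policy label to continue with; None completes authentication


def rule_length_ge_4(req: Request) -> bool:
    """AAA.USER.ATTRIBUTE(1).LENGTH.GE(4) from the post: any 4+ characters count."""
    return len(req.attribute1) >= 4


def rule_contains_marker(req: Request) -> bool:
    """AAA.USER.ATTRIBUTE(1).CONTAINS("#@") from the comment: only OTP records count."""
    return "#@" in req.attribute1


def build_labels(otp_set_rule: Callable[[Request], bool]) -> Dict[str, List[Policy]]:
    """Policy labels with their bindings in priority order (hypothetical names)."""
    labels = {
        "AUTHPOLLABEL_route": [          # split management traffic from normal logins
            Policy(100, "AUTHPOL_is_manageotp", lambda r: r.nsc_tass == "manageotp",
                   "NO_AUTHN", "AUTHPOLLABEL_manage_otp"),
            Policy(110, "AUTHPOL_is_login", lambda r: True,
                   "NO_AUTHN", "AUTHPOLLABEL_verify_otp"),
        ],
        "AUTHPOLLABEL_manage_otp": [     # the check sits in front of the enrolment policy
            Policy(80, "AUTHPOL_check_otp_is_set", otp_set_rule,
                   "NO_AUTHN", "AUTHPOLLABEL_OTP_is_set"),
            Policy(100, "AUTHPOL_manage_otp", lambda r: True, "LDAP_manage_otp", None),
        ],
        "AUTHPOLLABEL_verify_otp": [
            Policy(100, "AUTHPOL_verify_otp", lambda r: True, "LDAP_verify_otp", None),
        ],
        "AUTHPOLLABEL_OTP_is_set": [],   # message-only label: no policies, flow stops here
    }
    for bindings in labels.values():
        bindings.sort(key=lambda p: p.priority)
    return labels


def evaluate(labels: Dict[str, List[Policy]], req: Request,
             start: str = "AUTHPOLLABEL_route") -> List[str]:
    """Walk the factors from `start`; in each label the first policy whose rule is
    true decides the next factor. Returns visited labels and policies, ending in
    AUTHENTICATED or DENIED."""
    path, label = [start], start
    while True:
        hit = next((p for p in labels[label] if p.rule(req)), None)
        if hit is None:                  # empty label or no matching rule: the user is stuck
            path.append("DENIED")
            return path
        path.append(hit.name)
        if hit.next_factor is None:
            path.append("AUTHENTICATED")
            return path
        label = hit.next_factor
        path.append(label)


def outcome(rule: Callable[[Request], bool], attribute1: str, manage: bool) -> str:
    """'refused' (hit the OTP_is_set message), 'manage'/'verify' (reached that
    LDAP factor) or 'denied'."""
    req = Request("someone", attribute1, "manageotp" if manage else "")
    path = evaluate(build_labels(rule), req)
    if "AUTHPOLLABEL_OTP_is_set" in path:
        return "refused"
    if path[-1] != "AUTHENTICATED":
        return "denied"
    return {"AUTHPOL_manage_otp": "manage", "AUTHPOL_verify_otp": "verify"}[path[-2]]


# Constructed userParameters values (not real directory data).
ENROLLED = "#@phone=JBSWY3DPEHPK3PXP&,#@"   # one native-OTP device, assumed record format
NEVER_ENROLLED = ""
TS_ONLY = "P\x10CtxCfgPresent"              # Terminal Services settings, no OTP device

if __name__ == "__main__":
    for rule_name, rule in (("LENGTH.GE(4)", rule_length_ge_4),
                            ("CONTAINS(\"#@\")", rule_contains_marker)):
        for who, value in (("enrolled", ENROLLED), ("new", NEVER_ENROLLED), ("ts_only", TS_ONLY)):
            print(f"{rule_name:16} {who:9} manageotp -> {outcome(rule, value, True):8}"
                  f"  login -> {outcome(rule, value, False)}")
```

Running it shows the point of the priority-80 binding: with either rule an attacker holding only a stolen password is sent to the message label when trying to enrol a device for an already-enrolled user, while that user's normal login still reaches the verify factor. It also shows the difference between the rules: LENGTH.GE(4) refuses enrolment to a user whose userParameters holds unrelated content, whereas CONTAINS("#@") lets that user enrol.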

What do you think?


    • I followed Carl’s guide:

      I got this working by binding the "OTP_Check Authentication Policy" AAA.USER.ATTRIBUTE(1).LENGTH.GE(4) – (NOAUTHN) to the existing Authentication Policy Label at a higher precedence (lower number):

      100 – adv_auth_pol_LDAP_OTP_Check – AAA.USER.ATTRIBUTE(1).LENGTH.GE(4) – NOAUTHN – NEXT

      110 – adv_auth_pol_LDAP_OTP_Manage – HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") – LDAPS – NEXT

      120 – adv_auth_pol_LDAP_OTP_Verify – true – LDAPS_Verify – NEXT

      • I was able to get a more consistent experience by creating 2 additional Authentication Policy Labels that included the respective LDAP auth policies for Mgmt and Verify. I then created 2 additional NO_AUTHN policies, one for Mgmt and one for Verify. I then modified the first Authentication Policy Label to use the NO_AUTHN policies with a Next Factor of the additional Authentication Policy Labels created that contain the LDAP auth policies.
        I also updated the expression that queries the user attribute to AAA.USER.ATTRIBUTE(1).CONTAINS("#@").NOT

    • Wow, I thought there was some magic hidden in that string, it's really just random chars? Great 🙂 Remember that it is encrypted in newer versions.

  • Which LDAP action do I need to set Attribute1 on, as there are 2 LDAP actions created?
    1. Auth enabled
    2. Manage OTP
    3. Verify OTP


  • Detailed Change Log – Carl Stalhood June 22, 2020

    […] Citrix ADC Native OTP – Login Schemas – added link to Morten Kallesoee n-Factor – restrictions on native OTP management […]

  • Native One Time Passwords (OTP) – NetScaler Gateway 12 / Citrix Gateway 12.1 – Carl Stalhood June 22, 2020

    […] 2019 Feb 4 – Login Schemas – added link to Morten Kallesoee n-Factor – restrictions on native OTP management […]