DIGIPASS Authentication for Citrix NetScaler (with AGEE) - Vasco
INTEGRATION GUIDE
DIGIPASS Authentication for Citrix NetScaler (with AGEE)
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
1 DIGIPASS Authentication for NetScaler (with CAG)
All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.
Copyright
Copyright © 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.
Table of Contents
Reference guide ..... 4
1 Overview ..... 5
2 Technical Concepts ..... 6
2.1 Citrix ..... 6
2.1.1 NetScaler ..... 6
2.1.2 Access Gateway Enterprise Edition ..... 6
2.1.3 Web Interface ..... 6
2.2 VASCO ..... 6
2.2.1 IDENTIKEY Authentication Server ..... 6
3 Citrix setup ..... 7
3.1 Architecture ..... 7
3.2 Prerequisites ..... 7
3.3 Citrix ..... 7
3.3.1 Access Gateway ..... 7
3.3.1.1 Policies ..... 7
3.3.1.2 Virtual Servers ..... 11
3.3.1.3 Groups ..... 12
3.4 Test the setup ..... 14
4 Citrix Receiver on mobile ..... 15
4.1 Architecture ..... 15
4.2 Prerequisites ..... 15
4.3 Citrix ..... 15
4.3.1 Access Gateway ..... 15
4.3.1.1 Policies ..... 15
4.3.1.2 Virtual Servers ..... 18
4.4 Test ..... 19
5 Solution ..... 22
5.1 Architecture ..... 22
5.2 Citrix ..... 22
5.2.1 Access Gateway ..... 22
5.2.1.1 Policies ..... 22
5.2.1.2 Virtual Servers ..... 25
5.3 IDENTIKEY Authentication Server ..... 26
5.3.1 Policies ..... 27
5.3.2 Client ..... 28
5.3.3 User ..... 29
5.3.4 DIGIPASS ..... 29
5.4 Test the Solution ..... 31
5.4.1 With the browser ..... 31
5.4.2 With Citrix Receiver ..... 31
6 FAQ ..... 34
7 Appendix ..... 34
Reference guide
ID Title Author Publisher Date ISBN
1 Overview
This whitepaper describes how to configure a Citrix NetScaler with Citrix Access Gateway Enterprise Edition (AGEE) in combination with the VASCO IDENTIKEY Authentication Server. That way an extra security layer can be added to the SSL VPN solution the Citrix AGEE provides.
Figure: overview of the components (NetScaler, Authentication Servers, XenApp, XenDesktop).
2 Technical Concepts
2.1 Citrix
2.1.1 NetScaler
Citrix NetScaler makes apps and cloud-based services run five times better by offloading application and database servers, accelerating application and service performance, and integrating security. Deployed in front of web and database servers, NetScaler combines high-speed load balancing and content switching, data compression, content caching, SSL acceleration, network optimization, application visibility and application security on a single, comprehensive platform.
2.1.2 Access Gateway Enterprise Edition
Citrix Access Gateway Enterprise Edition (AGEE) is a secure application access solution that provides administrators granular application-level control while empowering users with remote access from anywhere. It gives IT administrators a single point to manage access control and limit actions within sessions based on both user identity and the endpoint device, providing better application security, data protection, and compliance management.
2.1.3 Web Interface
The Citrix Web Interface provides users with access to XenApp applications and content and XenDesktop virtual desktops. Users access their resources through a standard Web browser or through the Citrix online plug-in.
2.2 VASCO
2.2.1 IDENTIKEY Authentication Server
IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments.
IDENTIKEY Authentication Server is supported on 32-bit systems as well as on 64-bit systems.
3 Citrix setup
Before adding two-factor authentication it is important to validate a standard configuration without One Time Password (OTP).
3.1 Architecture
Figure: lab architecture for the standard (LDAP-only) setup
• Virtual server: IP 10.4.0.204
• NetScaler with Access Gateway Enterprise Edition: IP 10.4.0.206, Domain: labs.vasco.com (LABS)
• Authentication Servers, LDAP: IP 10.4.0.10
• Citrix Web Interface: IP 10.4.0.201
• XenApp / XenDesktop: IP 10.4.0.202
When a user connects through the Citrix AGEE, the user will be asked to authenticate. The authentication will be performed using Active Directory via LDAP. If the authentication is successful, the user is logged in on the Citrix Web Interface, where he can access the XenApp and XenDesktop nodes.
3.2 Prerequisites
A Citrix installation has many components that can and need to be configured. For this white paper we are going to concentrate on the NetScaler and Citrix AGEE.
In order for this set-up to work, a Citrix Web Interface needs to be created:
http://10.4.0.202/Citrix/XenAppCAG
3.3 Citrix
Log in to the NetScaler by browsing to 10.4.0.206
3.3.1 Access Gateway
3.3.1.1 Policies
Policies are used to define the components that will be used to create a virtual server.
3.3.1.1.1 Authentication Server
An authentication policy will be created to enable LDAP/Active Directory authentication.
Open the Authentication tree item
Select the Servers Tab
Click Add…
• Name: authsrv_ad
• Authentication Type: LDAP
• IP Address: 10.4.0.10
• Port: 389
• Time-out (seconds): 3
• Base DN: DC=labs,DC=vasco,DC=com
• Administrator Bind DN: CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com
• Administrator Password: password of the administrator user
• Server Logon Name Attribute: samAccountName
• Group Attribute: memberOf
• Sub Attribute Name: CN
• Secure Type: PLAINTEXT
• Check Authentication
• Check User Required
Click Create
3.3.1.1.2 Authentication Policy
Select the Policies tab
Click Add…
• Name: auth_ad
• Authentication Type: LDAP
• Server: authsrv_ad
• Named Expression: General True Value
• Click Add Expression
Click Create
3.3.1.1.3 Session Profiles
Open the Session tree item
Select the Profiles Tab
Click Add…
• Name: profile_publishedapps
Go to Client Experience
• Check Single Sign-on to Web Applications
Go to Published Applications tab
• ICA Proxy: ON
• Web Interface Address: http://10.4.0.202/Citrix/XenAppCAG/
• Web Interface Portal Mode: NORMAL
• Single Sign-on Domain: LABS
Click Create
3.3.1.1.4 Session Policy
Select the Policies Tab
Click Add…
• Name: sess_icaproxy_nonmobile
• Request Profile: profile_publishedapps
• Named Expression: General True Value
Click Add Expression
Click Create
ns_true is the general expression behind "General True Value"; it matches every request.
3.3.1.2 Virtual Servers
Select the Virtual Servers tree item
Click Add…
• Name: citrix2-labs-vasco-com-AGEEauth
• IP Address: 10.4.0.204
• Port: 443
• Max Users: 0
• Select SmartAccess Mode
• Check Enable Virtual Server
The chosen IP Address needs to be a free IP Address in the subnet.
Select Certificates tab
• Select the Server certificate
Click Add>
If the server certificate is not in the Certificates list, click Install… and add the needed server certificate.
Select the Authentication tab
• Check Enable Authentication
• Click Insert Policy
• Select auth_ad
Select the Policies tab
• Select Session
Click Insert Policy
• Select sess_icaproxy_nonmobile
Click OK
3.3.1.3 Groups
Groups are used to apply authorization and session policies, create bookmarks and specify applications.
User groups are created locally on the Citrix NetScaler. When an external authentication method is used, like Active Directory, the user group from the external authentication will be mapped to the local group on the Citrix NetScaler.
For example: on the Citrix NetScaler a group "Citrix" is created, and Active Directory is used as the external authentication method. Then a group with the name "Citrix" needs to be created in Active Directory, and the user that wants to be authenticated needs to be a member of that "Citrix" group in Active Directory.
Click Add…
Go to tab Authorization
• Group Name: Citrix
Click Insert Policy
• Select New Policy…
• Name: VascoAllow
• Action: ALLOW
• Named Expressions: General True value
Click Add Expression
Click Create
Click Create
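The GUI steps of section 3 correspond to a handful of NetScaler CLI commands. The block below is an added example written by the editor, not VASCO's or Citrix's own script: it restates the settings above (names, IPs, DNs, URLs) as CLI. Flag names are given as the editor knows them from the classic NetScaler CLI and should be verified against the deployed release; the binding priority of 100, the certificate key name and the bind password are assumptions or placeholders.

```nscli
# Added example (editor's rendering of section 3, not VASCO's or Citrix's script).
# Values are the ones used in this guide; <placeholders> must be replaced.

# 3.3.1.1.1 Authentication Server: LDAP against Active Directory
add authentication ldapAction authsrv_ad -serverIP 10.4.0.10 -serverPort 389 -authTimeout 3 -ldapBase "DC=labs,DC=vasco,DC=com" -ldapBindDn "CN=citrix_admin,CN=Users,DC=labs,DC=vasco,DC=com" -ldapBindDnPassword "<password-of-citrix_admin>" -ldapLoginName samAccountName -groupAttrName memberOf -subAttributeName CN -secType PLAINTEXT -authentication ENABLED

# 3.3.1.1.2 Authentication Policy: ns_true matches every request
add authentication ldapPolicy auth_ad ns_true authsrv_ad

# 3.3.1.1.3 / 3.3.1.1.4 Session profile and policy (ICA proxy to the XenAppCAG site)
add vpn sessionAction profile_publishedapps -SSO ON -icaProxy ON -wihome "http://10.4.0.202/Citrix/XenAppCAG/" -wiPortalMode NORMAL -ntDomain LABS
add vpn sessionPolicy sess_icaproxy_nonmobile ns_true profile_publishedapps

# 3.3.1.2 Virtual Server on the free VIP; SmartAccess mode corresponds to icaOnly OFF
add vpn vserver citrix2-labs-vasco-com-AGEEauth SSL 10.4.0.204 443 -maxAAAUsers 0 -icaOnly OFF
set vpn vserver citrix2-labs-vasco-com-AGEEauth -authentication ON
bind ssl vserver citrix2-labs-vasco-com-AGEEauth -certkeyName <server-certificate-keypair>
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy auth_ad -priority 100
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy sess_icaproxy_nonmobile -priority 100

# 3.3.1.3 Local group "Citrix", mapped from the AD group of the same name via memberOf / CN
add aaa group Citrix
add authorization policy VascoAllow ns_true ALLOW
bind aaa group Citrix -policy VascoAllow -priority 100

# Read-only checks after the test in 3.4
show vpn vserver citrix2-labs-vasco-com-AGEEauth
show aaa session
```

The GUI's "User Required" checkbox has no line in the block; set it in the GUI as described above. Two points worth noting before this leaves the lab: `-secType PLAINTEXT` on port 389 sends the citrix_admin bind password and every user's AD password unencrypted between the NetScaler and the domain controller, so a production deployment should use `-secType SSL` (port 636) or `TLS`; and the `ns_true` rule on auth_ad makes the policy unconditional, which is exactly what section 5 later changes when the RADIUS factor is added.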
3.4 Test the setup
Open a browser and browse to https://10.4.0.204
• User name: Demo
• Static Password: Test12345
Click Log On
This user needs to be created in Active Directory and must be a member of the group Citrix.
4 Citrix Receiver on mobile
In order to use Citrix Receiver on a mobile device, the first setup (Citrix Setup) will be altered.
4.1 Architecture
Figure: lab architecture for mobile access
• NetScaler with Access Gateway Enterprise Edition: IP 10.4.0.206, Domain: labs.vasco.com (LABS)
• Authentication Servers, LDAP: IP 10.4.0.10
• Citrix Web Interface: IP 10.4.0.201
• XenApp / XenDesktop: IP 10.4.0.202
4.2 Prerequisites
Mobile devices connect to the Citrix environment by using a Service Site. The Service Site provides the information about the publication for mobile devices.
Create a Service Site on the Web Interface server:
http://10.4.0.202/Citrix/PNAgent
4.3 Citrix
4.3.1 Access Gateway
4.3.1.1 Policies
4.3.1.1.1 Session Profiles
Open the Session tree item
Select the Profiles Tab
Click Add…
• Name: profile_mobiledevices
Go to Client Experience tab
• Check Single Sign-on to Web Applications
Go to Published Applications tab
• ICA Proxy: ON
• Web Interface Address: http://10.4.0.202/Citrix/PNAgent/config.xml
• Web Interface Portal Mode: NORMAL
• Single Sign-on Domain: LABS
Click Create
4.3.1.1.2 Session Policies
Select the Policies Tab
Click Add…
• Name: sess_icaproxy_mobiledev
• Request Profile: profile_mobiledevices
Click Add…
A number of different expressions must be added for this policy. The following table provides a summary of the values.
For Citrix Receiver
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: HEADER
• Operator: CONTAINS
• Value: CitrixReceiver
• Header Name: User-Agent
• Length:
• Offset: 0
Click OK
For Citrix Receiver on iPad
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: HEADER
• Operator: CONTAINS
• Value: 'CitrixReceiver-iPad'
• Header Name: User-Agent
• Length:
• Offset: 0
Click OK
For CFNetwork
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: HEADER
• Operator: CONTAINS
• Value: CFNetwork
• Header Name: User-Agent
• Length:
• Offset: 0
Click OK
For Darwin
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: HEADER
• Operator: CONTAINS
• Value: Darwin
• Header Name: User-Agent
• Length:
• Offset: 0
Click OK
Click Create
CFNetwork and Darwin are two Apple components. CFNetwork is a networking component that runs on computers once Apple software is installed. Darwin is an open source operating system launched by Apple and is the base of Mac OS X.
4.3.1.2 Virtual Servers
Select the Virtual Servers tree item
Click citrix2-labs-vasco-com-AGEEauth and click Open…
Select the Policies tab
• Select Session
• Click Insert Policy
• Select sess_icaproxy_mobiledev
Click OK
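The mobile session profile, its four User-Agent expressions and the binding to the existing virtual server, as an added CLI example by the editor (not part of the guide and not Citrix's or VASCO's own configuration). Combining the four table rows into one OR-ed classic rule and the priority value 90 are the editor's assumptions; flag names follow the classic NetScaler CLI as the editor knows it and should be checked against the deployed release.

```nscli
# Added example (editor's rendering of section 4, not VASCO's or Citrix's script).

# 4.3.1.1.1 Session profile that points Receiver at the PNAgent service site
add vpn sessionAction profile_mobiledevices -SSO ON -icaProxy ON -wihome "http://10.4.0.202/Citrix/PNAgent/config.xml" -wiPortalMode NORMAL -ntDomain LABS

# 4.3.1.1.2 Session policy: the four table rows become one classic rule, OR-ed together.
# "REQ.HTTP.HEADER <name> CONTAINS <value>" is the CLI form of the GUI expression builder
# (Flow Type REQ, Protocol HTTP, Qualifier HEADER, Operator CONTAINS).
add vpn sessionPolicy sess_icaproxy_mobiledev "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver-iPad || REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork || REQ.HTTP.HEADER User-Agent CONTAINS Darwin" profile_mobiledevices

# 4.3.1.2 Bind next to sess_icaproxy_nonmobile. That policy uses ns_true and therefore also
# matches Receiver traffic; classic session policies resolve the conflict in favour of the
# lowest priority number, so the mobile policy needs the smaller number (90 is an assumption,
# the guide does not state the value).
bind vpn vserver citrix2-labs-vasco-com-AGEEauth -policy sess_icaproxy_mobiledev -priority 90

# Confirm both session policies and their priorities on the virtual server
show vpn vserver citrix2-labs-vasco-com-AGEEauth
```

The User-Agent header is chosen by the client, so this policy only selects which session profile (the PNAgent site or the XenAppCAG site) a connection receives; it is not an access decision. The authentication policies bound to the virtual server still apply to every request, whichever session policy matches.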
4.4 Test
To perform the test, Citrix Receiver needs to be installed on your device.
For BlackBerry: http://appworld.blackberry.com/webstore/content/10529?lang=en
For Android: https://market.android.com/details?id=com.citrix.Receiver&feature=search_result#?t=W251bGwsMSwxLDEsImNvbS5jaXRyaXguUmVjZWl2ZXIiXQ
Other platforms: http://www.citrix.com/English/ps2/products/product.asp?contentID=1689163
The screenshots below demonstrate Citrix Receiver on an Apple iPad.
Note: for this test the IP 10.4.0.204 is linked to an external host named citrix2.labs.vasco.com
Start the Receiver application
Select Add Account
• Address: citrix2.labs.vasco.com
• Click Next
• Description: Vasco Virtual Apps
• Username: Demo
• Password: Test12345
• Domain: Labs
• Security Token: Disabled
• Click Save
5 Solution
5.1 Architecture
Figure: lab architecture for the two-factor solution
• NetScaler with Access Gateway Enterprise Edition: IP 10.4.0.206, Domain: labs.vasco.com (LABS)
• Authentication Servers, LDAP: IP 10.4.0.10
• Authentication Servers, RADIUS (IDENTIKEY Authentication Server): IP 10.4.0.13
• Citrix Web Interface: IP 10.4.0.201
• XenApp / XenDesktop: IP 10.4.0.202
When implemented, the user will perform an authentication against two authentication servers: one being Active Directory, using LDAP, and one being IDENTIKEY Authentication Server, using RADIUS. This results in a login with two password fields.
5.2 Citrix
5.2.1 Access Gateway
5.2.1.1 Policies
5.2.1.1.1 Authentication Server
A RADIUS authentication server needs to be added. This RADIUS server will point to the IDENTIKEY Authentication Server.
Open the Authentication tree item
Select the Servers Tab
Click Add…
• Name: authsrv_vasco
• Authentication Type: RADIUS
• IP Address: 10.4.0.13
• Port: 1812
• Time-out (seconds): 3
• Secret Key: Test1234
• Confirm Secret Key: Test1234
• Password Encoding: pap
• Accounting: OFF
Click Create
5.2.1.1.2 Authentication Policy
Because the HTTP login behavior is different from the login over Citrix Receiver, we need to make multiple Authentication Policies.
Access method     1st                              2nd
HTTP              Active Directory                 IDENTIKEY Authentication Server
Citrix Receiver   IDENTIKEY Authentication Server  Active Directory
Select the Policies tab
Click Add…
Choose the configuration depending on your preferred access method. For each access method the list below gives the Authentication policy to be created and the expression to add by clicking the Add… button in the Authentication policy.
Radius for HTTP
• Name: auth_vasco
• Authentication Type: RADIUS
• Server: authsrv_vasco
• Remove ns_true from expression list
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: HEADER
• Operator: NOTCONTAINS
• Value: CitrixReceiver
• Header Name: User-Agent
• Length:
• Offset: 0
• Click OK
Radius for Citrix Receiver
• Name: auth_mobile_vasco
• Authentication Type: RADIUS
• Server: authsrv_vasco
• Remove ns_true from expression list
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: HEADER
• Operator: CONTAINS
• Value: CitrixReceiver
• Header Name: User-Agent
• Length:
• Offset: 0
• Click OK
LDAP for Citrix Receiver
• Name: auth_mobile_ad
• Authentication Type: LDAP
• Server: authsrv_ad
• Remove ns_true from expression list
• Expression Type: General
• Flow Type: REQ
• Protocol: HTTP
• Qualifier: HEADER
• Operator: CONTAINS
• Value: CitrixReceiver
• Header Name: User-Agent
• Length:
• Offset: 0
• Click OK
25 <strong>DIGIPASS</strong> <strong>Authentication</strong> <strong>for</strong> <strong>NetScaler</strong> (<strong>with</strong> CAG)<br />
<strong>DIGIPASS</strong> <strong>Authentication</strong> <strong>for</strong> <strong>NetScaler</strong> (<strong>with</strong> CAG)<br />
Now that the new <strong>Authentication</strong> Policies are created, the existing auth_ad policy needs to be updated so that it no longer matches every request but only non-Receiver clients:<br />
Select auth_ad<br />
Click Open…<br />
• Remove ns_true from expression list<br />
Click Add…<br />
• Expression Type: General<br />
• Flow Type: REQ<br />
• Protocol: HTTP<br />
• Qualifier: HEADER<br />
• Operator: NOTCONTAINS<br />
• Value: <strong>Citrix</strong>Receiver<br />
• Header Name: User-Agent<br />
• Length:<br />
• Offset: 0<br />
Click OK<br />
Click OK<br />
5.2.1.2 Virtual Servers<br />
Select the Virtual Servers tree item<br />
Select citrix2-labs-vasco-com-CAGuth and click Open…<br />
Select the <strong>Authentication</strong> tab (the Primary list is shown first)<br />
• Click Insert Policy<br />
• Select auth_mobile_vasco<br />
• Priority: 90<br />
Click Secondary<br />
• Click Insert Policy<br />
• Select auth_mobile_ad<br />
• Priority: 90<br />
• Click Insert Policy<br />
• Select auth_vasco<br />
• Priority: 10<br />
With these bindings a browser login is handled by auth_ad (LDAP) as primary and auth_vasco (RADIUS) as secondary, while a login from <strong>Citrix</strong> Receiver is handled by auth_mobile_vasco (RADIUS) as primary and auth_mobile_ad (LDAP) as secondary; the User-Agent expressions keep the two chains apart.<br />
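The steps of 5.2.1.1 and 5.2.1.2 entered at the <strong>NetScaler</strong> command line, as an added example that is not taken from the VASCO guide or from Citrix. It reuses the policy, server and virtual-server names the page shows; the IDENTIKEY server address 10.4.0.10, the RADIUS port and the timeout are assumptions to adjust, and the RADIUS key must equal the shared secret entered on the IDENTIKEY RADIUS client in section 5.3.2. The auth_ad primary binding from the initial setup is left as it is. Receiver gets the reverse order (RADIUS primary, LDAP secondary) because that is the order Citrix prescribes for mobile Receiver with two-factor authentication: the token is submitted in the first credential field and the domain password in the second.

```nscli
# Added example (not from the VASCO guide): classic-policy CLI equivalent
# of the GUI steps. 10.4.0.10, port 1812 and the timeout are assumed values.

# RADIUS action pointing at IDENTIKEY Authentication Server. The key must be
# identical to the shared secret on the IDENTIKEY RADIUS client (5.3.2);
# Test1234 is the lab value from this guide, not a production secret.
add authentication radiusAction authsrv_vasco -serverIP 10.4.0.10 -serverPort 1812 -radKey Test1234 -authTimeout 3

# Policies for Citrix Receiver (User-Agent contains "CitrixReceiver"):
# RADIUS (one-time password) is primary, LDAP (AD password) is secondary.
add authentication radiusPolicy auth_mobile_vasco "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" authsrv_vasco
add authentication ldapPolicy   auth_mobile_ad    "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" authsrv_ad

# Existing browser policies: replace ns_true so they match only non-Receiver
# clients, otherwise both chains would fire for a Receiver login.
set authentication ldapPolicy   auth_ad    -rule "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"
set authentication radiusPolicy auth_vasco -rule "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"

# Bind to the Access Gateway virtual server.
# Browser:  auth_ad (primary, already bound) + auth_vasco (secondary, prio 10)
# Receiver: auth_mobile_vasco (primary, prio 90) + auth_mobile_ad (secondary, prio 90)
bind vpn vserver citrix2-labs-vasco-com-CAGuth -policy auth_mobile_vasco -priority 90
bind vpn vserver citrix2-labs-vasco-com-CAGuth -policy auth_mobile_ad    -priority 90 -secondary
bind vpn vserver citrix2-labs-vasco-com-CAGuth -policy auth_vasco        -priority 10 -secondary

# Check the resulting cascade, then persist the configuration.
show vpn vserver citrix2-labs-vasco-com-CAGuth
show authentication radiusPolicy auth_mobile_vasco
save ns config
```

After the binds, log in once from a browser and once from Receiver and read /var/log/ns.log on the appliance to confirm which policy each client matched; a Receiver login that is evaluated by auth_ad means the User-Agent expression did not match. The "Vasco Password" label used in 5.4.1 is not set by these commands: on <strong>NetScaler</strong> releases of this generation the login-page strings live in /netscaler/ns_gui/vpn/resources/en.xml (string id Password2), edited from the appliance shell; that location comes from Citrix customization notes, not from this guide, so verify it on your release.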
5.3 IDENTIKEY <strong>Authentication</strong> Server<br />
IDENTIKEY <strong>Authentication</strong> Server can verify users against several back ends. We can authenticate<br />
<strong>with</strong>:<br />
• Local users (defined in IDENTIKEY <strong>Authentication</strong> Server)<br />
• Active Directory (Windows)
In this guide we will use Local users to authenticate.<br />
5.3.1 Policies<br />
The Policy defines the behaviour of the authentication. It answers the question: I have received<br />
a user name and a password, what happens now?<br />
• Create a new Policy<br />
• Policy ID : Test<br />
• Inherits From: Base Policy<br />
Inherits means: the new policy has the same behaviour as the policy it inherits from, except<br />
where a setting is explicitly overridden in the new policy.<br />
Example:<br />
Setting | Base Policy | New Policy | Behaviour<br />
1 | a | (not set) | New policy will do a<br />
2 | b | (not set) | New policy will do b<br />
3 | c | f | New policy will do f<br />
4 | d | (not set) | New policy will do d<br />
5 | e | g | New policy will do g<br />
The new policy is created, now we are going to edit it.<br />
• Click edit
• Local <strong>Authentication</strong> : Digipass/Password<br />
• Click Save<br />
5.3.2 Client<br />
In the clients we specify the locations from which IDENTIKEY <strong>Authentication</strong> Server will accept<br />
requests, and which protocol each client uses.<br />
We are going to add a new RADIUS client for the <strong>NetScaler</strong>.<br />
• Client Type : select Radius Client from “select from list”<br />
• Location : 10.4.0.206 (the source IP address from which the <strong>NetScaler</strong> sends its RADIUS requests)<br />
• Policy ID : Select the Policy that was created in Policies<br />
• Protocol ID: RADIUS<br />
• Shared Secret: Test1234 (must be identical to the RADIUS key configured on the <strong>NetScaler</strong>; use a long, unique secret outside a lab)<br />
• Confirm Shared Secret: reenter the shared secret<br />
• Click Save
5.3.3 User<br />
We are going to create a user.<br />
• User ID: Demo<br />
• Enter static password: Test12345<br />
The static password is used when no Digipass is assigned to the user.<br />
• Confirm static password: Test12345<br />
5.3.4 <strong>DIGIPASS</strong><br />
The purpose of using IDENTIKEY <strong>Authentication</strong> Server is to be able to log in using One Time<br />
Passwords (OTPs). To make OTP login possible we need to assign a <strong>DIGIPASS</strong> to the user. The<br />
Digipass is the device that generates the OTPs.<br />
• Open the user by clicking on its name<br />
• Select Assigned Digipass<br />
• Click ASSIGN<br />
• Click Next<br />
• Grace period: 0 Days<br />
The grace period is the period during which the user can still log in <strong>with</strong> the static password after<br />
a <strong>DIGIPASS</strong> has been assigned. The first time the user logs in <strong>with</strong> the <strong>DIGIPASS</strong>, the grace period expires. A value of 0 days means the OTP is required from the first login.<br />
• Click ASSIGN<br />
• Click Finish
5.4 Test the Solution<br />
5.4.1 With the browser<br />
Open the browser and browse to https://10.4.0.204 or https://citrix2.labs.vasco.com<br />
• User name: Demo<br />
• Static Password: Test12345<br />
• <strong>Vasco</strong> Password: a One Time Password generated by the user's Digipass<br />
<strong>Vasco</strong> Password is not the standard field label. It was renamed to make the difference<br />
between the Active Directory password and the <strong>Vasco</strong> One Time Password visible. This is done<br />
through the command line interface of the <strong>Citrix</strong> <strong>NetScaler</strong>.<br />
5.4.2 With <strong>Citrix</strong> Receiver<br />
This test is done on an Apple iPad.<br />
Start the <strong>Citrix</strong> Receiver application<br />
Select Add Account<br />
• Address: citrix2.labs.vasco.com<br />
• Click Next<br />
• Description: <strong>Vasco</strong> Virtual Apps<br />
• Username: Demo<br />
• Password: Test12345<br />
• Domain: Labs<br />
• Security Token: Enabled<br />
• Select Domain + Security Token<br />
• Click Save<br />
Token: a One Time Password generated by the user's Digipass
6 FAQ<br />
7 Appendix<br />