Mark Kroehler (posted February 1, 2016)

Was wondering if anyone has attempted to configure a two-factor authentication setup for the administration of the NetScaler, not for application traffic? I know that there is plenty of guidance on setting up MFA for NetScaler Gateway and access to applications, but I haven't found anything written to address MFA for the Administrative Console.

A client of mine is looking at setting up MFA for NetScalers being hosted in the cloud. Since the corporate standard for remote access to systems is MFA, they'd like to do the same for systems being managed in the cloud. Internally, they have a test implementation using a Content Switch, which has an Authentication Profile pointing to a RADIUS profile. The profile points to a load-balanced RADIUS server being authenticated against. Additionally, an LDAP policy is configured on the NetScaler. While it appears to work, the client says that it doesn't work consistently and doesn't work well when moving to another appliance (they have quite a few VPX instances).

Was wondering if anyone else had attempted something similar or can point to Citrix guidance on how to set up something like this? I haven't found anything.

Also, curious as to why this functionality isn't native to the platform, given that nsroot can't be deleted/replaced or disabled. You'd think protecting the platform would be just as important, if not more so, than protecting the apps...

Luc Schot1709152746 (posted February 5, 2016)

Hello Mark,

We haven't implemented this but I agree with you that it should be possible out of the box. We only use NetScaler Gateway and use a 3rd party firewall that only allows access from specific IP. In addition, the AD group that has access is also very limited. This should leave a smaller attack surface.

Toivo Voll (posted October 10, 2017)

This may well be a requirement coming down the pipe for us as well. Overall the admin console access on the NetScalers doesn't seem to be entirely up to expected feature levels.

Andrew Angelopoulos (posted April 11, 2018)

Just curious before I go down this road, is this possible in the end? For the management interface, or strictly for the gateway? (still on the latest 11 branch)

Thanks.

Andy Parker1709159674 (posted May 16, 2018)

It would be really useful to get Citrix confirmation that 2FA is not possible / supported on the management interface. I am also seeing this about to be mandated as a requirement for administration access. For example, a tech note would be suitable for referencing in any risk acceptance raised.

Andrew Angelopoulos (posted January 13, 2020)

You know something, I posted to this thread originally close to two years ago... the thread is 4 years old.. is it still not an option? Really? Especially after CVE-2019-19781 this is still not in there (not sure it would have helped any, but it does highlight the point that this is a security device and any kind of programming faux pas needs to be mitigated on all fronts)

Campbell Kay (posted September 10, 2020)

Anyone find an answer to this question?

CarlStalhood (posted September 11, 2020)

See https://www.carlstalhood.com/system-configuration-citrix-adc-13/#mgmttwofactor