NetScaler 11 - Two-Factor Authentication - Admin Console

[Mark Kroehler 2]

Was wondering if anyone has attempted to configure a two-factor authentication setup for the administration of the NetScaler, not for application traffic?

 

I know that there is plenty of guidance on setting up MFA for NetScaler Gateway and access to applications, but I haven't found anything written to address MFA for the Administrative Console.

 

A client of mine is looking at setting up MFA for NetScalers being hosted in the cloud. Since the corporate standard for remote access to systems is MFA, they'd like to do the same for systems being managed in the cloud.

 

Internally, they have a test implementation using a Content Switch, which has an Authentication Profile pointing to a RADIUS profile. The profile points to a load balanced RADIUS server being authenticated against. Additionally, an LDAP policy is configured on the NetScaler.

 

While it appears to work, the client says that it doesn't work consistently and doesn't work well when moving to another appliance (they have quite a few VPX instances). 

 

Was wondering if anyone else had attempted something similar or can point to Citrix guidance on how to setup something like this? I haven't found anything.

 

Also, curious as to why this functionality isn't native to the platform, given that nsroot can't be deleted/replaced or disabled. You'd think protecting the platform would be just as important, if not more so, than protecting the apps...

[Luc Schot1709152746]

Hello Mark,

 

We haven't implemented this but I agree with you that it should be possible out of the box. We only use NetScaler Gateway and use a 3rd party firewall that only allows access from specific IP. In addition, the AD group that has access is also very limited. This should leave a smaller attack surface.

[Toivo Voll]

This may well be a requirement coming down the pipe for us as well. Overall the admin console access on the Netscalers doesn't seem to be entirely up to expected feature levels.

[Andrew Angelopoulos]

Just curious before I go down this road, is this possible in the end? For the management interface, Or strictly for the gateway?  (still on the latest 11 branch)

 

Thanks.

'

 

[Andy Parker1709159674]

It would be really useful to get Citrix confirmation that 2FA is not possible / Supported on the management interface.  I am also seeing this about to be mandated as a requirement for administration access.   For example a tech note would be suitable for referencing in any risk acceptance raised. 

 

[Andrew Angelopoulos]

You know something, I posted to this thread originally close to two years ago... the thread is 4 years old.. is it still not an option? Really? Especially after CVE-2019-19781 this is still not in there (not sure it would have helped any, but it does highlight the point that this is a security device and any kind of programming faux pas needs to be mitigated on all fronts)

[Campbell Kay]

anyone find an answer to this question? 

[CarlStalhood]

See https://www.carlstalhood.com/system-configuration-citrix-adc-13/#mgmttwofactor