
Netscaler native OTP as preauthentication for gateway

Started by dsfgdsfg sadfgsdfg , 11 September 2017 - 01:05 PM
3 replies to this topic

dsfgdsfg sadfgsdfg (Members, 3 posts)

Posted 11 September 2017 - 01:05 PM

Hello,
I am trying to set up a NetScaler Gateway for my test lab and I want to try using the one-time password functionality of the NetScaler or, as an alternative, a RADIUS server as a preauthentication method. The problem is that I can't find any information on how I can accomplish this. So my questions are:

Is this even possible?

And if it is how can I do it?
I am still new to the NetScaler, so I am hoping someone can help me.

Thanks in advance for any answers.
Carl Stalhood (CTP Member, 12,283 posts)

Posted 11 September 2017 - 01:54 PM

See the authentication section at http://www.carlstalhood.com/netscaler-menu/netscaler-12/

dsfgdsfg sadfgsdfg (Members, 3 posts)

Posted 11 September 2017 - 05:05 PM

Thanks for the quick reply. I used your guide today to configure the native OTP functionality of the NetScaler. It was really helpful and easy to understand.
My current setup is LDAP and OTP as authentication methods. Now my goal is to use the OTP auth as a preauth policy, so that the user won't get a login page displayed without providing the OTP first. I could only find a preauth policy for a certificate authentication in your guide. I am sorry if I am missing something.

Paul Blitz (Members, 4,004 posts)

Posted 13 September 2017 - 04:23 PM

When you connect to NG, it first performs an EPA (EndPoint Analysis) pre-auth scan of the client device (this can be as simple as looking at the headers of the request, or as complicated as checking for AV etc. on a device). When THAT has passed, you will be prompted for login credentials: OTP is part of the login credentials.

So, pre-auth policies won't help with OTP. (You need SOME form of login page to be able to submit the OTP!)

The problem is that, to make OTP work, you need to know who / where the OTP is coming from... so I guess you could set things up to (1) ask for the user id; then (2) do the OTP, and finally (3) get the user password (assuming that you CAN have the OTP system work without needing the user's password).
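The ordered flow in the reply above, as an added model (not code from the thread or from NetScaler): an EPA result gates everything, the user id is collected first because the OTP seed is looked up per user, the RFC 6238 TOTP is then checked without the password, and the password comes last. The user directory and seed are constructed lab data; the seed is the RFC 6238 reference seed so the codes can be checked against the RFC's test vectors.

```python
import hashlib
import hmac
import struct

# Constructed lab directory (hypothetical user and seed, not from the thread).
USERS = {
    "alice": {"password": "correct-horse", "totp_seed": b"12345678901234567890"},
}


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): what the gateway compares the entered OTP against."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def login_flow(epa_passed: bool, user_id: str, otp: str, password: str, at_time: int) -> str:
    """Run the factors in the order the reply describes and report where the login stops."""
    # 1. EPA pre-auth scan: evaluated before any credential is shown or accepted.
    if not epa_passed:
        return "denied:epa"
    # 2. User id first: the OTP seed is stored per user, so an OTP cannot be
    #    verified before the gateway knows who is logging in.
    record = USERS.get(user_id)
    if record is None:
        # A real gateway should return the same generic failure as a bad OTP
        # to avoid confirming which user ids exist; kept distinct here for clarity.
        return "denied:unknown-user"
    # 3. OTP: needs only the user's seed, not the password.
    if not hmac.compare_digest(otp, totp(record["totp_seed"], at_time)):
        return "denied:otp"
    # 4. Password last.
    if not hmac.compare_digest(password.encode(), record["password"].encode()):
        return "denied:password"
    return "ok"
```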