Support SADIES, posted January 18, 2023

Hi everyone,

I have NetScaler 12.1.65 Standard edition and I want to configure 2FA with Duo.

I saw this guide: http://arnaudpain.com/2020/09/08/citrix-gateway-and-duo-step-by-step-guide/#sthash.FSIJDgRg.dpbs

But I don't understand some concepts:

- I want to use only LDAP, no RADIUS server. Do I need to configure the virtual server as "radius"?
- When I try to configure the expression, the system says that it is deprecated...

CarlStalhood, posted January 18, 2023

Duo is a RADIUS proxy server. You do LDAP as your first factor and then RADIUS for the Duo second factor. See https://duo.com/docs/citrix-netscaler-nfactor

Support SADIES (Author), posted January 19, 2023

Thanks, I checked, but I have ADC VPX NS12.1.65 with a Standard licence.

I have production user with simple authentication and I want to add 2FA.

I can't see AAA policies or any option to enable it.

I tried to configure it with https://duo.com/docs/citrix-netscaler#:~:text=Log in to the Duo,information to complete your setup.

But it does not work: same warning message "classic authentication policies are deprecated. Please use advanced authentication policies(i.e. add/set authentication policy)"

Do I need to configure Advanced Authentication here? Is it not possible to use Duo with my version of NetScaler?

CarlStalhood, posted January 19, 2023

On the right is Authentication Profile. Add it. Add a new Authentication Profile. It will ask you for an Authentication Virtual Server. Click Add to create one.

Support SADIES (Author), posted January 19, 2023

42 minutes ago, Carl Stalhood said:
> On the right is Authentication Profile. Add it. Add a new Authentication Profile. It will ask you for an Authentication Virtual Server. Click Add to create one.

I added authentication in the Authentication/Dashboard section and bound it to the vs.

For your authentication profile I have:

I don't know how to configure it...

I use this guide https://duo.com/docs/citrix-netscaler#configure-the-proxy-for-your-citrix-gateway and at login I get a prompt for Duo like this:

I can log in, but afterwards a pop-up and this message appear:

Is it something about the Content-Security-Policy header?

Thanks a lot for your help

CarlStalhood, posted January 20, 2023

Authentication Virtual Server should be Non-Addressable.

You should have a Gateway Session Policy/Profile that enables ICA Proxy and has the address of your StoreFront store. This is typical configuration for ICA Proxy.

Support SADIES (Author), posted January 20, 2023

12 hours ago, Carl Stalhood said:
> On the right is Authentication Profile. Add it. Add a new Authentication Profile. It will ask you for an Authentication Virtual Server. Click Add to create one.

When I try to add this Authentication Virtual Server I have this message:

Support SADIES (Author), posted January 20, 2023

4 hours ago, Carl Stalhood said:
> Authentication Virtual Server should be Non-Addressable. You should have a Gateway Session Policy/Profile that enables ICA Proxy and has the address of your StoreFront store. This is typical configuration for ICA Proxy.

OK, I created two new policies and typed 'NS_TRUE' in the authentication RADIUS policy.

In my StoreFront, do I need to change auth to Domain and security token?

Some updates. I can log in using Duo but I have this error:

Same error with another user not present in Duo. Maybe it's an error contacting LDAP?

If I try a username and a random password I have the normal error:

I have another Gateway virtual server in production (without Duo) and all works fine.

Support SADIES (Author), posted January 22, 2023 (edited January 23, 2023 by Support SADIES)

On 1/18/2023 at 8:29 PM, Carl Stalhood said:
> Duo is a RADIUS proxy server. You do LDAP as your first factor and then RADIUS for the Duo second factor. See https://duo.com/docs/citrix-netscaler-nfactor

Hello again!

I continue to search for a solution but for the moment nothing. I tested everything.

One question... Do I need to configure LDAP as primary and RADIUS as primary?

The Duo prompt appears but after confirming I have this error:

If I configure RADIUS as secondary I have 2 password boxes....

Maybe the configuration of the virtual server to check the Duo proxy is not correct?

I have these logs in NS:

send_accept: sending accept to kernel for : test.schmutz
RADIUS auth: In process_radius: Extracted groups = (null)
process_radius: extracted group string :(null)
process_radius: RADIUS auth: RADIUS authentication successful for user: test.schmutz from server 172.16.13.40
make_radius_request: RADIUS auth: Making radius request for user test.schmutz
make_radius_request: RADIUS auth: Making radius request for user test.schmutz
continue_radius_auth: RADIUS auth: Starting RADIUS authentication for user test.schmutz @ 172.16.13.40
process_kernel_socket: call to authenticate user :test.schmutz, vsid :11431, userlen 12
process_kernel_socket: ns_aaad_decrypt_auth not done

I appreciate any idea or help. Thanks a lot

EDIT: Maybe upgrading my ADC 12.1 to 13.1 can help?

ArnaudP1, posted January 24, 2023

On 1/19/2023 at 6:22 PM, Support SADIES said:
> I added authentication in the Authentication/Dashboard section and bound it to the vs. For your authentication profile I have: I don't know how to configure it... I use this guide https://duo.com/docs/citrix-netscaler#configure-the-proxy-for-your-citrix-gateway and at login I get a prompt for Duo like this: I can log in, but afterwards a pop-up and this message appear: Is it something about the Content-Security-Policy header? Thanks a lot for your help

The message above shows that you are trying to launch SSL-VPN. I think you created a Unified Gateway site instead of Citrix Gateway using the Wizard, no?

Thanks

Support SADIES (Author), posted January 24, 2023

1 hour ago, Arnaud Pain said:
> The message above shows that you are trying to launch SSL-VPN. I think you created a Unified Gateway site instead of Citrix Gateway using the Wizard, no? Thanks

Hello,

No. It's a normal Citrix Gateway virtual server.

I don't know why it tries to launch Java.

Stuck with this issue

ArnaudP1, posted January 24, 2023

22 minutes ago, Support SADIES said:
> Hello, No. It's a normal Citrix Gateway virtual server. I don't know why it tries to launch Java. Stuck with this issue

So in this case you need to check your session Profile configuration.

Support SADIES (Author), posted January 24, 2023

28 minutes ago, Arnaud Pain said:
> So in this case you need to check your session Profile configuration.

Yes, finally that works!!!! I deleted everything and reconfigured, and the Java message does not appear. RDWeb works fine!!

Now I can see in my Receiver that 2 password fields appear and I can't log in (incorrect password).

Do I need to modify and personalise some configuration?

ArnaudP1, posted January 24, 2023

4 minutes ago, Support SADIES said:
> Yes, finally that works!!!! I deleted everything and reconfigured, and the Java message does not appear. RDWeb works fine!! Now I can see in my Receiver that 2 password fields appear and I can't log in (incorrect password). Do I need to modify and personalise some configuration?

So here, you have 2 options:

1. Use nFactor to configure DUO and follow this article: https://duo.com/docs/citrix-netscaler-nfactor
2. Check the LDAP configuration; on LDAP-Receiver, you can uncheck authentication to hide Mode de passe 2, if I am correct.

Thanks for letting me know.

Arnaud

Support SADIES (Author), posted January 25, 2023

On 1/24/2023 at 7:56 PM, Arnaud Pain said:
> So here, you have 2 options: 1. Use nFactor to configure DUO and follow this article: https://duo.com/docs/citrix-netscaler-nfactor 2. Check the LDAP configuration; on LDAP-Receiver, you can uncheck authentication to hide Mode de passe 2, if I am correct. Thanks for letting me know. Arnaud

Hi!

Option 1: I can't do it, I don't have the right NS version 13.

Option 2: I have this conf:

Do I need to uncheck (in the Citrix Receiver policy) the field "Authentication"?

I tested default (checked) and unchecked, but password 2 is not hidden....

Arnaud Pain, CTP, posted January 25, 2023

5 minutes ago, Support SADIES said:
> Hi! Option 1: I can't do it, I don't have the right NS version 13. Option 2: I have this conf: Do I need to uncheck (in the Citrix Receiver policy) the field "Authentication"? I tested default (checked) and unchecked, but password 2 is not hidden....

You don't need Firmware 13.0, 12.1-51.16 or later is enough.

I would recommend you to follow DUO article with nFactor.

Support SADIES (Author), posted January 25, 2023

2 minutes ago, Arnaud Pain, CTP said:
> You don't need Firmware 13.0, 12.1-51.16 or later is enough. I would recommend you to follow DUO article with nFactor.

But I don't have AAA policies with the Standard licence.

But it's OK: with "authenticated" disabled in LDAP, the second password field is not visible.

Arnaud Pain, CTP, posted January 25, 2023

6 minutes ago, Support SADIES said:
> But I don't have AAA policies with the Standard licence. But it's OK: with "authenticated" disabled in LDAP, the second password field is not visible.

Perfect, but keep in mind that doing that may also have an impact: there will be no validation of the user's password, so if you enter a wrong password it may go through and you will receive "Cannot complete your request" afterwards; to be checked on your own.

Thanks

Arnaud

Support SADIES (Author), posted January 25, 2023

8 minutes ago, Arnaud Pain, CTP said:
> Perfect, but keep in mind that doing that may also have an impact: there will be no validation of the user's password, so if you enter a wrong password it may go through and you will receive "Cannot complete your request" afterwards; to be checked on your own. Thanks Arnaud

What... you're right... I tried with a wrong password and without any validation I can log in...

This is not a solution for doing 2FA if I can log in without a password.

I don't understand. To follow the DUO article with nFactor I need AAA and I don't have the licence....

Thanks Arnaud for your time. I appreciate it.

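The behaviour confirmed in the post above (an LDAP action with authentication unchecked no longer verifies the password) can be looked for in a saved configuration. This is an added example, not part of the thread and not Citrix or Duo code: a Python audit that lists every LDAP policy bound to a Gateway virtual server whose action carries -authentication DISABLED. The sample configuration, including all names and addresses, is constructed.

```python
import shlex

# Constructed sample in NetScaler CLI syntax; every name and address is made up.
SAMPLE_NS_CONF = """\
add authentication ldapAction LDAP-Web -serverIP 192.0.2.10 -ldapBase "dc=example,dc=test"
add authentication ldapAction LDAP-Receiver -serverIP 192.0.2.10 -authentication DISABLED
add authentication radiusAction Duo-Proxy -serverIP 192.0.2.20
add authentication ldapPolicy LDAP-Web-Pol "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" LDAP-Web
add authentication ldapPolicy LDAP-Receiver-Pol "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" LDAP-Receiver
add authentication radiusPolicy Duo-Pol ns_true Duo-Proxy
bind vpn vserver gw-duo -policy LDAP-Web-Pol -priority 100
bind vpn vserver gw-duo -policy LDAP-Receiver-Pol -priority 110 -secondary
bind vpn vserver gw-duo -policy Duo-Pol -priority 100
"""

def _options(tokens):
    """Map '-name value' pairs to a dict; a bare flag such as -secondary maps to ''."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
            opts[tok[1:].lower()] = "" if nxt.startswith("-") else nxt
    return opts

def find_unvalidated_ldap(conf_text):
    """List Gateway bindings whose LDAP action has -authentication DISABLED."""
    no_password_check, policy_action, bindings = set(), {}, []
    for line in conf_text.splitlines():
        t = shlex.split(line)
        head = [w.lower() for w in t[:3]]
        if head == ["add", "authentication", "ldapaction"] and len(t) > 3:
            if _options(t[4:]).get("authentication", "").upper() == "DISABLED":
                no_password_check.add(t[3])
        elif head == ["add", "authentication", "ldappolicy"] and len(t) >= 6:
            policy_action[t[3]] = t[5]  # tokens: name, rule, action
        elif head == ["bind", "vpn", "vserver"] and len(t) > 3:
            opts = _options(t[4:])
            if "policy" in opts:
                bindings.append((t[3], opts["policy"], "secondary" in opts))
    return [
        {"vserver": vs, "policy": pol, "action": policy_action[pol],
         "bank": "secondary" if secondary else "primary"}
        for vs, pol, secondary in bindings
        if policy_action.get(pol) in no_password_check
    ]

if __name__ == "__main__":
    for finding in find_unvalidated_ldap(SAMPLE_NS_CONF):
        print("password not verified by this factor:", finding)
```

A finding matters when no other factor bound to the same virtual server verifies the password, which is what the wrong-password test in the thread showed.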
ArnaudP1, posted January 25, 2023

39 minutes ago, Support SADIES said:
> What... you're right... I tried with a wrong password and without any validation I can log in... This is not a solution for doing 2FA if I can log in without a password. I don't understand. To follow the DUO article with nFactor I need AAA and I don't have the licence.... Thanks Arnaud for your time. I appreciate it.

In this case I would recommend updating the firmware. Starting from release 13.0 build 67.x, nFactor authentication is supported with the Standard license.

So upgrade the firmware and then follow the DUO documentation.

Thanks

Arnaud

Support SADIES (Author), posted January 26, 2023

10 hours ago, Arnaud Pain said:
> In this case I would recommend updating the firmware. Starting from release 13.0 build 67.x, nFactor authentication is supported with the Standard license. So upgrade the firmware and then follow the DUO documentation. Thanks Arnaud

Yes, the possible solution is to upgrade, but I read this: https://www.carlstalhood.com/system-configuration-citrix-adc-13/#upgrade

I don't have licence support and my licence file has date 2020.0700...

I am not sure I can upgrade the firmware...

Thanks

ArnaudP1, posted January 26, 2023

8 hours ago, Support SADIES said:
> Yes, the possible solution is to upgrade, but I read this: https://www.carlstalhood.com/system-configuration-citrix-adc-13/#upgrade I don't have licence support and my licence file has date 2020.0700... I am not sure I can upgrade the firmware... Thanks

Can you try to redownload your license file, which should present a newer date and so allow you to upgrade the firmware?

Thanks

Arnaud

Support SADIES (Author), posted January 26, 2023

21 minutes ago, Arnaud Pain said:
> Can you try to redownload your license file, which should present a newer date and so allow you to upgrade the firmware? Thanks Arnaud

Yes, I tried to redownload and the date is the same.