Configuring Duo Integration With NetScaler

By Sam Jacobs posted 07-29-2016 06:45 AM


This blog post explains the two modes of Duo integration with the NetScaler, points out the pros and cons of each, and describes the NetScaler and StoreFront configuration each mode requires. I will not go into the configuration of the Duo proxy itself, as that is covered quite well (except where noted below) in the online Duo documentation (links below).

Having said that, there is one extremely important Duo configuration issue that I must mention: do NOT use Notepad when editing the authproxy.cfg file! Use either Notepad++ or WordPad. The impetus for this post was a good portion of a day wasted bouncing back and forth between Citrix Tech Support and Duo Tech Support, when the only thing wrong was that Notepad had inserted extra line breaks (one right in the middle of the RADIUS secret key!) into the config file.

Mode 1 – ad_client

In this mode, Duo performs ALL authentication. It communicates with Active Directory to validate the AD password, and, once validated, sends the user the push, call, or SMS. Duo configuration for this mode is explained here: https://duo.com/docs/citrix_netscaler.

In this configuration, the NetScaler needs only two RADIUS profiles and policies: one for web access and one for Receiver access. Both are defined as PRIMARY; there are no secondary profiles/policies. The link above explains the profiles and policies in detail. Take note that the port for the Receiver authentication server should be different (e.g. 18120) from the standard RADIUS port (1812) used for the web authentication server, and must match the port defined in the Duo config file.
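The two configuration pitfalls above (a stray line break splitting a value in authproxy.cfg, and Web and Receiver RADIUS servers that must listen on distinct ports matching the NetScaler actions) are both easy to catch with a small checker. This is an added example, not part of the original post or of Duo's tooling; the sample config is constructed with placeholder values, and the section and key names follow Duo's INI-style authproxy.cfg layout.

```python
import re

# Constructed sample authproxy.cfg with placeholder values (not real keys).
# In the second RADIUS block a stray line break has split radius_secret_1.
SAMPLE_CFG = """\
[ad_client]
host=dc1.example.com

[radius_server_auto]
radius_ip_1=192.0.2.10
radius_secret_1=WebSharedSecret
client=ad_client
port=1812

[radius_server_auto2]
radius_ip_1=192.0.2.10
radius_secret_1=Receiver
SharedSecret
client=ad_client
port=18120
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def lint_authproxy(text, expected_ports=("1812", "18120")):
    """Return (findings, ports); ports maps each port to the sections using it."""
    findings, ports, section, last_key = [], {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            section, last_key = m.group(1), None
            continue
        if "=" not in line:                      # orphan fragment of a split value
            findings.append(f"line {lineno}: '{line}' has no '=' (stray line break after '{last_key}' in [{section}]?)")
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        last_key = key
        if section and section.startswith("radius_server") and key == "port":
            ports.setdefault(value, []).append(section)
    for port, users in ports.items():
        if len(users) > 1:                       # Web and Receiver servers must differ
            findings.append(f"port {port} is shared by sections {users}")
    for port in expected_ports:                  # what the NetScaler RADIUS actions target
        if port not in ports:
            findings.append(f"no radius_server section listens on port {port}")
    return findings, ports
```

Run it against the real file before opening a support case; an orphan line right after a radius_secret key is the symptom the post describes.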

One important point omitted by the Duo documentation is the configuration of StoreFront. When using ad_client mode, you must ensure that the Logon Type in the StoreFront Gateway Appliance Authentication Settings is set to Domain.

[Image: StoreFront Gateway Single Factor Auth Setting]

PROS

Users see only a single password field for both web and Receiver, so you do not need to hide the second password field (for the web), and there is much less confusion when using Receiver.

[Image: Web-Receiver - one factor]

You also only need to define 2 RADIUS policies, making configuration slightly easier.

CONS

Since authentication is not being handled by the NetScaler, users cannot change passwords using this method.


Mode 2 – duo_only_client (referred to in Duo documentation as the Alternate Configuration)

In this mode, the NetScaler performs Active Directory authentication, with Duo handling only the second-factor (RADIUS) authentication, hence the name duo_only_client. This mode is a bit more complicated to set up on the NetScaler. While the Duo documentation for this mode (https://duo.com/docs/citrix_netscaler-alt) explains the Duo portion of the setup well, do NOT use that document to set up your NetScaler policies. It describes setting up two SECONDARY RADIUS policies, which will NOT work if you are using Receiver. Instead, refer to the following Duo article: https://duo.com/docs/citrix_netscaler-faq (see the section "Why might mobile Receiver clients have issues authenticating with Duo?"). That will refer you to the following Citrix KB article: http://support.citrix.com/article/CTX125364, which explains how and why you need to set up two LDAP and two RADIUS policies and profiles. Note that the session profile for Receiver must have the Credential Index set to SECONDARY.

Again, the Duo documentation omits the setup of StoreFront. When using duo_only_client mode, you must ensure that the Logon Type in the StoreFront Gateway Appliance Authentication Settings is set to Domain and security token.

[Image: StoreFront Gateway 2-factor Auth Setting]

If you leave the Logon Type at the default Domain setting, logon via the web will work (since this setting is not used by the NetScaler), but Receiver (which does use this setting) will not work.

PROS

Since the NetScaler is performing Active Directory authentication, users may change their password (as long as the LDAP authentication server is using either TLS or SSL – not PLAINTEXT).

CONS

Using this mode, users will see two password prompts for web and Receiver:

[Image: Web-Receiver - two factor]

While the unused second password field may be hidden for the web (see the Duo alternate configuration link above), this requires modification of the NetScaler source files, which is unsupported by Citrix and, if not done carefully, may corrupt your NetScaler configuration. The second password field for Receiver may NOT be hidden, and the user must enter a valid Duo factor name (push, which is recommended, or phone) into that field. This can get quite confusing for users. The NetScaler configuration for this mode is also a bit more complicated.


Sam Jacobs is the Director of Technology Development at IPM, the longest standing Citrix Platinum Partner on the East Coast. With more than 25 years of IT consulting, Sam is a NetScaler customizations and integrations industry expert. He holds Microsoft MCSD, Citrix CCP-M and CCP-N certifications, and is the editor of TechDevCorner.com, a technical resource blog for IT professionals. He is one of the top Citrix support Forum contributors, and has earned industry praise for the tools he has developed to make NetScaler, StoreFront and Web Interface easier to manage for administrators and more intuitive for end users. Sam became a Citrix Technology Professional (CTP) in 2015. Sam can be reached at: sam.jacobs@ipm.com or on Twitter at: @WIGuru.

Comments

02-14-2017 10:00 PM

Re: Hiding the second password field

John,

Nice! If all one needs to do is hide the second password field, I would certainly recommend your method. I usually do quite a bit more customization:

Adding Text, Links and Other Elements to the NetScaler Logon Page - Part 1

Adding Text, Links and Other Elements to the NetScaler Logon Page - Part 2

Sam

02-14-2017 01:02 PM

Hiding the second password field

Great writeup. I just want to add that you can hide the second password field with a rewrite that doesn't involve modifying any NetScaler files. 

Rewrite Action 

Type: INSERT_HTTP_HEADER
Header Name: Set-Cookie
Expression: ("pwcount=" + "1")

Rewrite Policy

Expression: HTTP.REQ.URL.EQ("/vpn/index.html") && HTTP.REQ.HEADER("Cookie").CONTAINS("pwcount").NOT && HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

Then of course assign the action created above to the policy, then bind the Rewrite policy to the NetScaler Gateway Virtual Server. (Rewrite > Response)


Hope that helps someone who wants to clean up the logon page without making any changes to NetScaler files. 

09-13-2016 09:28 AM

Solid article! Wish I'd seen it sooner. >.<

Thanks for the article on this topic. My org just recently started implementing Duo, but it wasn't in any centralized or managed way. I thought it was a good practice/use case for the NetScaler, since I've not had much experience with NetScaler AAA or Gateway setup up to now.

I'm glad you highlighted the pains of using their method to customize the login screen to hide that second password field. I found that you can't do it using the custom themes features of the GUI for reasons I never could figure out and that Duo couldn't tell me, and it left me wondering how I'd do that customization for a single VIP instead of what appeared to be globally.

Not that it matters, since the first time I had a hiccup during a firmware update on that test appliance, it hosed the config.  :(

Anyway, good info!  Thanks for writing it!  I wish I'd have seen it sooner. lol

08-09-2016 06:58 AM

Re: nfactor?

Patrick,

I usually suggest to clients to keep to Receiver for Web (vs. native Receiver) because a) there are fewer issues with RfWeb, and b) the Unified Experience hasn't yet made it to the mobile Receivers. Since I can hide the 2nd password field with a little code, nfactor wouldn't really change the user experience for me.


Thanks,

Sam

08-04-2016 12:30 PM

Nice!

Might have this coming up here soon, so this is good timing for me :) Thanks Sam

08-04-2016 07:41 AM

nfactor?

We use Duo as well and I have been contemplating trying to better the user experience. It may be possible to use nfactor to have NetScaler do the first phase and then pass the creds to Duo via SAML for the push auth. Thoughts?

08-02-2016 05:24 AM

Re: nice article

Thanks, Tobias ... I was actually planning on writing a different post this month, but when I saw how much time was wasted during the install because of a corrupt config file (simply because Notepad was used), I figured I would hopefully save someone else from the same headache.

08-01-2016 10:09 AM

nice article

Very nice contribution, Sam, and as we've started implementing Duo recently, this will be very useful.