Overview
Two-factor authentication is standard in most environments: users are prompted for something they have and something they know. Typically, two-factor authentication is integrated on the NetScaler with RADIUS, where the RADIUS server is itself LDAP-integrated. However, there are scenarios where the Active Directory and RSA infrastructures are not integrated, so the username differs between the two authentication methods.
This case study describes a recent engagement with exactly this requirement. The access scenario below details the use case and how Responder policies together with AAA were used to meet this customer's requirement.
Access scenario
- When a user initially connects to the URL https://access.company.com, they are presented with the NetScaler Gateway login screen, which prompts only for an Active Directory username and password. Assuming authentication succeeds, the user's AD group memberships are extracted.
- If the user does not belong to the AD "2Factor Auth" group (the group that contains the two-factor users), they are directed to a StoreFront LB VIP (load balanced on the NetScaler) and experience seamless single sign-on to StoreFront and their desktops.
- If the user does belong to the AD "2Factor Auth" group, they are redirected by a NetScaler Responder policy to a separate StoreFront LB VIP (also load balanced on the NetScaler) where additional authentication is required. This StoreFront LB VIP is fronted by a AAA TM VIP, where they are prompted for their RSA username and PIN + tokencode.
- Assuming this authentication succeeds, they are forwarded to StoreFront, where they log in again with their AD username and password, completing the process. If that authentication is successful, they are presented with their desktops.
- If the user selects "Log Off", NetScaler Rewrite policies ensure that their local authentication cookies are expired, so they must re-authenticate to continue. Because the StoreFront load balancer is the authentication point in this case, users must supply both RSA and Active Directory credentials again, maintaining the two-factor requirement.
Fig. 1: User flow
Note: because the Responder policy redirect is actually carried out by the endpoint device, both StoreFront load balancers and the AAA vServer must be reachable from the endpoint, in addition to the initial NetScaler Gateway VIP. Depending on the application, the policy conditions may need to be crafted with regular expressions so that traffic not matching them falls through to the secure default policy.
Policies and actions
The following CLI command was used to create the NetScaler Gateway vServer:
- add vpn vserver nsgateway_vpn_vserver SSL 10.0.0.150 443 -icaOnly ON -Listenpolicy NONE
A Responder policy is created that checks whether the user is a member of the Active Directory group "AD 2Factor Auth". If a user who authenticates on the NetScaler Gateway is a member of that group, the bound policy triggers the Responder action. In this case the Responder action is a redirect to another URL, applied before the session policies take effect.
The following CLI commands were used to create the Responder policy and action and to bind them to the NetScaler Gateway vServer, so that two-factor users are redirected after they have authenticated with LDAP:
- add responder action RSA_Redirect_Action redirect "\"https://company.com/Citrix/StoreWeb\""
- add responder policy RSA_Redirect_Policy "HTTP.REQ.USER.IS_MEMBER_OF(\"AD 2Factor Auth\")" RSA_Redirect_Action
- bind vpn vserver nsgateway_vpn_vserver -policy RSA_Redirect_Policy -priority 100 -gotoPriorityExpression END -type REQUEST
The load balancing vServer works together with the authentication vServer to provide the second authentication factor (RADIUS in this case). Authentication is enabled on the load balancing vServer, which redirects the user to tmindex.html on the authentication vServer, where they authenticate against the configured service. If successful, the user is forwarded to the back-end servers behind the load balancing vServer using the configured load balancing and persistence methods.
The load balancing vServer was configured with the following CLI command:
- add lb vserver twofactorsflb.company.com_vserver SSL 10.0.0.151 443 -persistenceType SOURCEIP -Listenpolicy NONE -cltTimeout 180 -AuthenticationHost RSAServer.company.com -Authentication ON -authnVsName RSA_Auth_VServer -comment "RSA LB VIP"
The authentication vServer was created with the following CLI command:
- add authentication vserver RSA_Auth_VServer SSL 10.0.0.152 443 -AuthenticationDomain company.com
If a user who is a member of the AD 2Factor Auth group selects "Logoff" in the StoreFront interface, a number of Rewrite policies and their associated actions trigger. These actions modify the AAA cookies on the user's endpoint by setting their expiry date in the past. This immediately invalidates the cookies, so the user must perform both the AAA and the StoreFront authentication again.
The following CLI commands were used to create the Rewrite policies and actions and to bind them, so that the AAA cookies are expired on the user's endpoint when "Logoff" is selected in StoreFront. They are modified versions of the OWA logout policies and actions from Abhilash Verma's post on the Citrix blog, http://blogs.citrix.com/2011/11/11/ensuring-secure-logout-for-your-application/.
- add rewrite action RSA_EXPIRE_TMAS_COOKIE_Action insert_http_header Set-Cookie "\"NSC_TMAS=xyz; Domain=.company.com; Path=/; Expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure\""
- add rewrite action RSA_EXPIRE_TMAA_COOKIE_Action insert_http_header Set-Cookie "\"NSC_TMAA=xyz; Domain=.company.com; Path=/; Expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure\""
- add rewrite policy RSA_EXPIRE_TMAS_COOKIE_Policy "HTTP.REQ.URL.CONTAINS(\"/Citrix/StoreWeb/authentication/logout\")" RSA_EXPIRE_TMAS_COOKIE_Action
- add rewrite policy RSA_EXPIRE_TMAA_COOKIE_Policy "HTTP.REQ.URL.CONTAINS(\"/Citrix/StoreWeb/authentication/logout\")" RSA_EXPIRE_TMAA_COOKIE_Action
- bind lb vserver SF_RSA_LB_VS -PolicyName RSA_EXPIRE_TMAS_COOKIE_Policy -priority 0 -gotoPriorityExpression NEXT -type RESPONSE
- bind lb vserver SF_RSA_LB_VS -PolicyName RSA_EXPIRE_TMAA_COOKIE_Policy -priority 100 -gotoPriorityExpression END -type RESPONSE
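As an added verification step (not part of the original case study), the following Python snippet parses the Set-Cookie headers of a StoreFront logoff response and checks that both NSC_TMAS and NSC_TMAA are expired in the past, scoped to .company.com and flagged Secure, which is what the two Rewrite actions above are meant to produce. The header lists are constructed samples; the partial case models what the client sees if only the first policy fires (for instance because it was bound with END instead of NEXT).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# AAA cookies the Rewrite actions expire; if either survives, the AAA session outlives the StoreFront logoff.
AAA_COOKIES = ("NSC_TMAS", "NSC_TMAA")
COOKIE_DOMAIN = ".company.com"  # Domain attribute used in the Rewrite actions

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def verify_logout_cookies(set_cookie_headers, now=None):
    """Return {cookie: [problems]}; an empty list means expired, right Domain, Secure."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in AAA_COOKIES:
            continue  # unrelated StoreFront cookie, not our concern here
        problems = []
        try:  # parsedate_to_datetime accepts both RFC 1123 and RFC 850 (Wednesday, 09-Nov-1999) dates
            expires = parsedate_to_datetime(attrs["expires"])
        except (KeyError, TypeError, ValueError):
            problems.append("no parseable Expires attribute")
        else:
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires >= now:
                problems.append("Expires is not in the past")
        if attrs.get("domain", "").lower() != COOKIE_DOMAIN:
            problems.append("Domain is not %s" % COOKIE_DOMAIN)
        if "secure" not in attrs:
            problems.append("Secure flag missing")
        results[name] = problems
    for name in AAA_COOKIES:  # a cookie that is never touched is the worst outcome
        results.setdefault(name, ["no Set-Cookie header for this cookie"])
    return results

# Constructed sample: logoff response after both Rewrite policies fired (NEXT, then END).
GOOD_LOGOUT_HEADERS = [
    "NSC_TMAS=xyz; Domain=.company.com; Path=/; Expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure",
    "NSC_TMAA=xyz; Domain=.company.com; Path=/; Expires=Wednesday, 09-Nov-1999 23:12:40 GMT; Secure",
]
# Constructed sample: only the first policy fired, so NSC_TMAA survives the logoff.
PARTIAL_LOGOUT_HEADERS = GOOD_LOGOUT_HEADERS[:1]
```

Point a real check at the headers returned by the two-factor StoreFront VIP for /Citrix/StoreWeb/authentication/logout and expect an empty problem list for both cookies.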