HID-DigitalPersona-NetScaler-RADIUS-Authentication-Integration-Guide

Integration Guide

November 5, 2019

Table of Contents

INTRODUCTION (page 4)
  Overview
  Main topics
  Components (page 4)
  Deployment overview and checklist (page 4)
CONFIGURATION (page 6)
  Configure the NPS Server RADIUS Client (page 6)
  Configure the NPS Server Connection Request Policy (page 8)
  Configure the NPS Server Network Policy (page 10)
  Configure the NetScaler Authentication Policy and Server (page 12)
  Configure the NetScaler Gateway Virtual Server (page 15)
DEPLOYMENT (page 19)
  Run the DigitalPersona AD NPS Plugin (page 19)
VERIFICATION (page 21)
TROUBLESHOOTING CHECKPOINTS (page 21)

1 Introduction

Overview

This guide describes how to integrate the DigitalPersona NPS Plugin and specified NetScaler components for RADIUS Authentication using a One-Time Password.

Main topics

Topic or Phase                      Page
Components                          4
Deployment overview and checklist   4
Configuration                       6
Deployment                          19
Verification                        21
Troubleshooting checkpoints         21

Components

The components used in the authentication process are described below. This is the default recommended minimum configuration and can be further extended to meet customer requirements.

Machine or Appliance   Description
NPS Server             The NPS Server Role is installed on the NPS Server.
Domain Controller      DigitalPersona AD Server is installed on the Domain Controller.
NetScaler Appliance    Both virtual and physical appliances are supported.
Client Machine         DigitalPersona AD Workstation is installed for enrolling OTP credentials.

Deployment overview and checklist

The basic phases of deployment and their included tasks are shown below.

Step   Phase and Task                                                Page
       Preparation and Installations
1      Install Network Policy Server role on NPS server              *
2      Copy software package to NPS Server
3      Install DigitalPersona AD Server                              *
4      Install DigitalPersona AD Workstation on a client machine     *
5      Import NetScaler Gateway Virtual Server                       *
       Configuration
6      Configure the NPS Server RADIUS Client                        6
7      Configure the NPS Server Connection Request Policy            8
8      Configure the NPS Server Network Policy                       10
9      Configure the NetScaler Authentication Policy and Server      12
10     Configure the NetScaler Gateway Virtual Server                15
       Deployment
11     Run the DigitalPersona AD NPS Plugin                          19
       Verification
12     Open the NetScaler Gateway Login Page                         21
13     Log on with AD user credentials and a Radius OTP credential   21
       Completion

* For installation details, see the DigitalPersona NPS Plugin chapter in the DigitalPersona AD Administrator Guide.

2 Configuration

On the NPS machine, open the Network Policy Server console.

Configure the NPS Server RADIUS Client

1. In the left panel, expand RADIUS Clients and Servers.

2. Right-click RADIUS Clients and select New.

3. In the New RADIUS Client dialog, provide the following information.
  • Friendly Name
  • IP Address (NSIP) of the NetScaler appliance
  • Shared Secret Key. Note that the key will also be needed when configuring the NetScaler RADIUS Policy.

4. On the Advanced tab, confirm that RADIUS Standard is selected for the Vendor Name and click OK.

Configure the NPS Server Connection Request Policy

This section will walk you through the configuration of the NPS Server Connection Request policy.

1. Under Policies, right-click Connection Request Policies and select New.

2. Enter the name for your Connection Request Policy and select Unspecified for the Type of network access server.

3. Select Next.

4. Select Add to specify conditions. If there are no restrictions, select Day and Time Restrictions and then choose Permitted.

5. Select OK and select Next.

6. On the next page, under the Authentication tab, select Authenticate Requests on this server.

7. Select Next.

8. On the Specify Authentication Methods page, select the checkbox to Override network policy authentication settings and the one for Unencrypted Authentication (PAP, SPAP).

9. Select Next and select No when the pop-up box appears.

10. On the Configure settings page, configure the attributes and settings per your organization standards.

11. Select Next and review the policy details.

12. Select Finish.

Configure the NPS Server Network Policy

This section will walk you through the configuration of the NPS Server Network Policy.

1. Under Policies, right-click Network Policies and select New.

2. Enter a name for the network policy and select Unspecified for the Type of network access server.

3. Select Next.

4. Select Add to specify conditions. If there are no restrictions, select Day and Time Restrictions and choose Permitted.

5. Select OK and then select Next.

6. On the Specify Access Permission page, select Access Granted.

7. Select Next.

8. On the Configure Authentication Methods page, select the checkbox for Unencrypted Authentication (PAP, SPAP).

9. Select Next and select No when the pop-up box appears.

10. On the Configure Settings page, accept the default settings.

11. Select Next and review your configuration.

12. Select Finish.

Configure the NetScaler Authentication Policy and Server

This section will walk you through the process of configuring your NetScaler appliance Radius Authentication policy and server.

1. Open a web browser and connect to your NetScaler Management Interface using the NSIP (http://IPofNSIP).

2. Log in with your administrator credentials.

3. On the left-hand panel, expand NetScaler Gateway and then, under that, expand Policies. Under Policies, expand Authentication and select RADIUS.

4. In the right panel, select the Servers tab. Then select Add.

5. Enter a name for the RADIUS Server, its IP address and the secret key from step 3 in the Configure the NPS Server RADIUS Client section of this document (page 6).

6. Click Test Connection. A response with a green background indicates all is well.

7. Click More, and for Password Encoding, select PAP.

8. At the bottom of the page, select Create.

9. Select the Policies tab and click Add.

10. Enter a RADIUS Policy name and, under Server, select the RADIUS server.

11. In the Expression Editor, enter the expression ns_true.

12. Click Create.

Configure the NetScaler Gateway Virtual Server

This section will walk you through creating a NetScaler Gateway Virtual Server with LDAP and Radius authentication.

1. In the left-hand panel, expand the NetScaler Gateway element and select Virtual Servers.

2. Select Add.

3. Under Basic Settings, enter a Name and IP Address for your NetScaler Gateway.

4. Select OK.

5. Under Certificate, select Server Certificate and then select the signed certificate for your Gateway.

6. Under Basic Authentication, select the + icon in the right panel, and then select LDAP for the Policy and Primary for the Type.

7. Click Continue and choose your existing LDAP policy.

Note that creating the LDAP policy and server is beyond the scope of this document.

8. Click Bind.

9. Under Basic Authentication, select the + icon in the right panel, then select RADIUS as the Policy and Secondary as the Type.

10. Click Continue. Then choose the RADIUS policy that was previously created.

11. Click Bind.

Configuration of other required NetScaler Gateway components is beyond the scope of this guide. Refer to the Citrix documentation for additional configuration information.

3 Deployment

Run the DigitalPersona AD NPS Plugin

1. On the NPS Server machine, from the DigitalPersona product package, right-click on the DigitalPersona (Altus) AD NPS Plugin and select Open .

2. On the Welcome page, click Next .

3. Accept the terms in the License Agreement and click Next .

4. Click Next .

5. Click Install .

6. Select Finish.

The RADIUS authentication request from the NetScaler Gateway will initially communicate with the DigitalPersona NPS Plugin. If the OTP is accepted, the NPS plugin forwards the request to the NPS Server.
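The RADIUS leg of this flow, as an added example that is not part of the guide or of the DigitalPersona or Citrix software: the NetScaler Gateway (the RADIUS client registered under its NSIP on page 6) sends an Access-Request whose User-Password attribute carries the OTP, obfuscated with the shared secret using the PAP method selected in step 7 of the NetScaler server configuration; the NPS side decodes it and answers Access-Accept or Access-Reject, and the client checks the Response Authenticator before trusting the reply. The shared secret, user name, OTP and the 192.0.2.10 address are constructed values; the server here is a toy stand-in for NPS and the plugin, not their code.

```python
"""RFC 2865 Access-Request / Access-Accept exchange with PAP password hiding.
Added example; secret, user, OTP and addresses below are constructed."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator.
    This hides the OTP only from someone without the shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def pap_decode(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of pap_encode; the zero padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(body[i], []).append(body[i + 2:i + body[i + 1]])
        i += body[i + 1]
    return attrs


def build_access_request(identifier, username, otp, secret, nas_ip, authenticator=None):
    """What the RADIUS client (the NetScaler Gateway here) puts on the wire."""
    authenticator = authenticator or secrets.token_bytes(16)   # 16 random octets per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, pap_encode(otp.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, length, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(struct.pack("!BBH", code, identifier, length) + request_auth + attrs + secret).digest()


def server_respond(request: bytes, secret: bytes, enrolled: dict) -> bytes:
    """Toy stand-in for the NPS side: decode the OTP and grant or reject.
    'enrolled' maps user name to the OTP value currently valid for that user."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs[ATTR_USER_NAME][0].decode()
    otp = pap_decode(attrs[ATTR_USER_PASSWORD][0], secret, request_auth)
    rcode = ACCESS_ACCEPT if enrolled.get(user) == otp else ACCESS_REJECT
    return struct.pack("!BBH", rcode, identifier, 20) + response_authenticator(
        rcode, identifier, 20, request_auth, b"", secret)


def client_accepts(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check: the Response Authenticator proves the reply came from a
    holder of the shared secret and belongs to this request; anything else is refused."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or not 20 <= length <= len(response):
        raise ValueError("response does not match the request")
    expected = response_authenticator(code, identifier, length, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or tampered reply")
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    secret = b"constructed-shared-secret"                    # constructed value
    req = build_access_request(7, "alice", "482913", secret, "192.0.2.10")
    print("accepted:", client_accepts(server_respond(req, secret, {"alice": b"482913"}), req, secret))
```

Two things worth noticing when the Test Connection button on the NetScaler (step 6) turns red: a secret that differs on the two sides makes the decoded OTP garbage, so NPS rejects, and the reply's Response Authenticator then fails the client's check as well, which is why the symptom is the same whether the key was mistyped on the NPS RADIUS client or on the NetScaler server object. The PAP hiding is keyed only by that shared secret, so the NSIP-to-NPS path should be a trusted network segment and the secret long and random.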

Verification

Ensure that the DigitalPersona Server is up and reachable and that the test user has enrolled an OTP credential through the DigitalPersona Workstation.

1. Open a NetScaler Gateway portal web site (e.g. https://citrix.MyCompany.com/). It should now have three logon fields: username, password, and OTP.

2. Log on with the test user's AD credentials and their enrolled OTP.

3. If logon is successful, the user will be redirected to the appropriate designated page as defined by the NetScaler Gateway.

Troubleshooting checkpoints

The main troubleshooting checkpoints are:

  • Windows Event logs on the NPS Server under Windows Logs -> Security.
  • Windows Event logs on the StoreFront server.
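A way to work through the first checkpoint, the NPS Server's Security log, as an added example that is not part of the guide: NPS audits each RADIUS decision there as event 6272 (access granted) or 6273 (access denied). The script below reads an XML export of those events and checks them against what this guide configures: the only RADIUS client should be the NetScaler NSIP, every request should have matched both the connection request policy and the network policy, the method should be PAP, and repeated denials for one account are worth a look. The records are constructed; their Data field names follow the NPS events, the policy names, users and addresses are made up.

```python
"""Triage of NPS Security-log events 6272/6273 over a constructed XML export.
Added example, not from the guide; all record values below are made up."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NPS_GRANTED, NPS_DENIED = 6272, 6273


def _event(eid, when, user, client, proxy, policy, auth="PAP", code="", reason=""):
    # Builds one constructed <Event> in Event Viewer's XML shape (only the fields used here).
    return f"""<Event xmlns="{NS['e']}"><System><EventID>{eid}</EventID>
<TimeCreated SystemTime="{when}"/></System><EventData>
<Data Name="SubjectUserName">{user}</Data><Data Name="ClientIPAddress">{client}</Data>
<Data Name="ProxyPolicyName">{proxy}</Data><Data Name="NetworkPolicyName">{policy}</Data>
<Data Name="AuthenticationType">{auth}</Data><Data Name="ReasonCode">{code}</Data>
<Data Name="Reason">{reason}</Data></EventData></Event>"""


# Constructed export: one grant, three denials for the same account from the
# expected NetScaler NSIP, and one denial from an unregistered client that
# matched neither policy.
SAMPLE_EXPORT = "<Events>" + "".join([
    _event(6272, "2019-11-05T10:00:01Z", "alice", "192.0.2.10", "NetScaler CRP", "NetScaler OTP"),
    _event(6273, "2019-11-05T10:01:10Z", "bob", "192.0.2.10", "NetScaler CRP", "NetScaler OTP",
           code="16", reason="credentials mismatch (constructed text)"),
    _event(6273, "2019-11-05T10:01:25Z", "bob", "192.0.2.10", "NetScaler CRP", "NetScaler OTP",
           code="16", reason="credentials mismatch (constructed text)"),
    _event(6273, "2019-11-05T10:01:41Z", "bob", "192.0.2.10", "NetScaler CRP", "NetScaler OTP",
           code="16", reason="credentials mismatch (constructed text)"),
    _event(6273, "2019-11-05T10:05:00Z", "carol", "198.51.100.7", "-", "-",
           code="49", reason="no matching connection request policy (constructed text)"),
]) + "</Events>"


def parse_nps_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict: the EventID plus every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"id": eid, **data})
    return events


def triage(xml_text: str, netscaler_nsip: str, burst_threshold: int = 3) -> dict:
    """Summarise grants/denials and flag what deviates from this guide's setup."""
    result = {"granted": 0, "denied": 0, "unexpected_clients": set(), "no_policy_match": [],
              "non_pap": [], "denied_by_reason": Counter(), "denial_bursts": {}}
    denials = Counter()
    for e in parse_nps_events(xml_text):
        if e["id"] == NPS_GRANTED:
            result["granted"] += 1
        elif e["id"] == NPS_DENIED:
            result["denied"] += 1
            denials[e["SubjectUserName"]] += 1
            result["denied_by_reason"][e.get("Reason", "")] += 1
        else:
            continue                                   # not an NPS access decision
        # Only the NetScaler NSIP is registered as a RADIUS client (page 6).
        if e.get("ClientIPAddress") != netscaler_nsip:
            result["unexpected_clients"].add(e.get("ClientIPAddress"))
        # Both policies from the Configuration chapter should have matched.
        if e.get("ProxyPolicyName", "-") in ("", "-") or e.get("NetworkPolicyName", "-") in ("", "-"):
            result["no_policy_match"].append(e["SubjectUserName"])
        # Both policies allow PAP only.
        if e.get("AuthenticationType") not in ("", "PAP"):
            result["non_pap"].append(e["SubjectUserName"])
    result["denial_bursts"] = {u: n for u, n in denials.items() if n >= burst_threshold}
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPORT, "192.0.2.10").items():
        print(f"{key}: {value}")
```

Run against a real export, replace SAMPLE_EXPORT with the XML saved from Event Viewer (Security log, filtered to 6272 and 6273) and pass the NSIP you registered in the NPS RADIUS client. An address in unexpected_clients means something other than the NetScaler is sending RADIUS to this server; a user in no_policy_match points back at the connection request or network policy conditions; a denial burst for one account is either an OTP enrollment problem on the workstation or repeated wrong guesses and deserves a look either way.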