Native One Time Passwords (OTP) – Citrix Gateway 13

30/07/2019 Native One Time Passwords (OTP) – Citrix Gateway 13 – Carl Stalhood
Last Modified: May 30, 2019 @ 6:41 pm

Navigation
- Change Log
- Overview
- Citrix ADC Configuration Objects for OTP
- AAA vServer
- Push Service
- LDAP Policies/Actions
- nFactor Visualizer
  - First Factor to select Manage or Authenticate
  - Second Factor for LDAP before manageotp
  - Third Factor for manageotp
  - Second Factor for LDAP before OTP Authentication
  - Third Factor for OTP Authentication
- Bind nFactor Flow to AAA vServer
- Number of Registered OTP Devices
- Traffic Policy for Single Sign-on
- Citrix Gateway and Authentication Profile
- Update Content Switching Expression for Unified Gateway
- Manageotp User Experience
- OTP Authentication User Experience
- CLI Commands

Change Log

New OTP features in ADC 13:
- Push Notifications
- nFactor Visualizer
- Maximum number of registered devices per user

Overview

Citrix ADC 13 Native OTP lets you enable two-factor authentication without purchasing any other authentication product. A typical configuration uses the Citrix SSO app (mobile VPN client) to receive push notifications, or Google Authenticator to generate passcodes. See the following for an overview:
- YouTube video: NetScaler Unified Gateway One Time Password
- Citrix Blog Post: NetScaler Unified Gateway Provides One Time Password (OTP), Natively
- Citrix CTX228454: NetScaler One Time Password (OTP) Guide for Dual Authentication or Registration

Here are some notes and requirements for Native OTP:
- Licensing – Citrix ADC Native OTP is part of nFactor, and thus requires Citrix ADC Advanced Edition or Citrix ADC Premium Edition licensing. Citrix ADC Standard Edition licensing is not sufficient.
  - OTP Push Notifications require ADC Premium Edition.
- Workspace app 1809 and newer with Citrix Gateway 12.1 build 49 and newer support nFactor authentication. Older Receivers and older NetScalers don’t support nFactor with Receiver, so you’ll instead have to use a web browser.

- Citrix Gateway VPN Plug-in 12.1 build 49 and later support nFactor when authenticating from the VPN Plug-in.
- Push notifications – Citrix ADC 13 and newer supports OTP push notifications of logon requests to the mobile (iOS, Android) Citrix SSO app. Other authenticator apps are not supported for OTP Push, but they can be used with OTP Passcode.
- Authenticator – If not using the Citrix SSO app, then Google Authenticator can generate passcodes. Christian in the comments indicated that Microsoft Authenticator also works: click on the plus sign, then Other (Google, …).
- Internet for Push – Push notifications require the Citrix ADC appliance to be able to send API calls across the Internet to Citrix Cloud.
- Active Directory attribute – Citrix ADC stores OTP device enrollment secrets in a string-based Active Directory attribute. Citrix’s documentation uses the userParameters Active Directory attribute.
  - The LDAP bind account must have permission to modify this attribute on every user.
  - The userParameters attribute must not be populated. Active Directory Users & Computers might set the userParameters attribute if you modify any of the RDS property pages.
- Enroll multiple devices – Citrix ADC 13 and newer lets you control the number of devices that a user can enroll.
- Manageotp is difficult to secure – The manageotp website is usually only protected by single-factor authentication, so external access must be blocked.

Notes on Citrix ADC Configuration Objects for OTP

Here are some notes on the Citrix ADC OTP configuration objects. Detailed instructions are provided later.
- Make sure NTP is configured on the Citrix ADC. Accurate time is required.
- AAA vServer – nFactor requires a AAA vServer, which can be non-addressable. You don’t need any additional public IP for OTP.
  - An Authentication Profile links the AAA vServer to the Citrix Gateway vServer.
- Citrix Cloud – For Push notifications, create a Citrix Cloud account. No Citrix Cloud licensing is needed. Citrix ADC uses Cloud API credentials to authenticate with Citrix Cloud.
- NSC_TASS cookie – To access the manageotp web page, users add /manageotp to the end of the Gateway URL. Citrix ADC puts this URL path into a cookie called NSC_TASS. You can use this cookie and its value in policy expressions for determining which Login Schema is shown to the user.
- Login Schema for manageotp – The built-in Login Schema file named SingleAuthManageOTP.xml has hidden fields that enable the manageotp web page. If the Login Schema Policy expression permits the SingleAuthManageOTP.xml Login Schema to be shown to the user, then after authentication the user will be taken to the manageotp web page.
  - LDAP authentication is expected to be bound to the same factor as this SingleAuthManageOTP login schema.
  - The next factor is a LDAP Policy/Server with authentication disabled (unchecked) but with arguments specifying the Active Directory attribute for the OTP Secret and the Push Service configuration.
- Login Schema for OTP authentication – The built-in Login Schema file named DualAuthPushOrOTP.xml performs the two-factor authentication utilizing the push service. There’s a checkbox that lets users choose Passcode instead of Push. This login schema has a Credential called …
  - If you prefer to not use Push, then you can use a normal DualAuth.xml Login Schema file, since for passcode authentication there are no special Login Schema requirements other than collecting two password fields.
  - Both methods expect an authenticating LDAP Policy/Server to be bound to the same Factor as the Login Schema.
  - The next factor should be a non-authenticating LDAP Policy/Server that optionally has the Push Service defined and must have the OTP Secret attribute defined.
- Single Sign-on to StoreFront – The OTP dual authentication Login Schema essentially collects two passwords (AD password plus push, or AD password plus passcode). Later, Citrix Gateway needs to use the AD password to perform Single Sign-on to StoreFront. To ensure the AD password is used instead of the OTP passcode, configure the OTP dual authentication Login Schema to store the AD password in a AAA attribute, and then use a Citrix Gateway Traffic Policy/Profile to utilize the AAA attribute during Single Sign-on to StoreFront.
- nFactor Visualizer – Citrix ADC 13 has a nFactor Visualizer to simplify the OTP configuration. Or you can manually create the LDAP Policies/Actions, the Login Schema Policies/Profiles, the PolicyLabels, and then bind them to a AAA vServer.

AAA Virtual Server

Create a AAA vServer that is the anchor point for our OTP nFactor configuration.
1. Go to Security > AAA – Application Traffic.
2. If the AAA feature is not enabled, then right-click the AAA node, and click Enable Feature.
3. Go to Security > AAA – Application Traffic > Virtual Servers.
4. On the right, click Add.
5. This AAA vServer is for OTP, so name it accordingly.
6. Change the IP Address Type to Non Addressable. You don’t need to specify any additional IP address.
7. Click the blue OK button.
8. Click where it says No Server Certificate.
   a. In the Server Certificate Binding section, click Click to select.
   b. Click the radio button next to a certificate, and then click the blue Select button at the top of the page. You can select the same certificate as the Citrix Gateway Virtual Server.
   c. Click Bind.
9. Click Continue to close the Certificate section.
10. In the Advanced Authentication Policies section, don’t bind anything and just click Continue. We’ll bind a nFactor Flow later.
11. You can optionally improve the SSL ciphers on this AAA Virtual Server, but it’s probably not necessary since this AAA vServer is not directly addressable.
12. Nothing else is needed at this time, so click the blue back arrow on the top left.

Push Service

If your Citrix ADC has Internet access, then you can enable OTP Push Authentication. The ADC must be able to reach Citrix Cloud over the Internet.

Create an API Client at citrix.cloud.com:
1. Go to https://citrix.cloud.com and log in. Your cloud account does not need any licensed services.
2. On the top left, click the hamburger (menu) icon, and then click Identity and Access Management.
3. Switch to the tab named API Access.
4. On this page, notice the Customer ID. You’ll need this value later.
5. Enter a name for a new API client and then click Create Client.
6. Click Download to download the client credentials.

On ADC 13, create the Push Service:
1. In the Citrix ADC 13 management GUI, navigate to the Push Service node. The easiest way to find it is to enter Push in the search box on the top left.
2. On the right, click Add.
3. In the Create Push Service page, do the following:
   a. Enter a name for the Push Service.
   b. Enter the Client ID and Client Secret that you downloaded when creating your API Client.
   c. Enter the Customer ID shown on the Create Client web page at cloud.com. Make sure there are no hidden characters or whitespace around the Customer ID.

4. Click Create.
5. On the top right, click the refresh icon until the Status changes to COMPLETE. If it won’t go past CCTOKEN, then make sure you entered the API Client info correctly, especially the Customer ID, which might have hidden characters around it.

LDAP Actions/Servers

Create three LDAP Actions (aka LDAP Servers):
- One LDAP Action for normal LDAP authentication against Active Directory
- One LDAP Action to set the OTP Active Directory attribute and register with push
- One LDAP Action to perform push authentication (in a dual-authentication flow)

Create normal LDAP Action

1. Go to Security > AAA – Application Traffic > Policies > Authentication > Advanced Policies > Actions > LDAP.
2. On the right, click Add.
3. Create a normal LDAP Server if you don’t have one already. This one has Authentication enabled. There are no special instructions for this LDAP Server.

Create LDAP Action for OTP Device Registration

Create the LDAP Action for OTP device registration that sets the OTP Active Directory attribute and registers with push:
1. Create another LDAP Action.
2. Name it according to this goal: used by the manageotp web site to set the OTP authenticator in Active Directory.
3. On the right, uncheck the box next to Authentication.
4. Make sure the Administrator Bind DN has permissions to modify the OTP Secret Active Directory attribute for all users. A regular non-admin LDAP Bind account won’t work.
5. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new LDAP Action won’t work.
6. Click Test LDAP Reachability.
7. Configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
8. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute where Citrix ADC will store the user’s OTP secret. You can use the userParameters attribute if that attribute isn’t being used for anything else.
   - userParameters is populated by Active Directory Users & Computers if you set anything on the RDS tabs (e.g. RDS Roaming Profile).
9. Select the Push Service that you created earlier.
10. Click Create when done.

Create LDAP Action for OTP Authentication

Create a LDAP Action that performs OTP push authentication or verifies the OTP Passcode. The only difference from the prior LDAP Action is the addition of an LDAP Search Filter.
1. Create another LDAP Action.
2. Give the LDAP Action a name.
3. On the right, uncheck the box next to Authentication.
4. Make sure the Administrator Bind DN has permissions to read the OTP Secret Active Directory attribute.
5. If you cloned an existing LDAP Server, then make sure you re-enter the Administrator Password or the new LDAP Action won’t work.
6. Click Test LDAP Reachability.
7. In the Other Settings section, configure the Server Logon Name Attribute to match the one you configured in the normal authentication LDAP Server.
8. In the Search Filter field, enter the text userParameters>=#@. This syntax ensures that only users with enrolled authenticators can log in. See George Spiers’ article on native OTP for more info.
9. In the Other Settings section, on the bottom right, find the OTP Secret field. Enter the name of the Active Directory attribute containing the user’s OTP secret.
10. In the Push Service drop-down, select the Push Service that you already created.
11. Click Create when done.

nFactor Visualizer

We will build a nFactor Flow that looks something like this:

- The first factor on the left chooses either OTP Device Registration or OTP Authentication. If the user enters /manageotp, then the nFactor Flow takes the top path. Otherwise, the nFactor Flow takes the bottom path. A Login Schema is not needed for the first factor.
- Second factor for Manage OTP: Login Schema with the Manage OTP flag and normal LDAP authentication before allowing users to add devices.
  - The third factor is just an LDAP Policy configured with the OTP Active Directory attribute and Push Service. No Login Schema needed.
- Second factor for OTP Authentication: Login Schema with OTP Push (or OTP Passcode) and normal LDAP authentication.
  - The third factor is just an LDAP Policy with the OTP Active Directory attribute and Push Service. No Login Schema needed.

nFactor Visualizer notes:
- nFactor Visualizer is not required. You can instead follow the older manual ADC 12.1 instructions.
- It doesn’t seem to be possible to rename any part of the flow once it’s created. To rename, you basically remove the entire flow and rebuild it.
- nFactor Visualizer does not support policy expressions for Login Schemas, so the older ADC 12.1 instructions must be modified to support two different branches.

Create Flow and first factor that selects Manage or selects Authenticate

1. In ADC 13, go to Security > AAA – Application Traffic > nFactor Visualizer > nFactor Flows. Or search the menu for nFactor.
2. On the right, click Add.
3. Click the blue plus icon to create a factor.
4. Name the factor based on this goal: choose manageotp or authenticate based on whether the user entered /manageotp or not. The name of the first factor is also the name of the nFactor Flow.
5. Click the blue Create button.
6. The first factor does not need a Schema.
7. In the first factor, click where it says Add Policy.
8. In the Choose Policy to Add page, click Add to create an authentication policy.
   a. Name this policy according to this goal: if this policy’s expression is true, then select the manageotp branch (instead of OTP authentication).
   b. For the Action Type drop-down, select NO_AUTHN. This policy is merely a decision point for the next factor, so no actual authentication will occur at this time. The next factor is configured later.
   c. In the Expression box, enter something similar to the following. The IP subnet expression restricts the manageotp web page to only internal users.
      http.req.cookie.value("NSC_TASS").eq("manageotp") && client.IP.SRC.IN_SUBNET(<internal subnet>/8)
   d. Then click the blue Create button.
9. Click the blue Add button to bind this policy to the factor.
10. In the first factor, below the policy you just added, click the blue plus arrow to create another policy.
11. In the Choose Policy to Add page, click Add to create another policy.
   a. Name the policy according to this goal: select the dual factor OTP authentication branch.
   b. For the Action Type drop-down, select NO_AUTHN. This is a decision point policy without authentication that leads to the next factor that does the actual authentication.
   c. In the Expression box, enter true to capture all OTP users that did not match the prior manageotp policy.
   d. Click the blue Create button.
12. Click Add to bind this policy to the first factor, but after (higher priority number than) the manageotp policy.

Create second factor for LDAP authentication before manageotp

1. In the first factor, click the green plus icon to the right of the “SelectManageOTP” policy. If the “SelectManageOTP” policy is true, then this new factor will be evaluated.
2. Name this factor according to this goal: perform single-factor LDAP authentication before allowing access to the manageotp web page.
3. Then click the blue Create button.
4. In the second factor, click where it says Add Schema.
5. In the Choose Schema page, click Add to create a Login Schema.
   a. Name the Login Schema according to this goal: ask the user for one password that will be verified with LDAP (Active Directory) before showing the manageotp web page.
   b. In the Authentication Schema field, click the pencil icon.
   c. The existing window expands to show the Login Schema Files. On the left, click the LoginSchema folder to see the files in that folder.
   d. In the list of files, click SingleAuthManageOTP.xml. This login schema asks for one password and has the special hidden credential to enable the manageotp web page.
   e. To actually select this file, on the top right, click the blue Select button. The Login Schema window will then collapse so that Login Schema Files are no longer shown.
   f. Make sure the Authentication Schema field shows the Login Schema file that you selected.
   g. Then click the blue Create button.
6. Click OK to bind the Schema to the factor.
7. In the second factor, below the Schema, click Add Policy.
8. In the Choose Policy to Add page, if you already have a normal Advanced Expression LDAP policy, then select it.
9. Otherwise, click Add to create one.
   a. Name this policy according to this goal: perform normal LDAP authentication against an Active Directory domain.
   b. In the Action Type drop-down, select LDAP.
   c. In the Action drop-down, select the LDAP Action/Server you created earlier that performs normal authentication.
   d. In the Expression box, enter true, which is an Advanced Expression.
   e. Click the blue Create button.
10. Click Add to bind this LDAP Policy to the factor.

Create third factor that registers an OTP device with Active Directory and Push

1. In the second factor, click the green plus icon to create another factor. This new factor is only evaluated if the LDAP Policy is successful.
2. Name the factor according to this goal: register the device with Active Directory and optionally Push.
3. This factor does not need any Schema.
4. In the third factor, click Add Policy.
5. In the Choose Policy to Add page, click Add to create a policy.
   a. Name the policy according to this goal: register OTP devices using the LDAP Action without authentication that has the OTP Secret Attribute specified.
   b. In the Action Type drop-down, select LDAP.
   c. In the Action drop-down, select the LDAP Action you created earlier that registers new devices. Make sure authentication is disabled in the LDAP Action, and make sure it has OTP Secret and optionally OTP Push configured.
   d. In the Expression field, enter true.
   e. Click the blue Create button.
6. Click the blue Add button to bind this policy to the factor.

The Factors for manageotp are complete. Now we build the factors for authenticating using OTP.

Create a second factor for LDAP Authentication

1. Go back to the first factor and click the green plus icon next to the OTP Authentication policy.
2. Name the factor according to this goal: ask the user for one password plus push, or two passwords, and then perform LDAP authentication. OTP authentication is performed in the next factor (see below).
3. In the second factor, click where it says Add Schema.
4. In the Choose Schema window, click Add.
   a. Name the Login Schema according to this goal: ask for one password plus OTP push, or ask for two passwords.
   b. In the Authentication Schema field, click the pencil icon.
   c. The window expands to show Login Schema Files. On the left, click the LoginSchema folder to see the files under it.
   d. On the left, click the DualAuthPushOrOTP.xml file.
   e. Or if you don’t want push, then click a normal two-password schema like DualAuth.xml. You can modify the DualAuth.xml file to indicate to the user that the OTP Passcode is expected in the second field.
   f. Then on the top right, click the blue Select button. This causes the Login Schema window to collapse and no longer show the Login Schema Files.
   g. In the Authentication Schema field, make sure the correct file name is selected.
   h. Click More.
   i. At the bottom, in the Password Credential Index field, enter a 1 to save the first password into AAA Attribute 1, which we’ll use later in a Traffic Policy that performs Single Sign-on to StoreFront.
   j. Then click the blue Create button.
5. Click OK to bind the Schema to the factor.
6. In the second factor, below the schema, click where it says Add Policy.
7. In the Select Policy drop-down, select your normal LDAP Active Directory authentication policy. This is the same one you used for the second factor in the manageotp branch.
8. Click the blue Add button to bind this LDAP policy to the second factor.

Create third factor to perform OTP authentication (Push or Passcode)

1. In the second factor, click the green plus icon next to the LDAP Policy to create another factor.
2. Name the factor according to this goal: perform OTP Push or Passcode authentication.
3. Be aware that the nFactor Visualizer might swap your third factors.
4. This third factor does not need a Login Schema.
5. In the new third factor (probably the top one; follow the arrows), click where it says Add Policy.
6. In the Choose Policy to Add page, click Add to create a policy.
   a. Name this policy according to this goal: perform OTP Push or OTP Passcode authentication.
   b. In the Action Type drop-down, select LDAP.
   c. In the Action drop-down, select the LDAP action you created earlier that verifies the OTP push or passcode. This is the Action that has the LDAP Filter configured.
   d. In the Expression box, enter true.
   e. Click the blue Create button.
7. Click the blue Add button to bind this policy to the third factor.
8. Click the blue Done button to close the Flow.

Bind nFactor Flow to AAA Virtual Server

1. In the nFactor Flows menu node, highlight the nFactor Flow and click the button labelled Bind to Authentication Server.
2. In the Authentication Server drop-down, select the AAA vServer you created earlier.

3. Everything else should already be filled in, so just click the blue Create button.

Maximum Number of Registered OTP Devices

ADC 13 lets you restrict the number of OTP devices each user can register:
1. In the ADC menu, go to Security > AAA – Application Traffic.
2. On the right, click Change authentication AAA OTP Parameter.
3. Enter the number of devices each user can register and then click OK.
4. When the user attempts to register more than the max number of devices, the error message is not user friendly.
5. But you can see the actual error by grepping /var/log/ns.log for otp, which might show "Max permitted otp devices reached".

Traffic Policy for Single Sign-on to StoreFront

Create Traffic Profile

1. On the left, go to Citrix Gateway > Policies > Traffic.
2. On the right, switch to the tab named Traffic Profiles, and click Add.
3. Name the Traffic Profile according to this goal: use the AAA attribute 1 as password when doing Single Sign-on to StoreFront.
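As an added example (not the article’s own CLI Commands section), here are the objects built in the steps above expressed as Citrix ADC 13 CLI commands, so that the security-relevant differences between the three LDAP actions, the first-factor branch selection and the SSO password expression can be read in one place. Every object name, IP address, bind DN, the 10.0.0.0/8 internal range, the certificate name and the device limit are constructed placeholders; the exact parameter names of the pushService and aaa otpparameter commands are assumed from the GUI fields rather than taken from the article, and the SSO password expression HTTP.REQ.USER.ATTRIBUTE(1) is assumed to be the expression the Traffic Profile step refers to.

```text
# Added example, not the article's own CLI. All names, addresses and secrets below
# are constructed placeholders; verify each command against your ADC build.

# NTP: accurate time is required for OTP passcode verification
add ntp server 10.0.0.5
enable ntp sync

# Non-addressable AAA vServer (no extra public IP needed), same cert as the Gateway
add authentication vserver AAA-OTP SSL 0.0.0.0 443
bind ssl vserver AAA-OTP -certkeyName WildcardCert

# Push Service from the Citrix Cloud API client (assumed parameter names; values are placeholders)
add authentication pushService PushSvc-CitrixCloud -clientID <clientId> -clientSecret <clientSecret> -customerID <customerId>

# 1) Normal LDAP action: authentication ENABLED, verifies the AD password
add authentication ldapAction LDAP-Corp -serverIP 10.0.1.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "svc-ns-otp@corp.example" -ldapBindDnPassword "<password>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userPrincipalName

# 2) Registration action: authentication DISABLED; writes the OTP secret to userParameters.
#    The bind account must be allowed to modify userParameters on every user.
add authentication ldapAction LDAP-OTP-Register -serverIP 10.0.1.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "svc-ns-otp@corp.example" -ldapBindDnPassword "<password>" -ldapLoginName sAMAccountName -authentication DISABLED -OTPSecret userParameters -pushService PushSvc-CitrixCloud

# 3) Verification action: identical to (2) plus the search filter, so a user with no
#    enrolled device is refused instead of passing the OTP factor
add authentication ldapAction LDAP-OTP-Verify -serverIP 10.0.1.10 -serverPort 636 -secType SSL -ldapBase "dc=corp,dc=example" -ldapBindDn "svc-ns-otp@corp.example" -ldapBindDnPassword "<password>" -ldapLoginName sAMAccountName -authentication DISABLED -searchFilter "userParameters>=#@" -OTPSecret userParameters -pushService PushSvc-CitrixCloud

# Login Schemas: manageotp (hidden manageotp credential) and dual auth (AD password kept in AAA attribute 1)
add authentication loginSchema LS-ManageOTP -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuthManageOTP.xml"
add authentication loginSchema LS-DualAuthPushOrOTP -authenticationSchema "/nsconfig/loginschema/LoginSchema/DualAuthPushOrOTP.xml" -passwordCredentialIndex 1

# Policies. The manageotp selector is a NO_AUTHN decision point restricted to the internal range.
add authentication noAuthAction NoAuth
add authentication Policy Pol-SelectManageOTP -rule 'HTTP.REQ.COOKIE.VALUE("NSC_TASS").EQ("manageotp") && CLIENT.IP.SRC.IN_SUBNET(10.0.0.0/8)' -action NoAuth
add authentication Policy Pol-SelectOTPAuth -rule true -action NoAuth
add authentication Policy Pol-LDAP-Corp -rule true -action LDAP-Corp
add authentication Policy Pol-OTP-Register -rule true -action LDAP-OTP-Register
add authentication Policy Pol-OTP-Verify -rule true -action LDAP-OTP-Verify

# manageotp branch: second factor = LDAP with the manageotp schema, third factor = registration (no schema)
add authentication policylabel Factor-ManageOTP-LDAP -loginSchema LS-ManageOTP
add authentication policylabel Factor-OTP-Register -loginSchema LSCHEMA_INT
bind authentication policylabel Factor-ManageOTP-LDAP -policyName Pol-LDAP-Corp -priority 100 -gotoPriorityExpression NEXT -nextFactor Factor-OTP-Register
bind authentication policylabel Factor-OTP-Register -policyName Pol-OTP-Register -priority 100 -gotoPriorityExpression NEXT

# OTP authentication branch: second factor = LDAP with the dual-auth schema, third factor = push/passcode check
add authentication policylabel Factor-OTP-LDAP -loginSchema LS-DualAuthPushOrOTP
add authentication policylabel Factor-OTP-Verify -loginSchema LSCHEMA_INT
bind authentication policylabel Factor-OTP-LDAP -policyName Pol-LDAP-Corp -priority 100 -gotoPriorityExpression NEXT -nextFactor Factor-OTP-Verify
bind authentication policylabel Factor-OTP-Verify -policyName Pol-OTP-Verify -priority 100 -gotoPriorityExpression NEXT

# First factor on the AAA vServer: selector first (lower priority number), catch-all 'true' policy after it
bind authentication vserver AAA-OTP -policy Pol-SelectManageOTP -priority 100 -nextFactor Factor-ManageOTP-LDAP -gotoPriorityExpression NEXT
bind authentication vserver AAA-OTP -policy Pol-SelectOTPAuth -priority 110 -nextFactor Factor-OTP-LDAP -gotoPriorityExpression NEXT

# Limit registered devices per user (assumed command form for the "AAA OTP Parameter" GUI setting)
set aaa otpparameter -maxOTPDevices 2

# Link the Gateway to the AAA vServer and use AAA attribute 1 (the AD password, not the passcode) for SSO
add authentication authnProfile AuthProf-OTP -authnVsName AAA-OTP
set vpn vserver gateway.corp.example -authnProfile AuthProf-OTP
add vpn trafficAction TP-OTP-SSO http -SSO ON -passwdExpression "HTTP.REQ.USER.ATTRIBUTE(1)"
add vpn trafficPolicy TPol-OTP-SSO true TP-OTP-SSO
bind vpn vserver gateway.corp.example -policy TPol-OTP-SSO -priority 100
```

Two points to check after applying something like this: the catch-all Pol-SelectOTPAuth must carry the higher priority number so the manageotp selector is evaluated first, and only LDAP-OTP-Verify carries the userParameters>=#@ filter, which is what makes an un-enrolled account fail the OTP factor rather than silently pass it; the registration action deliberately has no filter so that first-time enrollment works.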
