rcarreras
New Member
December 12, 2018
Question

Netscaler and Fortiauthenticator for 2FA Citrix Access

  • December 12, 2018
  • 2 replies
  • 12700 views

Hello,

We are implementing a PoC that integrates Wyse thin clients + NetScaler / Citrix + FortiAuthenticator. We need the Wyse thin clients to ask users for "user", "password", and "token". Wyse thin clients are able to use two-factor authentication logon by configuring a .ini configuration file.

The problem that we have is related to NetScaler / FortiAuthenticator, because we are trying to authenticate users to AD using LDAP and we have the following issue:

* NetScaler is configured with LDAP and RADIUS authentication policies, so NetScaler verifies the user credentials (not the token) in the first authentication step. If the credentials are wrong, authentication is cancelled. (That's OK.)

* If the initial NetScaler LDAP authentication is OK, NetScaler sends a RADIUS authentication request to FortiAuthenticator. But we have sniffed the RADIUS packet and it is sending "user" and "token" as the user's password. FortiAuthenticator tries to authenticate the user (LDAP remote user) to AD and it fails because the token code is not the user's AD password. FortiAuthenticator sends an Access-Reject packet to NetScaler and authentication is cancelled.

* If I configure the NetScaler with only a RADIUS authentication policy (without LDAP), NetScaler sends "user" and "password" correctly, and FortiAuthenticator sends a RADIUS challenge to NetScaler asking for the token code. If the token is correct, authentication is allowed.

How can I configure FortiAuthenticator or NetScaler in order to achieve one of these goals?

* NetScaler with LDAP and RADIUS policies should first send user and password, and after the RADIUS challenge, send the token code to FortiAuthenticator. We have got it working only with a single RADIUS policy in NetScaler. When LDAP and RADIUS policies are configured, NetScaler only sends "user" + "token".

OR

* Configure FortiAuthenticator for LDAP user verification (without password verification) and token code verification, so the initial "user"+"token" RADIUS request packet would be OK.

Any idea?

Thank you very much.

Ricard
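
To confirm what a NAS actually places in User-Password (the check behind the sniffed packet described above), here is an added example in Python, not from this thread nor from Citrix or Fortinet, that builds and decodes an RFC 2865 PAP Access-Request; the user name, token value, shared secret and Request Authenticator are constructed values.

```python
import hashlib
import struct
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 1, 2  # RFC 2865 codes

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: NUL-pad to 16-octet blocks and XOR each block with
    # MD5(secret + previous block), seeded with the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of pap_encrypt: block n's key comes from ciphertext block n-1.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, ident: int = 1) -> bytes:
    hidden = pap_encrypt(password, secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, 2 + len(user)]) + user
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    # Walk the attribute TLVs of a captured Access-Request; User-Password is
    # recoverable only with the shared secret plus the packet's own authenticator.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, out, pos = packet[4:20], {"code": code, "id": ident}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            out["user_name"] = value.decode()
        elif attr_type == ATTR_USER_PASSWORD:
            out["user_password"] = pap_decrypt(value, secret, authenticator).decode()
        pos += attr_len
    return out

# Constructed sample: the NAS has put the 6-digit token, not the AD password,
# into User-Password, which is what the chained LDAP+RADIUS policies produced.
SECRET, AUTHENTICATOR = b"constructed-shared-secret", bytes(range(16))
SAMPLE = build_access_request(b"ricard", b"123456", SECRET, AUTHENTICATOR)
```

Feeding the bytes of a real captured Access-Request and the RADIUS client's shared secret to parse_access_request shows whether the password field holds the AD password or the token.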

    xsilver_FTNT
    Staff
    December 13, 2018

    Hi Ricard,

    FortiAuthenticator (FAC) is able to auth the user against LDAP and then verify the token.

    Token auth takes place only after user+pass is OK.

    From my point of view you can:

    1. remove NetScaler from the authentication path, or offload all authentication from NetScaler to FAC, which can sync users from LDAP to 'Remote users' and assign them tokens, so user+pass will be authenticated against LDAP and the token auth done locally

    2. or you can sync users from LDAP to FAC + assign tokens, and set the RADIUS Client to auth only user+token, so NetScaler can do its own user+pass LDAP verification and offload/chain the token auth to FAC

    rcarreras
    New Member
    December 14, 2018

    Hi Xsilver_FTNT.

    We have imported the LDAP users locally and it's working fine. (Option 2)

    Thanks a lot!!

    Ricard

    ManCarreras
    New Member
    December 16, 2021

    Dear,

    Recently I've deployed one 2FA with NetScaler and FortiAuthenticator + LDAP. I've imported the LDAP users and the authentication with 2FA is working. The problem arrives when the user password expires: how can I send the password renewal to the user?

    My best regards and thank you in advance.