NetScaler Gateway Dual Factor Authentication using SMS2
A big thank you to Steven Wright of SMS2 for helping me with this when I got stuck.
If you are going to be using SMS to receive your OTP you must sign up to a Cloud SMS service such as Text Local
If you will be using Google Authenticator, download the app from your app store.
Installing Network Policy Server
Select Network Policy and Access Services and click Next
Configuring NPS with a RADIUS client
Open Network Policy Server console
Expand RADIUS Clients and Servers
Right click RADIUS client and click New
Enter the NSIP of your NetScaler Gateway and configure a shared secret. You will need the shared secret when you configure the RADIUS policy on your NetScaler Gateway.
Configure NetScaler Gateway RADIUS Authentication Policy
Log into your NetScaler Gateway.
Expand Access Gatewa-->Policies-->Authentication-->Radius and click Add
Give the Policy a name and then click New next to Server
Give the Server a name, enter the IP address of your NPS Server, enter the shared key / secret created in the previous step and click Create.
In named Expressions select General and True value from the drop down and click Add Expression.
You show now see ns_true in the expressions box.
Now click Create
Click Configure AuthEngine
Copy and paste your license into this window and click Check License, and then Next
If you want to use the Local System account click Test Login and click Next.
Enter your ldap configuration and click Test
Note: If you set your base DN to an OU that DOES NOT contain your admin accounts, you will not be able to launch the SMS2 console.
To change this after install, open C:Program Files (x86)WrightCCS2SettingsConfiguration.xml and edit the line
You should get a message like this returned. Click OK then click Next
Enter the connection details to your database server and click Test Connection
You should get a message saying Test SQL Connection Sucessful
Click OK and click Next.
Now click on configure CloudSMS
Select the name of your Cloud SMS provider from the Samples drop down and hit Load. I used Textlocal.
Fill in the required details and click Next.
Click on Configure OATHCalc
Click Configure AdminGUI/Clients
Note: If you are getting a IAS/NPS message on this screen it is because you have not installed NPS role yet, go back and install it without exiting this screen. Then click Back and Typical and you will be able to proceed without having to redo the config.
Now click Next.
The Web Interface directory is not required if you are using NetScaler Gateway or just StoreFront.
Click Install and click Finish once it's complete.
Now Run SMS2 Administration from your Start Screen.
To configure SMS2 open the following file in a text editor.
C:Program Files (x86)WrightCCS2SettingsConfiguration.xml
I have found that I get the following message if the LDAP Base DN is set to anything else than the root of the domain.
To change this open
Open C:Program Files (x86)WrightCCS2SettingsConfiguration.xml
And edit the line
So that it is pointing to the root of the domain.
No Admin Rights
The first time I setup SMS2 my Domain Admin account was not configured as an Administrator in the SMS2 console and therefore I could only see my account in the Admin console.
To get around this run the following command with elevated rights
C:Program FilesWrightCCS2ServiceWright.MakeAdmin.exe" <configration.xml> <ad_username>
Where configuration.xml is the path to the configuration.xml as above and ad_username is the username of the person you want to make administrators (use domainusername)
After you have done this you will need to restart the WrightAuthEngine service.
Disabling / Enabling Providers
If you want to disable the Dual Factor Authentication providers that are available to users in the console
Under the <AuthProviders><Provider> section
Set <Enabled> to false as below
The Providers you disable will then no longer be available when you relaunch the console, as below.
Enable Challenge Response
In order for SMS2 to prompt you for your OTP after you have entered your PIN you must set the line below to true.
And add this line