NetScaler Gateway Dual Factor Authentication using SMS2


A big thank you to Steven Wright of SMS2 for helping me with this when I got stuck.


SMS Authentication

If you are going to use SMS to receive your OTP, you must sign up to a cloud SMS service such as Textlocal.

If you will be using Google Authenticator, download the app from your app store.


Installing Network Policy Server

Select Network Policy and Access Services and click Next

[Screenshot: Add_Roles]

Click Next

[Screenshot: Add_Features]

Click Next

[Screenshot: NPS]

Click Next

[Screenshot: Add_Features]

Click Install

[Screenshot: Add_Role_Install]

Configuring NPS with a RADIUS client

Open the Network Policy Server console

Expand RADIUS Clients and Servers

Right click RADIUS Clients and click New

Enter the NSIP of your NetScaler Gateway and configure a shared secret. You will need the shared secret when you configure the RADIUS policy on your NetScaler Gateway.

[Screenshot: New_RADIUS_Client]

Configure NetScaler Gateway RADIUS Authentication Policy

Log into your NetScaler Gateway.

Expand Access Gateway --> Policies --> Authentication --> Radius and click Add

Give the policy a name and then click New next to Server

Give the server a name, enter the IP address of your NPS server, enter the shared key / secret created in the previous step and click Create.

[Screenshot: Add_RADIUS_Policy]

In Named Expressions, select General and True value from the drop-down and click Add Expression.

You should now see ns_true in the Expressions box.

Now click Create

[Screenshot: New_RADIUS_Policy]
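The NPS and NetScaler steps above, carried out from PowerShell instead of the two GUIs. This is an added example, not part of the original post and not SMS2 or Citrix code. It installs the NPS role if it is missing, registers the NetScaler NSIP as a RADIUS client with a shared secret drawn from the OS random number generator rather than typed by hand, and prints the NetScaler CLI equivalents of the Radius policy steps (radiusAction with the server IP and key, radiusPolicy bound to ns_true) so the same secret lands on both sides. The IP addresses and the client, action and policy names are placeholders to replace with your own.

```powershell
# Added example (not from the original post): NPS role, RADIUS client for the NetScaler NSIP,
# and the matching NetScaler CLI lines. Placeholder values: $NetScalerNsip, $NpsServerIp,
# $ClientName, $ActionName, $PolicyName.
param(
    [string]$NetScalerNsip = '192.0.2.10',        # placeholder: NSIP of your NetScaler Gateway
    [string]$NpsServerIp   = '192.0.2.20',        # placeholder: IP address of this NPS server
    [string]$ClientName    = 'NetScalerGateway',  # name of the RADIUS client entry in NPS
    [string]$ActionName    = 'SMS2_NPS_Server',   # NetScaler RADIUS server (action) name
    [string]$PolicyName    = 'SMS2_RADIUS_Policy' # NetScaler RADIUS policy name
)

function New-RadiusSharedSecret {
    # 16 bytes from the OS CSPRNG rendered as 32 hex characters: 128 bits of entropy and no
    # characters that need quoting in the NPS dialog or on the NetScaler command line.
    param([int]$ByteCount = 16)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $ByteCount
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

# Step 1: Network Policy and Access Services (the Add Roles wizard above). Idempotent.
$feature = Get-WindowsFeature -Name NPAS
if (-not $feature.Installed) {
    Install-WindowsFeature -Name NPAS -IncludeManagementTools | Out-Null
}
Import-Module NPS

# Step 2: the RADIUS client entry (RADIUS Clients and Servers > RADIUS Clients > New).
# NPS only accepts RADIUS requests from the address registered here, so use the NSIP as the post says.
$secret = New-RadiusSharedSecret
if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName }) {
    Remove-NpsRadiusClient -Name $ClientName      # replace an older entry rather than keep a stale secret
}
New-NpsRadiusClient -Name $ClientName -Address $NetScalerNsip -SharedSecret $secret | Out-Null

# Step 3: the NetScaler side, as CLI equivalents of Policies > Authentication > Radius > Add
# with the ns_true named expression. Paste these on the NetScaler; the secret is shown once.
@"
add authentication radiusAction $ActionName -serverIP $NpsServerIp -serverPort 1812 -radKey $secret
add authentication radiusPolicy $PolicyName ns_true $ActionName
"@

# Sanity check: the client NPS now trusts, listed without the secret.
Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName } | Select-Object Name, Address
```

The secret is printed exactly once, inside the NetScaler lines; it is not written to disk, so copy it straight into the NetScaler session and clear the console afterwards. Re-running the script rotates the secret on the NPS side, which means the radiusAction on the NetScaler must be updated at the same time or authentication will fail until it is.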

Installing SMS2

Click Next

[Screenshot: SMS2_Install_Start]

Click Typical

[Screenshot: SMS2_Install_Options]

Click Configure AuthEngine

[Screenshot: SMS2_Install_Options2]

Copy and paste your license into this window, click Check License, and then click Next

[Screenshot: SMS2_License]

If you want to use the Local System account, click Test Login and then click Next.

Enter your LDAP configuration and click Test

[Screenshot: SMS2_Install_LDAP]

Note: If you set your base DN to an OU that DOES NOT contain your admin accounts, you will not be able to launch the SMS2 console.

To change this after install, open C:\Program Files (x86)\WrightCCS2\Settings\Configuration.xml and edit the line

  <ADBaseDN>DC=skynetcomputing,DC=local</ADBaseDN>

You should get a message like this returned. Click OK and then click Next

[Screenshot: SMS2_LDAP_Query]

Enter the connection details for your database server and click Test Connection

[Screenshot: SMS2_SQL_Connection]

You should get a message saying Test SQL Connection Successful

Click OK and click Next.

Now click Configure CloudSMS

[Screenshot: SMS2_Install_1]

Click Next

[Screenshot: SMS2_CloudSMS_Service]

Select the name of your cloud SMS provider from the Samples drop-down and hit Load. I used Textlocal.

Fill in the required details and click Next.

[Screenshot: SMS2_CloudSMS_Config]

Click Configure OATHCalc

[Screenshot: SMS2_Install]

Click Next

[Screenshot: OathCalc_Service]

Click Finish

[Screenshot: OathCalc_Config]

Click Configure AdminGUI/Clients

[Screenshot: SMS2_Install_3]

Click Finish.

[Screenshot: SMS2_AdminGUI_Config]

Note: If you are getting an IAS/NPS message on this screen it is because you have not installed the NPS role yet. Go back and install it without exiting this screen, then click Back and Typical and you will be able to proceed without having to redo the configuration.

Now click Next.

[Screenshot: SMS2_Install_4]

The Web Interface directory is not required if you are using NetScaler Gateway or just StoreFront.

Click Next.

[Screenshot: SMS2_WebInterface]

Click Install and click Finish once it's complete.

[Screenshot: SMS2_Install_Final]

Now run SMS2 Administration from your Start Screen.

[Screenshot: SMS2_Administration]

Configuring SMS2

To configure SMS2, open the following file in a text editor.

C:\Program Files (x86)\WrightCCS2\Settings\Configuration.xml

Base DN

I have found that I get the following message if the LDAP Base DN is set to anything other than the root of the domain.

[Screenshot: Admin_Console_Error]

To change this, open C:\Program Files (x86)\WrightCCS2\Settings\Configuration.xml and edit the line

<ADBaseDN>OU=Accounts,DC=Domain,DC=local</ADBaseDN>

so that it points to the root of the domain.

No Admin Rights

The first time I setup SMS2 my Domain Admin account was not configured as an Administrator in the SMS2 console and therefore I could only see my account in the Admin console.

To get around this, run the following command with elevated rights:

"C:\Program Files\WrightCCS2\Service\Wright.MakeAdmin.exe" <configuration.xml> <ad_username>

Where configuration.xml is the path to the Configuration.xml file as above and ad_username is the username of the person you want to make an administrator (use domain\username).

After you have done this you will need to restart the WrightAuthEngine service.

Disabling / Enabling Providers

If you want to disable any of the Dual Factor Authentication providers that are available to users in the console:

[Screenshot: Providers_Config]

Under the <AuthProviders><Provider> section, set <Enabled> to false as below

  <Provider>
    <Name>PINTAN</Name>
    <AdGroup />
    <Enabled>false</Enabled>
    <Default>false</Default>
    <Config />
  </Provider>

The providers you disable will then no longer be available when you relaunch the console, as below.

[Screenshot: Providers_Config2]

Enable Challenge Response

In order for SMS2 to prompt you for your OTP after you have entered your PIN you must set the line below to true.

<AuthEngineChallengeResponse>True</AuthEngineChallengeResponse>

And add this line

<AuthEnginePinCodeTokenSeperated>True</AuthEnginePinCodeTokenSeperated>
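The three Configuration.xml changes from the Base DN, Disabling / Enabling Providers and Enable Challenge Response sections, applied with an XML parser rather than by hand so a typo cannot leave the AuthEngine with a file it cannot load. This is an added example, not part of the original post and not SMS2 code. The element names (ADBaseDN, AuthProviders/Provider with Name and Enabled, AuthEngineChallengeResponse, AuthEnginePinCodeTokenSeperated) come from the post; it is an assumption that the two AuthEngine* settings sit directly under the root element, which is where the script creates them if they are absent. The sample file it can run against is constructed from the snippets above, and WrightAuthEngine is assumed to be the service name as well as its display name.

```powershell
# Added example (not from the original post or SMS2): backs up Configuration.xml, points ADBaseDN
# at the domain root, disables the named providers, turns on challenge response and the separate
# PIN / token prompt, and optionally restarts the AuthEngine. Use -UseSample to try it offline
# against a constructed file instead of the real one.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\WrightCCS2\Settings\Configuration.xml',
    [string]$BaseDn     = 'DC=Domain,DC=local',   # root of the domain, as the Base DN section requires
    [string[]]$DisableProviders = @('PINTAN'),
    [switch]$RestartService,
    [switch]$UseSample
)

function Set-Sms2Element {
    # Sets a single-valued element such as <ADBaseDN>; creates it under the root if missing (assumption).
    param([xml]$Xml, [string]$Name, [string]$Value)
    $node = $Xml.SelectSingleNode("//$Name")
    if ($null -eq $node) {
        $node = $Xml.CreateElement($Name)
        $Xml.DocumentElement.AppendChild($node) | Out-Null
    }
    $node.InnerText = $Value
}

function Set-Sms2ProviderEnabled {
    # Flips <Enabled> on the <Provider> whose <Name> matches; returns $false if no such provider exists.
    param([xml]$Xml, [string]$ProviderName, [bool]$Enabled)
    $node = $Xml.SelectSingleNode("//AuthProviders/Provider[Name='$ProviderName']/Enabled")
    if ($null -eq $node) { return $false }
    $node.InnerText = $Enabled.ToString().ToLower()
    return $true
}

function Update-Sms2Configuration {
    param([string]$Path, [string]$BaseDn, [string[]]$DisableProviders)
    $backup = "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $Path -Destination $backup
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)                       # a malformed file fails here, before anything is written
    Set-Sms2Element -Xml $xml -Name 'ADBaseDN' -Value $BaseDn
    Set-Sms2Element -Xml $xml -Name 'AuthEngineChallengeResponse' -Value 'True'
    Set-Sms2Element -Xml $xml -Name 'AuthEnginePinCodeTokenSeperated' -Value 'True'   # spelled as the SMS2 key is
    foreach ($p in $DisableProviders) {
        if (-not (Set-Sms2ProviderEnabled -Xml $xml -ProviderName $p -Enabled $false)) {
            Write-Warning "Provider '$p' not found in $Path"
        }
    }
    $xml.Save($Path)
    return $backup
}

# Constructed sample (not the real SMS2 file), built from the snippets in the post, for offline trials.
$sample = @"
<Configuration>
  <ADBaseDN>OU=Accounts,DC=Domain,DC=local</ADBaseDN>
  <AuthEngineChallengeResponse>False</AuthEngineChallengeResponse>
  <AuthProviders>
    <Provider><Name>PINTAN</Name><AdGroup /><Enabled>true</Enabled><Default>false</Default><Config /></Provider>
    <Provider><Name>SampleProvider</Name><AdGroup /><Enabled>true</Enabled><Default>true</Default><Config /></Provider>
  </AuthProviders>
</Configuration>
"@

if ($UseSample) {
    $ConfigPath = Join-Path $env:TEMP 'Configuration.sample.xml'
    Set-Content -LiteralPath $ConfigPath -Value $sample -Encoding UTF8
}

$backup = Update-Sms2Configuration -Path $ConfigPath -BaseDn $BaseDn -DisableProviders $DisableProviders
"Backup written to $backup"
Get-Content -LiteralPath $ConfigPath

# The post notes that changes take effect after the WrightAuthEngine service is restarted.
if ($RestartService -and -not $UseSample) { Restart-Service -Name WrightAuthEngine }
```

Run it once with -UseSample and read the printed file: ADBaseDN should show the domain root, the PINTAN provider should carry <Enabled>false</Enabled>, and both AuthEngine* elements should read True. The timestamped .bak beside the real file is the rollback path if the AuthEngine rejects the new settings.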