NetScaler Gateway Dual Factor using Yubikey
Yubikey is a hardware and software token made by Yubico. They also make a RADIUS appliance that can be made to work with NetScaler Gateway for dual factor authentication. The appliance is for vSphere but can be made to work with XenServer, as I explain below.
Obtaining the YubiRADIUS appliance
Download the virtual appliance from this link.
Once you fill in the form you will be emailed a link to the download which is 1.5 GBs in size.
Unpack all the files in the .zip to a location accessible from your XenCenter console
Importing the appliance into XenCenter
In XenCenter select File --> Import
Click Browse, select the .ovf file, and click Next
Choose the Pool or XenServer you want the appliance to be placed on and click Next
Select the Storage Resource where you want the appliance disk to be stored and click Next
Select the Network and click Next
Select to verify the manifest file and click Next
Don’t tick Use Operating System Fix Up and click Next
Select DHCP or enter an IP address for the transfer VM and click Next
If you tick Use Operating System Fix up or there is no DHCP server available the import will fail. In XenServer, go to View -->Hidden Objects and then delete the Transfer VM Object and start again.
Configuring the YubiRADIUS appliance
Once the appliance has finished importing you can boot it up and you should see this screen.
Click the yubikey part of the Window and you will be prompted to enter a password which is yubico.
Click on System-->Preferences-->Network Connections
Edit the Wired Auto Ethernet connection and enter an IP Address, Netmask, Default Gateway, and DNS server information.
Apply the settings, close the Network Connections windows and then Restart by using the System-->Shut Down option.
Once the appliance has rebooted you should be able to access it via a browser by using https://
Ignore the certificate warning and log in using username: yubikey password: yubico
After you login you will be prompted add a domain record. Enter the FQDN of your domain, e.g contoso.com
Now click on the Domain Tab and click your domain name that you entered earlier
Then click the User Import tab. Enter the IP address of a domain controller and the username and password to connect to the directory and then click Import Users
The username must be entered as a distinguished name. The easiest way to do this is to use Active Directory User and Computers with Advanced Features enabled (View menu), right click the OU where your Admin Account is and go to the Attribute editor tab and copy the distinguishedName filed then add cn=account name before this.
The admin accounts in my lab domain normally start with a “–“, it would not work with this and I had to use a different account so watch out for strange characters in your admin accounts.
If you leave the Base DN as the root of your domain the appliance is going to import every single account in your domain into the appliance. Not only is this messy but it is also less secure.
I keep all my user accounts in one OU so I specified this as the Base DN
You can select a schedule to have users imported in every hour or every day or every week.
Once you have successfully imported your users if you click back to the Users/Groups tab you should see a list of the users in your domain.
Configuring a Radius client (NetScaler Gateway)
Click the Configuration tab
Enter the NSIP of your NetScaler Gateway as the client IP and create a shared secret then click Add
Edit Files on Yubico Appliance to make it work with NetScaler Gateway
Out of the box, if you do not make any changes to the YubiRADIUS appliance users have to enter their username, and domain password in the normal places and then their domain password and Yubikey OTP in the secondary authentication box on the NetScaler Gateway screen. Obviously this isn't ideal.
James Trevaskis wrote a blog post and a patch file to make the YubiRADIUS appliance work with NetScaler Gateway so that users do not have to enter their domain password in the secondary password field. Unfortunately his patch file does not work with the latest version of YubRADIUS. The good news is that by following this blog post I was able to work out how to manually apply the patches to the files on the YubiRADIUS appliance.
The patched version of ropverify.php is available to download from my site here.
Just connect to the YubRADIUS appliance using WinSCP.
Navigate to /var/www/wsapi
Backup your original ropverify.php and then replace it with the one above.
Configure NetScaler Gateway RADIUS Authentication Policy
Log into your NetScaler Gateway.
Expand Access Gatewa-->Policies-->Authentication-->Radius and click Add
Give the Policy a name and then click New next to Server
In named Expressions select General and True value from the drop down and click Add Expression.
You show now see ns_true in the expressions box.
Now click Create
Assign a YubiKey to a user
On the YubiRADIUS admin page click on your domain name and click on Users/Groups.
Click on Assign a new YubiKey and enter the username and hold down the button on your YubiKey to enter the OTP.