YubiKey is a hardware one-time-password token made by Yubico. Yubico also provides YubiRADIUS, a RADIUS server virtual appliance, which can be used with NetScaler Gateway for two-factor authentication. The appliance is built for vSphere, but it can be made to work on XenServer, as explained below.

Obtaining the YubiRADIUS appliance

Download the virtual appliance from this link.

http://www.yubico.com/products/services-software/yubiradius/download/

Once you fill in the form you will be emailed a link to the download, which is about 1.5 GB in size.

Unpack all the files in the .zip to a location accessible from the machine running XenCenter.

Importing the appliance into XenCenter

In XenCenter select File --> Import

Click Browse, select the .ovf file, and click Next

Choose the Pool or XenServer you want the appliance to be placed on and click Next

Select the Storage Resource where you want the appliance disk to be stored and click Next

Select the Network and click Next

Select the option to verify the manifest file and click Next

Do not tick Use Operating System Fix Up and click Next

Select DHCP or enter a static IP address for the Transfer VM and click Next

If you tick Use Operating System Fix Up, or you chose DHCP and there is no DHCP server on the selected network, the import will fail. If that happens, in XenCenter go to View --> Hidden Objects, delete the Transfer VM object, and start the import again.

(Screenshot: deleting the Transfer VM)

Configuring the YubiRADIUS appliance

Once the appliance has finished importing, boot it up; you should see the login screen shown below.

Click the yubikey user on the login screen and enter the password, which is yubico. This is a published default credential, so change it before the appliance is reachable from anything other than your management network.

(Screenshot: YubiRADIUS boot screen)

Click on System-->Preferences-->Network Connections

(Screenshot: configuring the network connection)

Edit the Wired Auto Ethernet connection and enter a static IP address, netmask, default gateway and DNS server.

Apply the settings, close the Network Connections window, and then restart the appliance using System-->Shut Down.

Once the appliance has rebooted you should be able to reach it in a browser over https:// at the IP address you configured.

You will get a certificate warning because the appliance ships with its own default certificate; accept it and log in with username: yubikey password: yubico. Like the console login, this is a default credential and should be changed.

After you log in you will be prompted to add a domain record. Enter the FQDN of your domain, e.g. contoso.com

(Screenshot: configuring the domain)

Import Users

Now click the Domain tab and then click the domain name you entered earlier

(Screenshot: importing users)

Then click the User Import tab. Enter the IP address of a domain controller and the username and password of the account the appliance should use to read the directory, then click Import Users

The username must be entered as a distinguished name (DN). The easiest way to get it is in Active Directory Users and Computers with Advanced Features enabled (View menu): right-click the OU that holds the account, open the Attribute Editor tab, copy the distinguishedName value, and prefix it with CN= followed by the account's name and a comma. Note that the CN is the object name shown in ADUC, which is not necessarily the account's logon name. Use a dedicated account with read-only access to the directory for this rather than a domain administrator: its credentials are stored on the appliance and used unattended by the scheduled import.

The admin accounts in my lab domain normally start with a “–”; it would not work with this, and I had to use a different account, so watch out for strange characters in your admin accounts.

If you leave the Base DN as the root of your domain, the appliance will import every account in the domain. Not only is this messy, it also copies every account, including service and administrative accounts, onto the appliance, which is less secure than importing only the users who need remote access.

I keep all my user accounts in one OU, so I specified this as the Base DN.

You can also schedule the import to run every hour, every day or every week.

(Screenshot: LDAP settings)

Once the users have been imported successfully, click back to the Users/Groups tab and you should see the list of users found under the Base DN.
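It is worth checking the bind DN and Base DN before typing them into the appliance, because a bad DN or an over-broad Base DN only shows up as a failed or oversized import. The following is an added example, not code from the original post or from YubiRADIUS: it escapes the account's CN per RFC 4514, builds the DN from the container DN copied out of Attribute Editor, checks that the Base DN is narrower than the domain root, and prints an ldapsearch command that reads the same logon-name attribute the import does. The account name svc-yubiradius, the OU layout and the domain controller address 192.0.2.5 are assumptions; contoso.com is the domain from the text.

```python
import shlex

# RFC 4514 section 2.4: characters that must be escaped anywhere in an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 string form).

    Hyphens and dashes are deliberately left alone: RFC 4514 does not require
    escaping them, so this does not work around account names the appliance
    itself rejects.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in " #":
            out.append("\\" + ch)   # a leading space or '#' must be escaped
        elif i == last and ch == " ":
            out.append("\\ ")       # a trailing space must be escaped
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(fqdn: str) -> str:
    """contoso.com -> DC=contoso,DC=com (the root of the domain naming context)."""
    labels = [label for label in fqdn.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={escape_rdn_value(label)}" for label in labels)


def bind_dn(cn: str, container_dn: str) -> str:
    """Prefix the container DN copied from Attribute Editor with the account's CN.

    The CN is the object name shown in ADUC, not necessarily the logon name.
    """
    return f"CN={escape_rdn_value(cn)},{container_dn}"


def is_scoped_below(base_dn: str, domain_dn: str) -> bool:
    """True if base_dn is a container under the domain root rather than the root itself."""
    def norm(dn):
        return ",".join(part.strip() for part in dn.split(",")).lower()
    base, root = norm(base_dn), norm(domain_dn)
    return base != root and base.endswith("," + root)


def ldapsearch_command(dc_address: str, binddn: str, basedn: str) -> str:
    """ldapsearch invocation that binds as the import account and lists logon names
    under the Base DN, i.e. the same objects the appliance will import."""
    return " ".join([
        "ldapsearch", "-x", "-LLL",
        "-H", shlex.quote(f"ldap://{dc_address}"),
        "-D", shlex.quote(binddn), "-W",
        "-b", shlex.quote(basedn),
        shlex.quote("(&(objectCategory=person)(objectClass=user))"),
        "sAMAccountName",
    ])


if __name__ == "__main__":
    # Constructed lab values: the domain from the article with an assumed OU layout.
    domain = domain_to_dc("contoso.com")
    users_ou = "OU=Users,OU=Lab," + domain
    dn = bind_dn("svc-yubiradius", "OU=Service Accounts," + domain)  # assumed account name
    print("bind DN:", dn)
    print("Base DN is narrower than the domain root:", is_scoped_below(users_ou, domain))
    print(ldapsearch_command("192.0.2.5", dn, users_ou))
```

Run the printed ldapsearch command from any machine that can reach the domain controller; if it binds and lists the expected sAMAccountName values, the same DN, password and Base DN will work on the User Import tab, and the number of entries returned is the number of accounts that will land on the appliance.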

Configuring a Radius client (NetScaler Gateway)

Click the Configuration tab

Enter the NSIP of your NetScaler Gateway as the client IP, enter a long random shared secret, and click Add. A RADIUS server silently discards requests that do not come from a registered client address, so the address here must be the one the NetScaler actually sources its RADIUS traffic from (by default the NSIP). The shared secret is the only thing protecting the password inside each request, so do not use a short or guessable one.

(Screenshot: adding the RADIUS client)

Edit Files on Yubico Appliance to make it work with NetScaler Gateway

Out of the box, the YubiRADIUS appliance expects users to enter their username and domain password in the usual fields on the NetScaler Gateway logon page and then their domain password followed by their YubiKey OTP in the secondary password box. Having to type the domain password twice obviously isn't ideal.

James Trevaskis wrote a blog post and a patch file that change the YubiRADIUS appliance so that users do not have to enter their domain password in the secondary password field. Unfortunately his patch file does not apply to the latest version of YubiRADIUS. The good news is that, by following his blog post, I was able to work out how to apply the same changes manually to the files on the YubiRADIUS appliance.

The patched version of ropverify.php is available to download from my site here.

Connect to the YubiRADIUS appliance using WinSCP.

Navigate to /var/www/wsapi

Back up the original ropverify.php and then replace it with the patched copy. Keep the backup: it is the quickest way to recover if the patched file does not match your appliance version, and diffing the two shows exactly which checks the patch changes before you rely on it.

Configure NetScaler Gateway RADIUS Authentication Policy

Log into your NetScaler Gateway.

Expand Access Gateway-->Policies-->Authentication-->RADIUS and click Add

Give the Policy a name and then click New next to Server

Give the server a name, enter the IP address of the YubiRADIUS appliance, enter the shared secret created in the previous step and click Create.

(Screenshot: adding the RADIUS policy)

Under Named Expressions select General and True value from the drop-down lists and click Add Expression.

You should now see ns_true in the expression box.

Now click Create

(Screenshot: configuring the RADIUS policy)

Assign a YubiKey to a user

On the YubiRADIUS admin page click your domain name and then click Users/Groups.

(Screenshot: assigning a YubiKey)

Click Assign a new YubiKey, enter the username, and then press the button on the YubiKey so that it types an OTP into the field. The first 12 characters of that OTP are the key's public ID, which is what the appliance uses to tie this particular key to the user.