Configure SMS OTP for Web authentication
NetScaler can now be integrated with a third party SMS provider to provide an extra layer of authentication.
The NetScaler appliance can be configured to send an OTP to the user's mobile phone as a second factor of authentication. After a successful AD login, the appliance presents the user with a logon form to enter the OTP. Only after the SMS OTP is validated successfully is the user presented with the requested resource.
To achieve SMS OTP authentication, the NetScaler appliance relies on the following factors in the back end.
- Authenticate the user using LDAP authentication and extract the user’s mobile number.
- Create the OTP and store it in an NS variable. For details, see Configuring and using variables.
- Send the OTP via WebAuth authentication method to the mobile number extracted from LDAP.
- Validate the OTP.
Prerequisites
Enable features and add SNIP
Run the following commands to enable the features required for this configuration:
enable ns feature LB SSL SSLVPN AAA
add ns ip <SNIP-IP> <subnet mask> -type SNIP
Configure OTP store
Admins must set up a database/store to save OTPs used for SMS authentication.
The recommended configuration range for the expires parameter (OTP expiration) is 30 to 180 seconds. Any value outside this range might result in a failed SMS OTP configuration and nFactor flow.
add ns variable otp_store -type "map(text(65),text(6),100000)" -ifValueTooBig undef -ifNoValue undef -expires 60
Generate random OTP per user session
Use the following command to generate a 6-digit random OTP per user session and save it in the OTP store.
add ns assignment generate_otp -variable "$otp_store[AAA.USER.SESSIONID]" -set ("000000" + SYS.RANDOM.MUL(1000000).TYPECAST_UNSIGNED_LONG_AT.TYPECAST_TEXT_T).SUFFIX(6)
Configure SMS OTP authentication with NetScaler
- Before you configure the SMS two-factor authentication feature, you must have LDAP authentication configured on the NetScaler appliance as the first factor with authentication enabled. For instructions to configure LDAP authentication, see To configure LDAP authentication by using the configuration utility.
- Configure LDAP and extract the mobile number to be used for SMS OTP authentication.
Sample first factor configuration
Configure LDAP as the first factor for authentication.
add authentication ldapAction ldap_extraction_action -serverIP <IP_Address> -ldapBase OU=Sanity,dc=aaa,dc=local -ldapBindDn administrator@aaa.local -ldapBindDnPassword <password> -ldapLoginName samaccountname -groupAttrName memberof -subAttributeName CN -authentication disabled
add authentication Policy ldap_extraction_policy -rule true -action ldap_extraction_action
Note
The mobile number can be extracted using AAA.USER.ATTRIBUTE(1) and included when sending the request to the back-end server.
Sample second factor configuration
The following sample configuration generates the OTP that is to be sent to the end user.
add authentication Policy set_otp -rule true -action generate_otp
add authentication policylabel set_otp_label -loginSchema LSCHEMA_INT
bind authentication policylabel set_otp_label -policyName set_otp -priority 1
add authentication Policy cascade_noauth -rule true -action NO_AUTHN
Web authentication policy and action
Now, configure the web authentication action to send the OTP, along with the mobile number fetched by the LDAP policy, to any third-party SMS sender.
Send the generated OTP to a third-party SMS provider or any web server as configured below:
add policy expression otp_exp_post "\"Message: OTP is \" + $otp_store[AAA.USER.SESSIONID] + \" for login into secure access gateway. Valid till EXPIRE_TIME. Do not share the OTP with anyone for security reasons&Mobile:\" + AAA.USER.ATTRIBUTE(1)"
add authentication webAuthAction sms_post -serverIP <web_application_ip> -serverPort 80 -fullReqExpr q{"POST /MyPHP/auth.php HTTP/" + http.req.version.major + "." + http.req.version.minor + "\r\nAccept:*/*\r\nHost: <web_application_ip>\r\nContent-Length:100\r\n\r\n" + otp_exp_post} -scheme http -successRule true
add authentication Policy post_wpp -rule true -action sms_post
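The request that sms_post assembles, and the receiving side's job, modelled in Python as an added example (this is not code from the page or from NetScaler). The IP, session id, OTP and mobile number are constructed stand-ins for <web_application_ip>, AAA.USER.SESSIONID, $otp_store and AAA.USER.ATTRIBUTE(1); the parser stands in for whatever auth.php does. It computes Content-Length from the body, because the fixed value 100 in the sample is shorter than the message text the otp_exp_post expression produces, so a receiver that honours the declared length never sees the mobile number.

```python
OTP_STORE = {"sess1": "004242"}     # constructed stand-in for $otp_store[SESSIONID]
LDAP_MOBILE = "+15550100"           # constructed stand-in for AAA.USER.ATTRIBUTE(1)
WEB_APP_IP = "192.0.2.10"           # constructed stand-in for <web_application_ip>


def otp_exp_post(session_id, mobile):
    """The otp_exp_post named expression from the page, evaluated in Python."""
    return ("Message: OTP is " + OTP_STORE[session_id]
            + " for login into secure access gateway. Valid till EXPIRE_TIME."
            + " Do not share the OTP with anyone for security reasons&Mobile:" + mobile)


def build_sms_post(session_id, mobile, http_major=1, http_minor=1):
    """Request as -fullReqExpr builds it, but with Content-Length taken from
    the actual body rather than the fixed 100 in the sample."""
    body = otp_exp_post(session_id, mobile).encode()
    head = (f"POST /MyPHP/auth.php HTTP/{http_major}.{http_minor}\r\n"
            f"Accept:*/*\r\nHost: {WEB_APP_IP}\r\n"
            f"Content-Length:{len(body)}\r\n\r\n")
    return head.encode() + body


def parse_sms_post(raw):
    """Receiver side: honour Content-Length, then split the body on the
    '&Mobile:' delimiter into the SMS text and the destination number."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = dict(line.split(b":", 1) for line in head.split(b"\r\n")[1:])
    length = int(headers[b"Content-Length"].strip())
    body = rest[:length].decode()
    message, sep, mobile = body.partition("&Mobile:")
    if not sep or not mobile:
        raise ValueError("body truncated: mobile number missing")
    return {"message": message, "mobile": mobile}


def fixed_length_truncates(session_id, mobile, declared=100):
    """True when the body is longer than the hard-coded Content-Length."""
    return len(otp_exp_post(session_id, mobile).encode()) > declared


if __name__ == "__main__":
    req = build_sms_post("sess1", LDAP_MOBILE)
    print(req.decode())
    print(parse_sms_post(req))
    print("Content-Length:100 would truncate:", fixed_length_truncates("sess1", LDAP_MOBILE))
```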
Check the OTP
Add the following policy and policy label to check if the OTP exists for the user session:
add authentication policylabel check_otp_label -loginSchema LSCHEMA_INT
add authentication Policy check_otp -rule "$otp_store.valueExists(AAA.USER.SESSIONID)" -action NO_AUTHN
OTP verification by comparing the user-provided value and the OTP store value
Run the following commands to verify the OTP by comparing the user-provided value and the OTP store value:
add authentication loginSchema onlypassword -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"
add authentication policylabel otp_verify_label -loginSchema onlypassword
add authentication Policy otp_verify -rule "AAA.LOGIN.PASSWORD.EQ($otp_store[AAA.USER.SESSIONID])" -action NO_AUTHN
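The otp_store variable, the generate_otp assignment, the check_otp rule and the otp_verify rule, modelled together in Python as an added example (not code from the page or from NetScaler). It shows why the assignment prepends "000000" and takes SUFFIX(6) (random values below 100000 would otherwise be shorter than six digits) and how -expires makes valueExists and the comparison fail once the OTP has aged out. The injectable clock and the constant-time comparison standing in for EQ are choices of this example.

```python
import secrets
import time

OTP_TTL_SECONDS = 60   # mirrors "-expires 60" on otp_store
OTP_LEN = 6            # mirrors the text(6) value type and SUFFIX(6)


class OtpStore:
    """Model of the otp_store map variable: session id -> (OTP, expiry time)."""

    def __init__(self, ttl=OTP_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now          # clock is injectable so expiry can be demonstrated
        self._entries = {}

    def _purge(self):
        t = self.now()
        for key in [k for k, (_, exp) in self._entries.items() if exp <= t]:
            del self._entries[key]

    def generate_otp(self, session_id, rnd=None):
        """generate_otp assignment: ("000000" + text(random * 1000000)).SUFFIX(6)."""
        n = secrets.randbelow(1_000_000) if rnd is None else rnd
        otp = ("000000" + str(n))[-OTP_LEN:]       # left-pads to six digits
        self._entries[session_id] = (otp, self.now() + self.ttl)
        return otp

    def value_exists(self, session_id):
        """check_otp rule: $otp_store.valueExists(AAA.USER.SESSIONID)."""
        self._purge()
        return session_id in self._entries

    def verify(self, session_id, password):
        """otp_verify rule: AAA.LOGIN.PASSWORD.EQ($otp_store[SESSIONID]);
        an expired or missing entry is undef, so the comparison fails."""
        self._purge()
        entry = self._entries.get(session_id)
        if entry is None:
            return False
        return secrets.compare_digest(entry[0].encode(), password.encode())


if __name__ == "__main__":
    store = OtpStore()
    otp = store.generate_otp("demo-session")
    print("generated", otp, "exists:", store.value_exists("demo-session"))
    print("verify correct:", store.verify("demo-session", otp))
    print("verify wrong:", store.verify("demo-session", "000000"))
```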
Bind the policy to the authentication policy label
bind authentication policylabel set_otp_label -policyName cascade_noauth -priority 2 -gotoPriorityExpression NEXT -nextFactor check_otp_label
bind authentication policylabel check_otp_label -policyName post_wpp -priority 1 -gotoPriorityExpression NEXT -nextFactor otp_verify_label
bind authentication policylabel otp_verify_label -policyName otp_verify -priority 1 -gotoPriorityExpression NEXT
Create an authentication virtual server and a load balancing virtual server
add authentication vserver avs SSL <ip_address> 443
add ssl certKey aaa_local -cert aaatm_wild.cer -key aaatm_wild.key
bind ssl vserver avs -certkeyName aaa_local
bind authentication vserver avs -policy ldap_extraction_policy -priority 1 -nextFactor set_otp_label -gotoPriorityExpression NEXT
add lb vserver lb HTTP <ip_address> 80 -persistenceType NONE -cltTimeout 180 -AuthenticationHost <auth_server> -Authentication ON
add service svc <ip_address> HTTP 80
bind lb vserver lb svc
Note:
The policy for cascading authentication is added to enable reliable and continuous authentication for the end users. If the current factor fails, the next factor is evaluated such that there is no impact on the user experience.