Configure SMS OTP for Web authentication

NetScaler can now be integrated with a third party SMS provider to provide an extra layer of authentication.

NetScaler appliance can be configured to send an OTP on the user’s mobile as a second factor of authentication. The appliance presents the user with a logon form to enter the OTP after successful AD login. It is only after the successful validation of SMS OTP authentication that the user is presented with the requested resource.

To achieve SMS OTP authentication, the NetScaler appliance relies on the following factors in the back end.

  1. Authenticate the user using LDAP authentication and extract the user’s mobile number.
  2. Create OTP and store it in the NS variable. Configuring and using variables.
  3. Send the OTP via WebAuth authentication method to the mobile number extracted from LDAP.
  4. Validate the OTP.


Enable features and add SNIP

Run the following commands to enable the features required for this configuration:

enable ns feature LB SSL SSLVPN AAA

add ns ip <SNIP-IP> <subnet mask> -type SNIP

Configure OTP store

Admins must set up a database/store to save OTPs used for SMS authentication.

The recommended configuration range for the expires parameter (OTP expiration) is 30 to 180 seconds. Any value outside this range might result in a failed SMS OTP configuration and nFactor flow.

add ns variable otp_store -type "map(text(65),text(6),100000)" -ifValueTooBig undef -ifNoValue undef -expires 60

Generate random OTP per user session

Use the following command to generate a 6-digit random OTP per user session and save it in the OTP store.

add ns assignment generate_otp -variable "$otp_store[AAA.USER.SESSIONID]" -set ("000000" + SYS.RANDOM.MUL(1000000).TYPECAST_UNSIGNED_LONG_AT.TYPECAST_TEXT_T).SUFFIX(6)

Configure SMS OTP authentication with NetScaler

  • Before you configure the SMS two factor authentication feature, you must have an LDAP authentication configured on a NetScaler appliance as first factor with authentication enabled. For instructions to configure LDAP authentication, see To configure LDAP authentication by using the configuration utility.

  • Configure LDAP and extract the mobile number to be used for SMS OTP authentication.

Sample first factor configuration

Configure LDAP as the first factor for authentication.

 add authentication ldapAction ldap_extraction_action -serverIP <IP_Adress> -ldapBase OU=Sanity,dc=aaa,dc=local  -ldapBindDn administrator@aaa.local -ldapBindDnPassword <password> -ldapLoginName samaccountname -groupAttrName memberof -subAttributeName CN -authentication disabled

 add authentication Policy ldap_extraction_policy -rule true -action ldap_extraction_action


Mobile number can be extracted using AAA.USER.ATTRIBUTE(1) and can be included while sending it to the back-end server.

Sample second factor configuration

Using the following sample configuration, an OTP that is to be sent to the end user is generated.

add authentication Policy set_otp -rule true -action generate_otp

add authentication policylabel set_otp_label -loginSchema LSCHEMA_INT

 bind authentication policylabel set_otp_label  -policyName set_otp -priority 1

add authentication Policy cascade_noauth -rule true -action NO_AUTHN

Web authentication policy and action

Now, configure the web authentication action to send the OTP to any third party SMS sender along with the mobile number fetched from the LDAP policy.

Check the OTP and send the generated OTP to a third party SMS provider or any web server as configured below:

add policy expression otp_exp_post "\"Message: OTP is \" + $otp_store[AAA.USER.SESSIONID] + \" for login into secure access  gateway. Valid till EXPIRE_TIME. Do not share the OTP with anyone for security reasons&Mobile:\" + AAA.USER.ATTRIBUTE(1)"

add authentication webAuthAction sms_post -serverIP <web_application_ip> -serverPort 80 -fullReqExpr q{"POST /MyPHP/auth.php HTTP/" + http.req.version.major + "." + http.req.version.major + "\r\nAccept:*/*\r\nHost: <web_application_ip> \r\nContent-Length:100\r\n\r\n" + otp_exp_post} -scheme http -successRule true

add authentication Policy post_wpp -rule true -action sms_post

Check the OTP

Add the following policy and policy label to check if the OTP exists for the user session:

add authentication policylabel check_otp_label -loginSchema LSCHEMA_INT

add authentication Policy check_otp -rule "$otp_store.valueExists(AAA.USER.SESSIONID)" -action NO_AUTHN

OTP verification by comparing the user-provided value and the OTP store value

Run the following commands to verify the OTP by comparing the user-provided value and the OTP store value:

add authentication loginSchema onlypassword -authenticationSchema "/nsconfig/loginschema/LoginSchema/OnlyPassword.xml"

add authentication policylabel otp_verify_label -loginSchema onlypassword

add authentication Policy otp_verify -rule "AAA.LOGIN.PASSWORD.EQ($otp_store[AAA.USER.SESSIONID])" -action NO_AUTHN

Bind the policy to the authentication policy label

bind authentication policylabel set_otp_label -policyName cascade_noauth -priority 2 -gotoPriorityExpression NEXT -nextFactor check_otp_label

bind authentication policylabel check_otp_label -policyName post_wpp -priority 1 -gotoPriorityExpression NEXT -nextFactor otp_verify_label

bind authentication policylabel otp_verify_label -policyName otp_verify -priority 1 -gotoPriorityExpression NEXT

Create an authentication virtual server and a load balancing virtual server

 add authentication vserver avs SSL <ipadresss> 443

add ssl certKey aaa_local -cert aaatm_wild.cer -key aaatm_wild.key

bind ssl vserver avs -certkeyName aaa_local

bind authentication vserver avs -policy ldap_extraction_policy -priority 1 -nextFactor set_otp_label -gotoPriorityExpression NEXT

add lb vserver lb HTTP <ip_adresss> 80 -persistenceType NONE -cltTimeout 180 -AuthenticationHost <auth_server> -Authentication ON

add service svc <Ip_adresss> HTTP 80

bind lb vserver lb svc


The policy for cascading authentication is added to enable reliable and continuous authentication for the end users. If the current factor fails, the next factor is evaluated such that there is no impact on the user experience.

Configure SMS OTP for Web authentication