nFactor authentication gives administrators an easy and flexible way to authenticate users based on the type of access credentials the user presents or on application requirements.
In this paper we describe the following common nFactor authentication use case:
1. The user accesses the authentication vServer.
2. As the first factor, the user is prompted for a client certificate. The browser shows a pop-up window asking the user to choose one of the user certificates installed in the browser; it looks similar to this:
3. The user is authenticated by the certificate authentication policy configured as the first factor.
4. If step 3 succeeds, the username is extracted from the certificate and the user is asked only for a password for the second factor, LDAP authentication:
5. If step 3 fails, the user must provide username and password for LDAP as the first factor and a passcode for RADIUS authentication as the second factor:
The logical flow of the authentication process is shown here:
Detailed nFactor authentication flow for this case
Configuration steps
The configuration steps were tested on NetScaler firmware release 11.0 build 64.
1. Create the load balancing vServer
add lb vserver mail.demoex.local SSL 192.168.100.65 443 -persistenceType NONE -cltTimeout 180 -AuthenticationHost form.demoex.local -Authentication ON -authnVsName form.demoex.local
or via GUI:
NetScaler -> Traffic Management -> Load Balancing -> Virtual Servers -> Add
2. Create the AAA-TM authentication vServer
add authentication vserver form.demoex.local SSL 192.168.100.64 443 -AuthenticationDomain form.demoex.local
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Virtual Servers -> Add
3. Configure the advanced certificate authentication policy
add authentication certAction Cert_Auth_Profile -twoFactor ON -userNameField Subject:CN
add authentication Policy CERT_AD_Exch2016 -rule HTTP.REQ.IS_VALID -action Cert_Auth_Profile
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Basic Policies -> CERT -> Profiles -> Add
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policies -> Add
4. LDAP authentication policy
add authentication ldapAction DC_Exch2016 -serverIP 10.0.0.36 -ldapBase "DC=demoex,DC=local" -ldapBindDn "CN=Administrator,CN=Users,DC=demoex,DC=local" -ldapBindDnPassword c7c671fc3d36e3d653d7aa67a264639375d65f963ad78d22f5aab05f596673c4 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn -ssoNameAttribute userprincipalname
add authentication Policy LDAP_AD_Exch2016 -rule HTTP.REQ.IS_VALID -action DC_Exch2016
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Basic Policies -> LDAP -> Servers -> Add
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policies -> Add
5. RADIUS authentication policy
add authentication radiusAction Radius_NPS_2016 -serverName win2012exch2016.demomuc.local -serverPort 1812 -radKey cb59e3dffcdfef420c045295e7cb0a78598a2b49f1d5b1b6334a84efe12b8c1d -encrypted -encryptmethod ENCMTHD_3 -accounting ON
add authentication Policy NPS_AD_Exch2016 -rule HTTP.REQ.IS_VALID -action Radius_NPS_2016
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Basic Policies -> RADIUS -> Servers -> Add
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policies -> Add
6. Login schema for the "password only" authentication policy
In this login schema the user has already presented a certificate and we have extracted the username from it. So we show only a password field, and the username is filled in by a static expression that returns the username extracted during certificate authentication: HTTP.REQ.USER.NAME.
add authentication loginSchema Cert_Check_1Factor -authenticationSchema login_cert_check_new.xml -userExpression HTTP.REQ.USER.NAME
add authentication policylabel Cert_Check_1Factor -loginSchema Cert_Check_1Factor
bind authentication policylabel Cert_Check_1Factor -policyName LDAP_AD_Exch2016 -priority 100 -gotoPriorityExpression NEXT
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Login Schema -> Profiles -> Add
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy Label -> Add
7. Login schema for "2-factor authentication"
In this login schema we ask the user to provide username, password and passcode on a single page. We also have to tell the user that certificate authentication failed.
add authentication loginSchema Cert_Failed_2Factor -authenticationSchema login-2passwd.xml
add authentication policylabel Cert_Failed_2Factor -loginSchema Cert_Failed_2Factor
bind authentication policylabel Cert_Failed_2Factor -policyName LDAP_AD_Exch2016 -priority 100 -gotoPriorityExpression NEXT
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Login Schema -> Profiles -> Add
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy Label -> Add
8. "noschema" login schema for re-using credentials
In this case we want to re-use data the user has already provided instead of asking the user to type the passcode again. So we use the built-in "noschema" login schema.
add authentication loginSchema Radius_Noschema -authenticationSchema noschema
add authentication policylabel Radius_2Factor_Noschema -loginSchema Radius_Noschema
bind authentication policylabel Radius_2Factor_Noschema -policyName NPS_AD_Exch2016 -priority 100 -gotoPriorityExpression NEXT
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Login Schema -> Profiles -> Add
NetScaler -> Security -> AAA - Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy Label -> Add
9. Bind the advanced authentication policies
In this case the certificate policy authenticates the user and, on success, continues to the second factor through the policy label that shows the LDAP password-only form. If the certificate policy fails, the lower-priority LDAP policy authenticates the user, followed by RADIUS authentication as the second factor.
bind authentication vserver form.demoex.local -policy CERT_AD_Exch2016 -priority 100 -nextFactor Cert_Check_1Factor -gotoPriorityExpression NEXT
bind authentication vserver form.demoex.local -policy LDAP_AD_Exch2016 -priority 110 -nextFactor Radius_2Factor_Noschema -gotoPriorityExpression NEXT
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Virtual Servers -> vServer name -> Edit -> Advanced Authentication Policies
10. Configure the certificate authentication requirements
To make CERT authentication work we must enable SSL client authentication with an optional or mandatory client certificate request. It is very important that the user account in Active Directory is located in an OU. If the account is in the default container ("CN=Users"), extracting the username from the presented certificate can fail even though certificate authentication itself succeeds.
set ssl vserver form.demoex.local -clientAuth ENABLED -clientCert Optional
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Virtual Servers -> vServer name -> Edit -> SSL Parameters
11. Bind the login schema to the AAA authentication vServer
After successful CERT authentication the policy label shows the "password only" form "login_cert_check_new.xml", and this is the first page the user sees after selecting the correct user certificate. If CERT authentication fails, however, we want the user to see the authentication page with the 2-factor credentials form "login-2passwd.xml". To make it the default authentication page, we bind this login schema to the AAA authentication vServer.
bind authentication vserver form.demoex.local -policy Cert_Failed_2Factor -priority 123 -gotoPriorityExpression END
or via GUI:
NetScaler -> Security -> AAA - Application Traffic -> Virtual Servers -> vServer name -> Edit -> Login Schemas -> Add
Use of XML login forms
The great advantage of nFactor authentication with advanced authentication policies is the ability to customize the authentication forms. Through XML pages we can show the user customized messages or warnings, or re-use credentials the user has already provided. In this case we used two XML pages: "login_cert_check_new.xml" and "login-2passwd.xml".
"login_cert_check_new.xml" is used after certificate authentication and does three things for the user: it reports that certificate authentication was successful, shows the username extracted from the certificate, and asks for the password.
"login-2passwd.xml" is used if certificate authentication failed and does two things for the user: it reports that certificate authentication was unsuccessful, and presents a form with username, password and passcode inputs. The password is stored in the variable "passwd" and is used for the first-factor LDAP authentication. The passcode is stored in the variable "passwd1", which the noschema login schema uses by default for the second factor, RADIUS authentication.