Citrix Netscaler 12.1 Manual

 


Citrix NetScaler

configuration guide v1.5

October 2018

1 A quick installation guide with Citrix NetScaler

Step 1. Run setup.exe

Step 2. Run the configuration utility;

Step 3. In Domain settings

Step 4. Open Active Directory Users and Computers

Step 5. Go back to the SMSPassword configuration tool.

5.1 SMSPassword A100 dispatcher

5.2 External SMS dispatcher mode

Step 6. Configure your NetScaler.

Step 7. Configure your firewall

2 – Load balanced setup with NetScaler

Things to consider before starting:

To enable load balancing by using the NetScaler configuration utility

Step 1 Setting up the A100 SMS dispatchers

Step 2 Installing the SMSPassword servers

Step 3 Installing the SMSPassword service

Step 4 Configure the NetScaler

General Disclaimer and Copyright Notice

Disclaimer

Copyright Notice

1 A quick installation guide with Citrix NetScaler

For a minimal setup we need at least one server to run the SMSPassword service. This can be an existing server. You have to consider the port that the SMSPassword service uses: port 1812, for RADIUS traffic. If this port is already in use on the server, you can either choose another server or configure RADIUS to use a different port.

For now we will assume you have chosen to install on a fresh new server.

Prepare a Windows server:

- Create a (virtual) Windows server (2008/2012/2016/2019); Standard edition is enough.

- Configure a fixed IP address.

- Add the computer to the domain.

- Disable the firewall/UAC.

- Install the .NET Framework 4.0 feature or later.

Step 1. Run setup.exe

Choose your destination folder. After installing:

Step 2. Run the configuration utility;

To begin, configure verbose logging. This will help you diagnose any problems during this initial phase. Don’t forget to disable it once configuration is done.

On the Radius tab, under Radius Client IP, enter your NetScaler NSIP address.

Make up a new password and enter it in the shared secret field. Make sure this password is saved in a place where other system administrators can find it, for example in KeePass. You will need this password later! You cannot recover the password from this tool, so it is very important to save it somewhere.

Step 3. On the Active Directory tab.

Fill in your full domain DNS name (for example gourami.local). Leave the two other fields (Group, Phone number attribute) at their defaults: SMSPassword and mobile.

Step 4. Open Active Directory Users and Computers

Create a new group called ‘SMSPassword’.

Make it a global security group. Everyone who is going to use SMSPassword two-factor authentication has to be added to this group. Nesting is supported.

Make sure your test user has the ‘mobile’ attribute filled in and is a member of the ‘SMSPassword’ group.

Step 5. Go back to the SMSPassword configuration tool.

On the Configuration tab, under ‘SMS’, configure your SMS dispatcher mode.

5.1 SMSPassword A100 dispatcher

If you use the SMSPassword A100 SMS dispatcher, follow the included manual.

5.2 External SMS dispatcher mode

This can be an external dispatcher such as BulkSMS or MessageBird. Enter the correct URL and fill in your account’s username and password. Send a test SMS to check that your configuration is correct.

Also make sure that you can reach the URL on the computer running SMSPassword. It might be necessary to open some firewall ports.

Save your settings by pressing the save config button. A file called smspassword.cfg is created in the same folder as the executable.

Step 6. Configure your NetScaler.

- Log on to your Citrix NetScaler and go to ‘System’, ‘Authentication’, ‘Basic Policies’, and then ‘Radius’.

- Press ‘Add’ to add an authentication policy.

- In the Name field enter: smspassword_ap

- Next to Server, press Add.

- In the box ‘Create Authentication RADIUS Server’, type as name: smspassword

- As IP address, use the fixed IP address of the server running the SMSPassword service.

- Fill in the shared secret created in step 2 (twice).

- Press Test Connection: a green box should pop up saying everything is okay. If not, retrace your steps.

- The remaining fields should be at their defaults: Password encoding PAP, port 1812, timeout 100.

- Press Create.

- Go back to the ‘Configure Authentication Policy’ box.

- Under ‘Expression’, open the second drop-down, scroll all the way down, and select the ‘ns_true’ value.

- Press Create.

- Bind your RADIUS policy where you need it, for example to your NetScaler Gateway virtual server.

Don’t forget to save your changes.

Step 7. Configure your firewall

If you have a firewall in your environment, you’ll need to open some ports:

- From the NetScaler to all servers running the SMSPassword service, port 1812 has to be open for RADIUS traffic (unless you have chosen to run the RADIUS service on a different port).

- The computer running the SMSPassword service must be able to contact your SMS dispatcher service.

2 – Load balanced setup with NetScaler

When setting up a load balanced configuration you need to remember a lot of IP addresses. To make things easier for you, we created a network drawing. Below you find a filled in example. In this manual we are going to use the IP addresses as shown in the drawing below.

[Figure: filled-in example network drawing]

It’s highly recommended that you fill in the empty network drawing before you start configuring everything. This will give you a good idea of what you are doing, and makes configuring a redundant SMSPassword setup even easier. Below you find the empty network drawing. Print this out, and fill in the green fields.

[Figure: template network drawing, print out and fill in]

Things to consider before starting:

To enable load balancing by using the NetScaler management interface

  1. In the configuration pane, expand System, and then click Settings.
  2. In the settings screen, under Modes and Features, click Configure Basic Features.
  3. In the Configure Basic Features screen, select the Load Balancing check box, and then click OK.

Step 1 Setting up the A100 SMS dispatchers

Configure the two A100 SMS dispatchers as described in the separate manual. It’s recommended that you use a small sticker, and write ‘SMSPassword dispatcher A’ on the device designated as NodeA, and write ‘SMSPassword dispatcher B’ on the device designated as NodeB.

Fill in the correct time zone for each SMS dispatcher.

SMSPassword dispatcher A:

SMSPassword dispatcher B:

As described in the A100 manual, test to see if you can send SMS messages from both nodes.

Step 2 Installing the SMSPassword servers

Find two servers that meet the requirements for SMSPassword. These can be two existing servers, for example the StoreFront servers. Make sure that your RADIUS port (1812 by default) is not already in use. In this example we used new servers, so there is no chance of a port conflict.

Configure the servers to have static IP addresses:

For SMSPassword NodeA: 192.168.2.131

For SMSPassword NodeB: 192.168.2.132

The Windows firewall can block ports; in our configuration example we completely disabled the Windows firewall. You can also open only the ports you need (1812 by default).

Make sure you can reach the SMS A100 dispatcher from every node.

From the SMSPassword NodeA server you should be able to ping 192.168.2.107.

From the SMSPassword NodeB server you should be able to ping 192.168.2.108.

Make sure you join each of the servers to the domain.

Step 3 Installing the SMSPassword service

Install the software and run the configuration utility:

On both nodes, configure the NetScaler subnet IP (SNIP) as the RADIUS client. By default, NetScaler uses the NSIP to communicate with RADIUS servers; however, when the RADIUS traffic goes through a load balancing virtual server, NetScaler uses the SNIP as the RADIUS client IP, and requests from an unexpected client IP are not accepted by the service.

In this example we are going to use a load balancing virtual server, so fill in the NetScaler subnet IP as the RADIUS client IP:

In this example, we use ‘sms’ as the RADIUS shared secret. You are free to use any password you like. Please make sure you document it for future use. Also, make sure to configure the same RADIUS shared secret in the NetScaler, in your RADIUS server definition.

You should configure the same Active Directory information on both nodes:

It’s best practice to use the same setting for the one-time password on both nodes.

On SMSPassword NodeA service we are going to configure the SMS device like so:

Consult the network drawing: SMSPassword NodeA uses SMS dispatcher A. So, for this node, we are going to use the SMS dispatcher at 192.168.2.107. In our example it sends using UDP port 44444, and for this test we used ‘sms’ as the password.

It’s recommended to send a test SMS. Please consider the notation of the number. Some network operators expect a full international number.

On SMSPassword NodeB service we are going to configure the SMS device like so:

Consult the network drawing: SMSPassword NodeB uses SMS dispatcher B. So, for this node, we are going to use the SMS dispatcher at 192.168.2.108. In our example it sends using UDP port 44444, and for this test we used ‘sms’ as the password.

It’s recommended to send a test SMS. Please consider the notation of the number. Some network operators expect a full international number.

When you are done configuring both the SMSPassword nodes, make sure you install and start the service on both nodes.

Step 4 Configure the NetScaler

Note that RADIUS load balancing is supported on NetScaler 9.2 and higher.

Make sure you have enabled the load balancing feature of the NetScaler.

The first thing to do is to add the two SMSPassword servers in the NetScaler. Under configuration, go to Traffic Management → Load Balancing → Servers. Add our two SMSPassword servers with the IP addresses chosen earlier, as shown in the picture below.

Save the configuration.

Make sure you can reach both SMSPassword servers from the NetScaler by pinging them from the NetScaler command line. It often happens that firewalls block this, because NetScalers are usually placed in a DMZ.

Create a custom monitor, go to Traffic Management → Load Balancing → Monitors, and click Add. Name the monitor SMSPassword_RadiusMonitor as shown below.

Note: some users reported better results with a 10-second interval and a 6-second response time-out.

As username fill in: smspasswordmonitor

(this has to match exactly, so use lower case!)

Password: smspasswordpassword

Radius key: in this example we use ‘sms’, but you should use your own Radius Shared Secret.

In the Response Codes section, type 3, and hit the plus sign.

Response code 3 is Access-Reject: the monitor user is not meant to log on, so a reject is the expected answer and shows that the RADIUS service is up and responding.

Press create to create the monitor.
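The ‘Test Connection’ button in section 1, step 6 and the SMSPassword_RadiusMonitor above do the same thing on the wire: send a RADIUS Access-Request with a PAP-encoded password and inspect the reply. The following Python script is an added example and not part of this manual or of the SMSPassword product; it builds such a request (RFC 2865), checks the reply’s Response Authenticator against the shared secret, and returns the response code, so the monitor’s check can be reproduced from any host. The IP 192.168.2.131, the ‘sms’ secret and the monitor credentials are this manual’s example values; the function names are this example’s own.

```python
import hashlib
import os
import socket
import struct
# RFC 2865 codes; the monitor on this page expects 3 (Access-Reject) for its dummy user.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def pap_crypt(secret: bytes, authenticator: bytes, data: bytes, unhide: bool = False) -> bytes:
    """PAP User-Password hiding (or its inverse): 16-byte blocks XOR MD5(secret + prev block)."""
    if not unhide:  # pad the plaintext to whole 16-byte blocks, at least one
        data = data.ljust(max(16, (len(data) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator  # the request authenticator keys the first block
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if unhide else block)
    return out.rstrip(b"\x00") if unhide else out

def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(secret, username, password, ident=1, authenticator=b""):
    """Access-Request as the NetScaler sends it; returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)  # fresh per request, never reused
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, pap_crypt(secret, authenticator, password.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(secret, request_auth, code, ident):
    header = struct.pack("!BBH", code, ident, 20)  # attribute-less reply (servers may add some)
    return header + hashlib.md5(header + request_auth + secret).digest()

def check_response(secret, request_auth, data):
    """Return (code, authentic); authentic is False when the two sides' secrets differ."""
    code, _ident, length = struct.unpack("!BBH", data[:4])
    expected = hashlib.md5(data[:4] + request_auth + data[20:length] + secret).digest()
    return code, data[4:20] == expected

def probe(host, secret, username, password, port=1812, timeout=3.0):
    """One round trip to the service; None means no reply (service down or UDP port blocked)."""
    pkt, request_auth = build_access_request(secret, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return check_response(secret, request_auth, data)
```

Run `probe("192.168.2.131", b"sms", "smspasswordmonitor", "smspasswordpassword")` from a host that is allowed as RADIUS client: `(3, True)` is what the monitor expects, `None` means the service is down or UDP/1812 is blocked, and a reply with `False` means the shared secrets on the two sides differ.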

 

Add a Load Balancing Virtual Server

Go to Traffic Management → Load Balancing → Virtual Servers and click ‘Add’.

As name use SMSPassword_LB_VS

As IP address use 192.168.2.213 (see network drawing)

Press OK.

Under Services and Service Groups click on No Load Balancing Virtual Server ServiceGroup Binding and click on Add.

Name: SMSPassword_SG

Protocol: Radius

Press OK.

Click on ‘No Service Group Member’, select ‘Server Based’, click ‘Add’ and select both nodes from the list.

Under Port, fill in port ‘1812’, and press Create.

Under Advanced Settings press the plus sign on the Monitors setting, and bind the SMSPassword_RadiusMonitor we created earlier.

Press Done. And if required, bind the new Service Group we just created by selecting it and pressing Bind and then Close. Don’t forget to save the running configuration so far.

Under Advanced Settings on the right, click on Method and select the ROUNDROBIN option.

Now add the setting Persistence from the Advanced Settings, and configure it as follows:

Persistence: Rule

Timeout: 5

Expression: CLIENT.UDP.RADIUS.USERNAME

Press OK.

You can test the monitor by stopping the SMSPassword service on one of the nodes and checking that the node shows as down in the NetScaler. If a running member does not show as ‘up’/green, check the firewall.

Add the RADIUS server:

Go to System → Authentication → Basic Policies → RADIUS, and select the Servers tab. Add a RADIUS server.

As name use SMSPassword_LBVS_Radius

IP address: 192.168.2.213

Port: 1812

Secret key (Radius Shared Secret): ‘sms’

Confirm secret key(Radius Shared Secret): ‘sms’

Password encoding: pap

Timeout: 300

Accounting: OFF

Add the RADIUS authentication policy:

Go to System → Authentication → Basic Policies → RADIUS, and select the Policies tab. Add an authentication policy.

Use as name: SMSPassword_Radius_AuthPol

Select as type: Radius

Server: select the SMSPassword_LBVS_Radius server created above

Add as expression: ns_true

Press create (ignore the warning). Save the NetScaler config.

Now go to your NetScaler Gateway virtual server under ‘NetScaler Gateway’, ‘Virtual Servers’. Open your gateway virtual server and, under ‘Basic Authentication’, select the current authentication policy (likely LDAP). Click ‘Add Binding’, select the RADIUS policy and click ‘Bind’. Then unbind the previous policy, so that the RADIUS policy is the only active policy, and click ‘Close’.

Save your configuration.

Test your configuration by logging on to your NetScaler.

General Disclaimer and Copyright Notice

Disclaimer

Whilst every care has been taken by SMSPassword Software to ensure that the information contained in this document is correct and complete, it is possible that this is not the case. SMSPassword Software provides the information “as is”, without any warranty for its soundness, suitability for a different purpose or otherwise. To the maximum extent permitted by applicable law, SMSPassword Software is not liable for any damage which has occurred or may occur as a result of or in any respect related to the use of this information. SMSPassword Software may change or terminate this document at any time without further notice and shall not be responsible for any consequence(s) arising therefrom. Subject to this disclaimer, SMSPassword is not responsible for any contributions by third parties to this information.

Copyright Notice

Copyright © on software and all Materials 1998-2015 SMSPassword Software. SMSPassword and the SMSPassword Logo are either registered trademarks or service marks of SMSPassword in Europe, the United States and other countries. All other product and company names mentioned may be trademarks and/or service marks of their respective owners.