
DUO configuration errors - Citrix ADC Netscaler version 13.1 Build 24.38

am_cumc
Level 1

Hello Everyone,

We currently have DUO enabled on a Citrix Netscaler (version NS13.0: Build 58.32) and all is running well.

When we attempt to upgrade the Netscaler to version 13.1 Build 24.38 (released on 06/07/22), we receive the following errors related to DUO:

The following configuration lines will get errors in 13.1 and both they and dependent configuration will be removed from the configuration:

add rewrite action rw_act_insert_var_DUO_ENABLED insert_before_all “HTTP.RES.BODY(120000).SET_TEXT_MODE(IGNORECASE)” “"var DUO_ENABLED = true;"” -pattern “if (pwc ==2”

add rewrite action rw_act_insert_DUO_ENABLED insert_after_all “HTTP.RES.BODY(120000).SET_TEXT_MODE(IGNORECASE)” “" && !DUO_ENABLED"” -pattern “if (pwc ==2”

We verified that the configuration lines above are the exact lines mentioned in the DUO Netscaler configuration doc. All is running well using that configuration on Netscaler version 13.0.

Do these lines need to be rewritten/reformatted for compatibility with Netscaler 13.1 Build 24.38? Or any other suggestions regarding these errors?

We are unable to upgrade until the rewrite policy commands are formatted properly.

Thank you,

AM

Accepted Solutions

I found something!

If in the DUO proxy configuration file I have:

[radius_server_iframe]
type=citrix_netscaler_rfwebui ==> Blank screen, nothing happens

BUT with

type=citrix_netscaler ==> I have the DUO prompt, but after confirming I have this error


10 Replies

jenrj
Cisco Employee

Hi @am_cumc, welcome to the Duo Community!

Since you have questions about specific error messages and already tried using the Duo Docs on Netscaler configuration, I recommend that you contact Duo Support. They can give you guidance on how to resolve those error messages and any additional information on Duo and Netscaler based on compatibility.

Hope this helps! For future reference, you can also read How to contact support and get help for Duo for more tips on getting support from Duo.

TabBerger
Cisco Employee

Good morning @am_cumc, glad to have you with us! In addition to @jenrj's suggestion about contacting Support, I wanted to also mention that we recommend nFactor for firmware 12.1-51.16 or later, which does not require you to rewrite any rules for compatibility. You can learn more in our Duo for Citrix Gateway: nFactor Instructions | Duo Security

Have a wonderful day!

omoyano
Level 1

Hello,
I have some issues configuring Duo with my Netscaler 12.1.65 Standard.
I want to do LDAP primary auth and RADIUS secondary (to my Duo Authentication Proxy). Is this the right configuration?
With [ad_client] and [radius_server_iframe]?

I configure the netscaler with this info:

  1. Why do I need to configure two RADIUS primary?
  2. When I configure the expression, the system tells me that the function is deprecated

In my StoreFront, do I need to change auth to Domain and security token?

Some updates. I can log in using DUO but I have this error:


Same error with another user not present in Duo. Is it maybe an error contacting LDAP?

If I try username and random password I have the normal error:


I have another Virtual Server Gateway in production (without DUO) and all works fine.

Can someone help me? I can’t find any Duo step by step that works…

Thanks

Hi @omoyano,

If you want to configure separate LDAP primary and RADIUS secondary you should follow these instructions instead of the page you linked (which is for radius primary + secondary).

Regarding the first image, Citrix has started deprecation of basic auth policies. If you want to try Duo using advanced policies those instructions are here: Duo for Citrix Gateway: nFactor Instructions | Duo Security

Regarding the login failure, you may want to enable debug logging on the NetScaler and on the Duo proxy server, try to reproduce the issue, and then look at the output for an idea of what is happening. Here’s an article that explains different error scenarios seen at the Duo Authentication Proxy.

Duo, not DUO.

Thanks a lot for your reply @DuoKristina

I configured everything with the instructions:

Duo Proxy as duo_only_client
Add two radius secondary

Now I have only the login failure.

The step by step says:

"Before integrating with Duo, make sure your Citrix Gateway has a working Virtual Server with your preferred primary factor."

What does it mean? Do I need to add an LDAP as primary and after that the two secondary RADIUS?
With this conf (added my LDAP server as primary)

(tested and can log in, but nothing appears)

Do I need to add another virtual server with my LDAP? Configure session policies? Anything else?

Thanks again


^ This seems totally wrong. You wouldn’t want no primary authentication policy in place and only secondary policies. With ^ config there is nothing to validate a user’s primary credential, so of course the login fails. This is not in our instructions.

This just means that you should already have your NetScaler virtual server login working with some form of primary authentication before you add Duo for secondary auth - that is, you are starting from a “known-good” working config without 2FA.

Yes.


^ This is a correct policy structure to have your LDAP server verify username and password and then proceed to Duo auth for 2FA.

The blank screen is where the Duo iframe prompt should appear. If it does not…

  • take a look at your web browser’s developer tools and view the console tab while you try to log in. Are there any console errors thrown?
  • double-check your expressions to make sure that browser user agents are directed correctly to the RADIUS policy/auth server representing the Duo radius_server_iframe config
  • double-check your rewrite policy. Are you on 13.1 firmware? If so, try following the steps shown here for hiding the second password field: Remove "Password 2" from RfWebUI - Xenit
  • use the browser’s developer tools Network tab to try to collect a HAR file and examine it for the Duo prompt loading.

You might want to contact Duo Support if you need assistance with any of those steps. It is beyond a typical community discussion.

Duo, not DUO.

I checked all this but I have firmware 12.1

I tried to contact Duo support but they tell me to contact Citrix support…

No, it is not an issue with Citrix. I already have a Citrix configuration in production that works perfectly (without DUO) and now I want to incorporate Duo and I’m trying a lot of “step by step” but nothing works for the moment…

At what point did you contact Duo Support?

Your issue’s current status (primary auth working; blank page where Duo prompt should load) is definitely something Duo Support should be able to assist with troubleshooting.

If you had contacted them prior to having working primary LDAP authentication I understand why they may have referred you to Citrix Support.

You should be able to respond to the email from Duo Support to reopen the case with your current configuration status.

Duo, not DUO.

I found something!

If in the DUO proxy configuration file I have:

[radius_server_iframe]
type=citrix_netscaler_rfwebui ==> Blank screen, nothing happens

BUT with

type=citrix_netscaler ==> I have the DUO prompt, but after confirming I have this error

OK, yes, if you are not actually using the Citrix RFWebUI theme then there would be issues if the Duo RADIUS config was set to type=citrix_netscaler_rfwebui . type=citrix_netscaler is appropriate for the Caxton, Green Bubbles, and X1 Citrix themes.

The messages you see after approving the Duo login request are unrelated to Duo. Once you pass Duo 2FA it is no longer involved. Those are messages from the Citrix Gateway itself and are beyond Duo’s scope.

It looks like you have your Citrix Gateway configured to launch the Java plugin but your browser/machine doesn’t have the Java runtime installed or enabled. I searched that error message and found this:

Duo, not DUO.
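
The theme/type mismatch described in the reply above can be checked before a login test. The following is an added example, not part of the original thread and not a Duo or Citrix tool: a small lint for an Authentication Proxy config that compares each `[radius_server_iframe]` `type` against the gateway theme. The function name, the theme passed in by the operator, and the sample config values are assumptions; the theme-to-type mapping is the one stated in the reply.

```python
import configparser

# Theme -> expected iframe "type", as stated in the reply above.
TYPE_FOR_THEME = {
    "rfwebui": "citrix_netscaler_rfwebui",
    "caxton": "citrix_netscaler",
    "green bubbles": "citrix_netscaler",
    "x1": "citrix_netscaler",
}

# Constructed sample authproxy.cfg; every value is a placeholder.
SAMPLE = """
[duo_only_client]

[radius_server_iframe]
type=citrix_netscaler_rfwebui
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.0.2.10
radius_secret_1=PLACEHOLDER
client=duo_only_client
port=1812
"""

def lint_authproxy(cfg_text, gateway_theme):
    """Return findings for the radius_server_iframe sections (hypothetical helper)."""
    # interpolation=None so a '%' inside a secret is not treated as a reference
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    want = TYPE_FOR_THEME.get(gateway_theme.strip().lower())
    if want is None:
        return [f"unknown theme {gateway_theme!r}; cannot check type"]
    sections = [s for s in cp.sections() if s.startswith("radius_server_iframe")]
    findings = []
    if not sections:
        findings.append("no [radius_server_iframe] section found")
    for name in sections:
        got = cp[name].get("type", "").strip()
        if got != want:
            findings.append(f"[{name}] type={got or '<missing>'} but theme "
                            f"{gateway_theme} needs type={want}")
        # The client key must name a section that exists in the same file.
        client = cp[name].get("client", "").strip()
        if client and not cp.has_section(client):
            findings.append(f"[{name}] client={client} has no matching section")
    return findings
```
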