Hardware tokens for Native OTP Authentication with NetScaler

The Citrix NetScaler One Time Password (OTP) feature was introduced with NetScaler 12.0 FR1. It offers OTP authentication without a third-party server and consolidates the configuration within the NetScaler itself, giving administrators greater control.

Native OTP, while a useful feature, still has some disadvantages:
  • The OTP profiles can only be used for NetScaler-connected services (so it cannot serve as a second-factor authentication source for a third-party system, such as a client VPN).
  • The secrets generated by Native OTP are quite short (16 base32 characters, i.e. 80 bits), which is theoretically less secure than the 32-character (160-bit) keys of classic OATH TOTP tokens.
  • For the same reason, Native OTP cannot benefit from classic hardware tokens (there are no OATH tokens with 16-character keys available on the market), so it can only be used with software tokens or with programmable tokens as described in this guide.
  • To address the issues above, we recommend our TOTPRadius solution, which has a standard RADIUS interface and a self-enrollment API that allow easy integration with both NetScaler and StoreFront. TOTPRadius supports any type of token (software tokens, programmable or classic hardware tokens) and can be used as an authentication source for any other system supporting the RADIUS authentication protocol.

This guide describes the user interface flow for enrolling Token2 programmable tokens on a NetScaler where the Native OTP capability is already activated. Native OTP configuration procedures are described here.

Navigate to the ManageOTP URL, e.g. https://otpauth.server.com/manageotp (alternatively, https://alt.server.com if you have configured a host-based management page). You will be presented with an initial logon page that only requires LDAP logon credentials:


After logging in with valid credentials, you will see the Manage Devices page, as follows:


Click ‘+’, type in the device name, click ‘go’, and then click ‘done’. A QR code is generated, which indicates that the device has been registered:


Now, launch the Token2 Burner App on your Android device.

Note! You need an NFC-enabled Android device for the enrollment process only. Subsequent logins use only the programmable token itself.

Click on the Scan QR button and scan the QR code shown on the configuration page as described in the previous step. Then press the button on the token and hold it close to the NFC antenna of your Android device (usually below the camera on the back). Click on the "burn seed" button. The app shows a "burn seed process succeeded" message if the process completed successfully.

An OTP generated by your token can now be entered to test the newly registered device.
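As an added example (not Token2's or Citrix's own code), the following Python shows what the token computes from the secret embedded in the enrollment QR code: it parses an otpauth URI, reports the seed strength in bits (the 16-character Native OTP secret is 80 bits, versus 160 bits for a 32-character classic OATH seed), and generates and verifies RFC 6238 TOTP codes. The URI and the 16-character secret are constructed for the example; the 32-character secret is the RFC 6238 test vector, and the ±1-step verification window is an illustrative clock-drift tolerance, not the NetScaler's actual setting.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed otpauth URI of the kind an enrollment QR code encodes (16-char secret).
SAMPLE_URI = "otpauth://totp/NetScaler:user1?secret=JBSWY3DPEHPK3PXP&issuer=NetScaler&digits=6&period=30"
# RFC 6238 test vector seed "12345678901234567890" in base32 (32 chars, 160 bits).
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri):
    """Extract label, base32 secret and TOTP parameters from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def decode_secret(b32):
    """Base32-decode a secret, tolerating the unpadded form used in otpauth URIs."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


def secret_bits(b32):
    """Seed strength: 5 bits per base32 character, so 16 chars -> 80 bits, 32 -> 160."""
    return len(decode_secret(b32)) * 8


def totp(b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(decode_secret(b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(b32, code, unix_time, window=1, digits=6, period=30):
    """Accept the code for the current step or +/- window steps (clock drift)."""
    return any(hmac.compare_digest(totp(b32, unix_time + s * period, digits, period), code)
               for s in range(-window, window + 1))


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], secret_bits(p["secret"]), "bits, current code:",
          totp(p["secret"], int(time.time()), p["digits"], p["period"]))
```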

Volume Orders
For large orders, Token2 offers volume discounts. If you are interested in larger volume orders, please contact us and we will get back to you with a quote immediately.