NetScaler Gateway 11 RADIUS Authentication

Last Modified: Jul 10, 2016 @ 2:07 pm


RADIUS Overview

For two-factor authentication using Azure Multi-factor Authentication, see Jason Samuel How to deploy Microsoft Azure MFA & AD Connect with Citrix NetScaler Gateway

Citrix CTX125364 How to Configure Dual Authentication on NetScaler Gateway Enterprise Edition for Use with iPhone and iPad.

Some two-factor products (e.g. SMS Passcode) require you to hide the 2nd password field. Receiver 4.4 and newer supports hiding the 2nd field if you configure a Meta tag in index.html. See CTX205907 Dual-Password Field Shows in First Authentication When Connecting to NetScaler Gateway from Windows Receiver for instructions.

Two-factor authentication to NetScaler Gateway requires the RADIUS protocol to be enabled on the two-factor authentication product.

On your RADIUS servers you’ll need to add the NetScaler appliances as RADIUS Clients. Which IP to register depends on how the appliance reaches the RADIUS server. When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler connects directly to a RADIUS server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP). Use the correct IP(s) when adding the appliances as RADIUS Clients, and adjust firewall rules accordingly. Note that RADIUS servers such as NPS silently discard requests from a source IP that is not registered as a client, so a wrong client entry shows up on the NetScaler as a timeout rather than an authentication failure.

For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances; the secret is what the server uses to unhide the password and what the appliance uses to validate the reply, so a mismatch on either appliance fails authentication from that node only.
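The exchange the two paragraphs above depend on, as an added example that is not from the original post: a minimal RFC 2865 PAP Access-Request / Access-Accept round trip in Python, with an in-memory RADIUS server that, like NPS, selects the shared secret by the client's source IP and drops packets from unregistered addresses. The addresses (10.2.2.11 standing in for the SNIP, 10.2.2.10 for the NSIP), the secret Passw0rd, the user name and the password are constructed sample values, and nothing is sent on the wire.

```python
"""Added example, not from the original post: RFC 2865 PAP exchange between a
RADIUS client playing the NetScaler and an in-memory server. All IPs, secrets
and credentials are constructed sample values; no network I/O is performed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _md5(*parts: bytes) -> bytes:
    h = hashlib.md5()
    for p in parts:
        h.update(p)
    return h.digest()


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s5.2): NUL-pad to 16-byte blocks and XOR
    each block with MD5(secret + previous ciphertext block); the first block
    chains off the Request Authenticator. This is obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, _md5(secret, prev))), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, counts itself) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)  # header: Code(1) Identifier(1) Length(2) Authenticator(16)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, length, req_auth, attr_bytes, secret) -> bytes:
    # RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return _md5(struct.pack("!BBH", code, ident, length), req_auth, attr_bytes, secret)


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str, ident: int = 1):
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


class RadiusServer:
    """Picks the shared secret by source IP (the NetScaler SNIP or NSIP); an
    unregistered source is dropped without any reply, as NPS does."""

    def __init__(self, clients: dict, users: dict):
        self.clients, self.users = clients, users

    def handle(self, src_ip: str, packet: bytes):
        secret = self.clients.get(src_ip)
        if secret is None:
            return None
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length > len(packet):
            return None
        req_auth = packet[4:20]
        attrs = dict(decode_attrs(packet[20:length]))
        pwd = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
        ok = self.users.get(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")) == pwd
        resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        resp_auth = response_authenticator(resp_code, ident, 20, req_auth, b"", secret)
        return build_packet(resp_code, ident, resp_auth, [])


def verify_response(packet: bytes, req_auth: bytes, secret: bytes):
    """Client side: recompute the Response Authenticator with our own secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, length, req_auth, packet[20:length], secret)
    return hmac.compare_digest(packet[4:20], expected), code


def authenticate(server: RadiusServer, src_ip: str, user: str, password: str, client_secret: bytes) -> str:
    """One round trip; returns accept, reject, discarded or bad-authenticator."""
    req, req_auth = build_access_request(user, password, client_secret, src_ip)
    resp = server.handle(src_ip, req)
    if resp is None:
        return "discarded"
    valid, code = verify_response(resp, req_auth, client_secret)
    if not valid:
        return "bad-authenticator"
    return "accept" if code == ACCESS_ACCEPT else "reject"


# Constructed sample topology: the SNIP is registered as a RADIUS client, the NSIP is not.
SAMPLE_SERVER = RadiusServer(clients={"10.2.2.11": b"Passw0rd"}, users={"alice": b"1234567890"})

if __name__ == "__main__":
    print(authenticate(SAMPLE_SERVER, "10.2.2.11", "alice", "1234567890", b"Passw0rd"))  # accept
    print(authenticate(SAMPLE_SERVER, "10.2.2.10", "alice", "1234567890", b"Passw0rd"))  # discarded
    print(authenticate(SAMPLE_SERVER, "10.2.2.11", "alice", "1234567890", b"wrong"))     # bad-authenticator
```

The three misconfigurations the overview warns about produce three distinct outcomes: a request from the unregistered NSIP gets no reply at all (the appliance sees a timeout), a shared-secret mismatch makes the Response Authenticator check fail on the client side even though the server answered, and only a registered source with the right secret gets a real accept or reject. Because the hiding scheme is MD5-based and the rest of the request is unauthenticated, RADIUS between the appliance and the server belongs on a management network or inside IPsec.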

Two-factor Policies Summary

When configuring the NetScaler Gateway Virtual Server, you can specify both a Primary authentication policy and a Secondary authentication policy. Users are required to successfully authenticate against both before being authorized for NetScaler Gateway.

For browser-based StoreFront, you need two authentication policies:

  • Primary = LDAPS authentication policy pointing to Active Directory Domain Controllers.
  • Secondary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.

For Receiver Self-service (native Receiver on mobile, Windows, and Mac), the authentication policies are swapped:

  • Primary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.
  • Secondary = LDAPS authentication policy pointing to Active Directory Domain Controllers.

If you need to support two-factor authentication from both web browsers and Receiver Self-Service, then you’ll need at least four authentication policies, bound as shown below. Receiver identifies itself with a User-Agent header containing CitrixReceiver, which is what the policy expressions key on.

Primary:

  • Priority 90 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Secondary:

  • Priority 90 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Create Two-factor Policies

Do the following to create the Two-factor policies:

  1. Create an LDAP server.
  2. For RADIUS, on the left, expand Authentication, and click Dashboard.
  3. On the right, click Add.
  4. Change Choose Server Type to RADIUS.
  5. Give the server a name.
  6. Specify the IP address of the RADIUS load balancing Virtual Server.
  7. Enter the secret key specified when you added the NetScalers as RADIUS clients on the RADIUS server. Click Create.

    add authentication radiusAction RSA -serverIP -serverPort 1812 -radKey Passw0rd
  8. Since you can’t create authentication policies from the authentication dashboard, go to NetScaler Gateway > Policies > Authentication > RADIUS.
  9. On the right, in the Policies tab, click Add.
  10. Name it RSA-SelfService or similar.
  11. Select the RADIUS server created earlier.
  12. Enter an expression. You will need two policies with different expressions. The expression for Receiver Self-Service is REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver; the expression for web browsers is REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver.
  13. Click Create.

    add authentication radiusPolicy RSA-Web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA
    add authentication radiusPolicy RSA-SelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA
    add authentication ldapPolicy Corp-Gateway-Web "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Corp-Gateway
    add authentication ldapPolicy Corp-Gateway-SelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Corp-Gateway
  14. Create another policy (RSA-Web) so that you have the two shown below. Both RADIUS policies are configured with the same RADIUS server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS):
    Name             Expression                                             Server
    RSA-SelfService  REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver     RSA
    RSA-Web          REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver  RSA

  15. Go to the NetScaler Gateway\Policies\Authentication\LDAP node.
  16. On the Policies tab, create two policies with the expressions shown below. Both LDAP policies are configured with the same LDAP server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS). The policy names are arbitrary; the CLI examples in this article name the LDAP policies Corp-Gateway-Web and Corp-Gateway-SelfService after the LDAP server Corp-Gateway.
    Name                   Expression                                             Server
    LDAP-Corp-SelfService  REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver     LDAP-Corp
    LDAP-Corp-Web          REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver  LDAP-Corp

Bind Two-factor Policies to Gateway

  1. When you create the NetScaler Gateway Virtual Server, bind the policies as shown in the following table. Priority doesn’t matter because the CONTAINS and NOTCONTAINS expressions are mutually exclusive, so exactly one policy fires on each bind point for any given request. (The CLI lines below use the names Corp-Gateway-Web and Corp-Gateway-SelfService for the LDAP policies.)
    Policy Name            Type    Bind Point
    LDAP-Corp-Web          LDAP    Primary
    RSA-SelfService        RADIUS  Primary
    LDAP-Corp-SelfService  LDAP    Secondary
    RSA-Web                RADIUS  Secondary

    bind vpn vserver -policy Corp-Gateway-Web -priority 100
    bind vpn vserver -policy RSA-SelfService -priority 110
    bind vpn vserver -policy RSA-Web -priority 100 -secondary
    bind vpn vserver -policy Corp-Gateway-SelfService -priority 110 -secondary
  2. The session policy/profile for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password, because Gateway passes that password to StoreFront for single sign-on. In the Session Profile, on the Client Experience tab is Credential Index. For the Receiver Self-Service session profile this needs to be changed to SECONDARY, since Receiver authenticates RADIUS first and LDAP second. Leave the session policy for Web Browsers set to PRIMARY. If the index is wrong, Gateway authenticates the user but sends the RSA passcode to StoreFront as the domain password and single sign-on fails.

    set vpn sessionAction "Receiver Self-Service" -ssoCredential SECONDARY
  3. On the StoreFront server, when creating the NetScaler Gateway object, change the Logon type to Domain and security token.


19 thoughts on “NetScaler Gateway 11 RADIUS Authentication”

  1. Hi Carl,

    thank you for your help regarding the pwcount cookie!
    The authentication works now fine with SMS-Passcode.

    However, I need to set the flags Secure and HttpOnly to this cookie. I did that within the rewrite action that sets pwcount=+1 and that pwcount cookie works fine.
    Unfortunately there is a second pwcount cookie and this one is set with the value 2 and only the Secure flag.
    If I understand it right it shouldn’t be needed to be read at the client side but I’m not absolutely sure about that.
    But if I’m right, is there a way to force that cookie to also set the HttpOnly flag?

      1. So that script (login.js) is executed along with some other JavaScript files on the client side, right?
        I wasn’t sure about that. Thank you for pointing that out.
        And at least one other JavaScript file (js/tmindex_view.js) seems to read the second pwcount cookie, and that is why it cannot have the HttpOnly flag set, because with that flag script access to the cookie is prevented.
        I’m just pointing that out because it might be possible that someone else stumbles over this.
        I’m just saying PCI-DSS Compliance…:)
        It would be nice if you could confirm this explanation.
        But anyway, thank you for helping me out a second time!

        Something different about two factor authentication with SMS-Passcode:
        As I understand it corrects the workaround 1 of a bit. Have a look on the putty screenshot on CTX205907 compared to point 3 of workaround 1.
        However, it is not told there that the modified index.html gets overwritten with the original index.html on every reboot of the Netscaler, therefore making workaround 1 pretty useless.
        I suggest to have a closer look at workaround 2 or maybe workaround 3 on CTX203775.
        I have finally implemented workaround 2 which seems to be the most elegant solution, making also adding the rewrite action and policy for the first pwcount cookie (pwcount=+1) obsolete.
        Workaround 3 is the better solution compared to workaround 1, because the rewrite policy edits the index.html on the fly when a client requests it. That makes it unnecessary to edit the original index.html and is therefore a solution that survives a reboot of the Netscaler.
        Maybe you want to point that out a bit better on the RADIUS Overview section of your blog post.

        1. An addition to the two factor authentication with SMS-Passcode:
          I did just another security scan after implementing workaround 2 of CTX203775 including unbinding the pwcount cookie rewrite policy and had a very nice effect:
          The second pwcount cookie is set now to value 0 and also flagged both as Secure and HttpOnly. Maybe that is done by my rewrite action and policy that I have configured as explained in
          But the point is that the Netscaler seems not to need to read that cookie with that configuration and therefore allows that it is flagged as HttpOnly, too.
          This makes the workaround 2 the best solution when it comes to fulfill PCI-DSS-Compliance or high security needs.

  2. Hi Carl,

    I have a stupid issue with Netscaler 11.1 Build 48.10.
    I did some tests with two factor authentication and removed the secondary authentication settings afterwards from my virtual server. But the logon page still shows the Password 2 Field.
    I removed and recreated the virtual server (without secondary authentication settings) but the logon page still shows the Password 2 field.
    At last I created a new virtual server with another name and ip address also without secondary authentication but the Password 2 field pops up on that logon page, too.
    Do you have any idea how I can remove it?
    Also that Password 2 field shouldn’t pop up by default on a new virtual server. Any ideas why this happens and how to get rid of it?

    1. A cookie controls it. Same issue on different browsers/machines? Are you doing a rewrite to always create the pwcount cookie?

      1. Yes, it happens on other machines, too. And no, I’m not doing a rewrite to always create the pwcount cookie.
        Do I need to do that with single authentication, too?
        How is it done?

          1. I think it has to do with rewriting the pwcount cookie. I have found a solution on another site that explains how to do the rewrite when a two factor authentication is implemented.
            However I’m not sure how the rewrite policy expression should be defined in the case of a single authentication. At the moment I have created two rewrite policies, one with the expression “HTTP.REQ.HEADER(“Cookie”).CONTAINS(“pwcount”).NOT” and the other one with the expression “HTTP.REQ.HEADER(“Cookie”).CONTAINS(“pwcount”)” but I’m not so sure if it would make sense to bind both to the virtual server, especially on the long term. I did it for the moment and now the logon page doesn’t show the Password 2 field anymore. But how is it done correctly?

  3. I would just like to ask: is it possible to use RADIUS and LDAP authentication on a single gateway virtual server and have some users log in via LDAP and some using their RSA SecurID tokens?

    Also is Radius authentication supported for Web Interface on NetScaler as I have tried it and it authenticate successfully on the NetScaler and the RSA server but the Web Interface page does not launch or open?

    1. You can do this in AAA nFactor. Hopefully they add nFactor to Gateway too.

      Web Interface requires some sort of AD authentication. If Gateway doesn’t supply it then Web Interface should prompt you.

  4. Hi Carl,

    We have our Netscalers/Storefront and XA7.6 servers in a private virtualized environment and need an MFA solution. Will Azure MFA work in this scenario with our current setup or do we need to have some sort of AD presence in Azure? Hope that makes sense.

    Thanks in advance.

  5. Soon as I posted my issue, I realized the error on my part, just needed to select the + next to Authentication to add a Radius policy. Sorry about that and thank you for all these great articles!

  6. Hello Carl, this is great, but I ran into an issue (this could be on me though, I’m still green at Netscalers). When I go to bind to the Virtual Server, I’m not able to select any of the RADIUS policies that were created in the beginning. Only LDAP policies are listed. Did I possibly miss a step?
