NetScaler Gateway RADIUS Authentication

Last Modified: Jul 10, 2016 @ 2:07 pm


RADIUS Overview

For two-factor authentication using Azure Multi-factor Authentication, see Jason Samuel How to deploy Microsoft Azure MFA & AD Connect with Citrix NetScaler Gateway

Citrix CTX125364 How to Configure Dual Authentication on NetScaler Gateway Enterprise Edition for Use with iPhone and iPad

Some two-factor products (e.g. SMS Passcode) require you to hide the 2nd password field. Receiver 4.4 and newer support hiding the 2nd field if you configure a Meta tag in index.html. See CTX205907 Dual-Password Field Shows in First Authentication When Connecting to NetScaler Gateway from Windows Receiver for instructions.

Two-factor authentication to NetScaler Gateway requires the RADIUS protocol to be enabled on the two-factor authentication product.

On your RADIUS servers, you’ll need to add the NetScaler appliances as RADIUS Clients. When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP). Use the correct IP(s) when adding the appliances as RADIUS Clients, and adjust firewall rules accordingly.

For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS, then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances.
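As an added example (not code from the original article or from Citrix), the following Python models the RADIUS exchange that sits behind these settings: the client side (the role NetScaler plays) hides the user's password with the shared secret (the -radKey value) and a random Request Authenticator, and the server side decrypts with its own copy of the secret and signs the reply, so a secret that does not match on both ends shows up as an Access-Reject together with a reply the client cannot verify. The user store, the secret and the user name are constructed for the example; there is no network I/O.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and the two attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed user store for the simulated RADIUS server (not real data).
USERS = {"alice": "Winter2016!"}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; block i = p_i XOR MD5(secret + prev)."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        prev = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decrypt_password(cipher, secret, req_auth):
    """Inverse of encrypt_password; with the wrong secret this yields garbage."""
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        out += _xor(cipher[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", errors="replace")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user, password, secret, ident=1, req_auth=None):
    """Client side: fresh 16-byte Request Authenticator, User-Name, User-Password."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user.encode()) + \
        _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(pkt):
    attrs, i = {}, 20
    while i + 2 <= len(pkt):
        attr_type, length = pkt[i], pkt[i + 1]
        if length < 2: break  # malformed attribute; stop rather than loop forever
        attrs[attr_type] = pkt[i + 2:i + length]
        i += length
    return attrs


def server_handle(request, server_secret):
    """Server side: decrypt with the secret configured for this RADIUS client, check
    the user, and sign the reply: MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request)
    user = attrs[ATTR_USER_NAME].decode("utf-8", errors="replace")
    password = decrypt_password(attrs[ATTR_USER_PASSWORD], server_secret, req_auth)
    code = ACCESS_ACCEPT if USERS.get(user) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes
    return header + hashlib.md5(header + req_auth + server_secret).digest()


def client_verify(request, response, client_secret):
    """Client side: trust the reply only if the identifier matches and the Response
    Authenticator validates under the client's secret; returns the code or -1."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + client_secret).digest()
    if response[1] != request[1] or expected != response[4:20]:
        return -1
    return response[0]
```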

Two-factor Policies Summary

When configuring the NetScaler Gateway Virtual Server, you can specify both a Primary authentication policy and a Secondary authentication policy. Users are required to successfully authenticate against both before being authorized for NetScaler Gateway.

For browser-based StoreFront, you need two authentication policies:

  • Primary = LDAPS authentication policy pointing to Active Directory Domain Controllers.
  • Secondary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.

For Receiver Self-service (native Receiver on mobile, Windows, and Mac), the authentication policies are swapped:

  • Primary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.
  • Secondary = LDAPS authentication policy pointing to Active Directory Domain Controllers.

If you need to support two-factor authentication from both web browsers and Receiver Self-Service, then you’ll need at least four authentication policies, as shown below.

Primary authentication policies:

  • Priority 90 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Secondary authentication policies:

  • Priority 90 = LDAP policy. Expression = REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = RADIUS policy. Expression = REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver

Create Two-factor Policies

Do the following to create the Two-factor policies:

  1. Create an LDAP policy/server.
  2. For RADIUS, on the left, expand NetScaler Gateway, expand Policies, expand Authentication, and click Radius.
  3. On the right, switch to the Servers tab. Click Add.
  4. Give the RADIUS server a name.
  5. Specify the IP address of the RADIUS load balancing Virtual Server.
  6. Enter the secret key specified when you added the NetScalers as RADIUS clients on the RADIUS server. Click Create.

    add authentication radiusAction RSA -serverIP -serverPort 1812 -radKey Passw0rd
  7. On the right, switch to the Policies tab, and click Add.
  8. Name it RSA-SelfService or similar.
  9. Select the RADIUS server created earlier.
  10. Enter an expression. You will need two policies with different expressions. The expression for Receiver Self-Service is REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver.
  11. Click Create.

    add authentication radiusPolicy RSA-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA
    add authentication radiusPolicy RSA-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA
    add authentication ldapPolicy Corp-Gateway-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Corp-Gateway
    add authentication ldapPolicy Corp-Gateway-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Corp-Gateway
  12. Create another RADIUS policy so that you have the two shown below. Both RADIUS policies are configured with the same RADIUS server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS).
    Name             Expression                                             Server
    RSA-SelfService  REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver     RSA
    RSA-Web          REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver  RSA

  13. Go to NetScaler Gateway\Policies\Authentication\LDAP. On the Policies tab, create two policies with the expressions shown below. Both LDAP policies are configured with the same LDAP server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS).
    Name                   Expression                                             Server
    LDAP-Corp-SelfService  REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver     LDAP-Corp
    LDAP-Corp-Web          REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver  LDAP-Corp

Bind Two-factor Policies to Gateway

  1. When you create the NetScaler Gateway Virtual Server, bind the policies as shown in the following table. Priority doesn’t matter because the expressions are mutually exclusive.
    Policy Name            Type    Bind Point
    LDAP-Corp-Web          LDAP    Primary
    RSA-SelfService        RADIUS  Primary
    LDAP-Corp-SelfService  LDAP    Secondary
    RSA-Web                RADIUS  Secondary

    bind vpn vserver -policy Corp-Gateway-ReceiverForWeb -priority 100
    bind vpn vserver -policy RSA-ReceiverSelfService -priority 110
    bind vpn vserver -policy RSA-ReceiverForWeb -priority 100 -secondary
    bind vpn vserver -policy Corp-Gateway-ReceiverSelfService -priority 110 -secondary
  2. The session policy/profile for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab of the Session Profile is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to Primary.

    set vpn sessionAction "Receiver Self-Service" -ssoCredential SECONDARY
  3. On the StoreFront server, when creating the NetScaler Gateway object, change the Logon type to Domain and security token.

64 thoughts on “NetScaler Gateway RADIUS Authentication”

  1. I have set up my NetScaler to use OpenOTP (RCDevs) and it’s working fine. Recently they launched an OTP App with push functionality. I’ve got the Push functionality working on the OTP appliance. Has anybody integrated this in the NetScaler? (You enter your username and password, get a push message on your smartphone for the token code).

    1. Do they have NetScaler specific instructions?

      Does their product also handle Windows auth? Or is it OTP only? If OTP only, sometimes you have to hide the 2nd password field on NetScaler. If your product does both Windows and OTP, then you only need one auth server.

        1. Found the solution. Used the guide above. Normal OTP works. Force the OpenOTP to use LDAPOTP, otherwise it will do only OTP. Fill in username + password + leave Code 2 or OTP field BLANK. Click logon and the push is sent.

  2. Hi Carl,

    your post helped me a lot when needed most urgently! Thanks for that.

    One more question:
    How do I configure the text-box for the Citrix Receiver logon box to display PASSCODE instead of Password 1 and Userpassword instead of Password 2?

    1. My NetScaler Gateway Virtual Server pages have instructions for customizing the logon page labels. What version of NetScaler?

        1. For Receiver, are you referring to after discovery? In that case, go to StoreFront > Manage NetScaler Gateways > edit the Gateway > change authentication to Domain and Security Token.

          Otherwise, I don’t think the Receiver logon field names are customizable. There’s a razor file on StoreFront that can be changed but I’ve had difficulty after changing it.

          1. I already made the settings in StoreFront.
            On first attempt I only had 1 LDAP policy and 1 RADIUS policy for the virtual server.
            At receiver logon I had USERID, Password and PASSCODE in this order. This didn’t work at all.
            After applying your settings for LDAP/RADIUS policies in this very post, it works like a charm, but now receiver logon displays USERID, PASSWORD 1, PASSWORD 2 where PASSWORD 1 is the TOKEN and PASSWORD 2 is the USERPASSWORD.

          2. During Discovery, the fields should be correct.

            After Discovery, it uses the Gateway configuration that came down from the StoreFront provisioning file. Are you maybe doing Single FQDN, and the Internal Beacon isn’t configured correctly, so it doesn’t use Gateway auth like it should?

    2. You can change the logon properties of the page such as the labels for the page like Password 1 etc by editing the portal theme. You will need to create a custom Portal theme to edit it though.

  3. Carl, this worked great with Entrust Identity Guard. One question: how do I get RADIUS logging/accounting enabled and configured on the NetScalers so I can do some much needed reporting? Thanks in advance

  4. Hi Carl,

    I’m having trouble with the authentication between NetScaler 11 and my RADIUS server. It seems to be a time setting but I can’t get my finger on the problem:

    Oct 4 21:4403 10/04/2016:19:43:42 GMT NSGW 0-PPE-0 : default AAA Message 886 0 : “RADIUS auth: in process_radius: Authentication failed for user test from server – Invalid Credentials” = Netscaler appliance (NSGW) = Radius server

    Date on netscaler root:
    TUE Oct 4 19:43:42 CEST 2016

    1. If you run “date” on NetScaler, what time zone does it show?

      When you change the time zone, you must do a “cold reboot” of the NetScaler. A warm reboot won’t copy the time zone file correctly.

      Is your Syslog policy set to GMT instead of Local time?

    2. I had a similar situation. We ran the “test Connection” on the Authentication RADIUS server and it informed us that the shared secret didn’t match the Radius server. We had to change to a simple password with no special characters to get them to work. Once that was configured everything worked.

  5. Carl, do I need to install a RADIUS server, or do I have LDAP configured wrong on my NetScaler? I continue to get this message with smart card logins. Thanks in advance

    AAA LOGIN_FAILED 210 0 : User – Failure_reason “External authentication server denied access” – Browser WTOS/1.0

    1. You can do “cat /tmp/aaad.debug” during login to see why the login is failing. I suspect that the certificate process is working but your LDAP might not be configured correctly.

      1. Thanks again Carl, I ran that command and now it shows

        ns_show_ldap_err_string LDAP error string: <>

        s_ldap_check_result LDAP action failed (error 49): Invalid credentials

        receive_ldap_user_bind_event Other invalid credentials: lctx->lflags = 00000000, lconf->flags = 00000004
        Fri Aug 19 15:24:10 2016
        /usr/home/build/rs_105_61_6_RTM/usr.src/netscaler/aaad/naaad.c[2263]: send_reject_with_code Rejecting with error code 4001

        I could have many issues, do i have to create, change, or add a session policy in addition to the samaccount for smart cards?

        1. This usually means the Bind account is invalid.

          Or it extracted UPN from the certificate and you didn’t specify UPN as the logon attribute in LDAP.

          1. OK, we may be getting close. I followed your guide on NetScaler Gateway LDAP Authentication and verified the bind account can bind to LDAP. I then scrolled down and found two ways to configure UPN; first I created a second LDAP policy and used UPN in the server logon name attribute. Do I fill in any other boxes in the other settings?

            I now get this

            receive_ldap_user_bind_event Other invalid credentials: lctx->lflags = 00000000, lconf->flags = 00000004
            Fri Aug 19 16:24:37 2016
            /usr/home/build/rs_105_61_6_RTM/usr.src/netscaler/aaad/naaad.c[2263]: send_reject_with_code Rejecting with error code 4001

  6. Hi Carl…

    Would like to know if it’s possible to use RADIUS as the only method of authentication with Citrix NetScalers for both Laptop/Desktop and mobile devices.

    Note: We are planning to use PingID (Cloud Solution) as the Multifactor solution for Citrix NetScaler. Here I will be using the PingFederate (In-House) server to act as a RADIUS server. The PingFederate gets the RADIUS request and forwards it to PingID for Second-Factor authentication. This is the reason why I would like to use RADIUS as a single-factor authentication.

    1. If you are connecting to XenApp/XenDesktop, then ultimately, you must login to Windows, which is either password or certificate. Maybe Federated Authentication Services can handle the Windows authentication. Or maybe your RADIUS server can return the user’s AD password.

      1. The RADIUS server can return the User’s AD password and we are using both XenDesktop/XenApp. So I would like to know on how do I proceed with the configuration.

          1. Not sure. But I will look at this and let you know. I am new to Citrix Netscaler. I want users to authenticate using their username and password only. This authentication should go through the RADIUS instead of the LDAP. The second password / passcode option should not be visible to the users.

          2. Then don’t bind the LDAP policy to the Gateway vServer. If the RADIUS password and the AD password are the same, then SSON to StoreFront should work. If they are different, then configure Password Return and NetScaler will use that password to SSON to StoreFront.

  7. Perfect article, Carl!! You mention article CTX205907 – how to hide the 2nd password field for Receiver 4.4. Any supported method to hide the 2nd password field for Mobile Devices (iOS/Android)?

  8. Would this work for Web Interface as well, for a site that’s set up to authenticate “Gateway Direct”?

    1. Yes.

      “Gateway Direct” is how ICA is routed and has nothing to do with authentication.

      When you create the Web Interface site, you’re asked where authentication is performed. You need to select “At Access Gateway”. If you didn’t do this, then you’ll have to delete the Web Interface site and re-create it.

      1. Right, got it a little backwards. I’ve set this up with “At Access Gateway” as the authentication point with the authentication service URL pointing to https://gatewayfqdn:443/citrixauthservice/authservice.asmx. I’ve got the NetScaler LDAP and RADIUS policies in place and the RSA RADIUS Client and Agent set up on its portal. Since I’ve done this I can put in the user/pass/token and it authenticates but then dies at the Web Interface with a 401 – Unauthorized error. It works fine without the RADIUS policies associated.

        Not sure if I need to install the RSA Security Center on the Web Interface or not. I mostly wanted to make sure this was doable first and foremost before diving down a rabbit hole.

        1. It should work. NetScaler should be sending the LDAP credentials to Web Interface.

          What error are you seeing in Application Log in Event Viewer?

          1. No errors are showing, I’ll make sure the policies are right and I didn’t mistype / attach them and see if that takes care of it.

          2. Did you swap the credentials so RADIUS is first? If RADIUS is first, make sure the session policy has Credential Index set to Secondary.

  9. Hi Carl, thanks for your support. I did this implementation and all works well, except when the user locks the mobile device (iPad) and retries to reconnect: the Receiver prompts me with only one password request and the login doesn’t work.

    thanks for your response

  10. Carl,

    New to NetScaler here. Can NetScalers and NetScaler Gateway be configured to where the Virtual instance that the users access (web portal) use multiple authentication methods such as:

    If External users:

    If Internal Users:
    User ID Password

    Also is there a way if this can be done the user has the ability to select which authentication method or if it does not detect Smartcard it goes to the other method?

    1. Not in the current release. This can be done in AAA with nFactor but not on NetScaler Gateway.

      For internal vs external, you can do split DNS. Or two Gateway vServers on the same VIP but with listener policies.

  11. Thanks for the document Carl. Do you know if NetScaler keeps a log of all the authentication calls to RADIUS such as Azure? We had a user who was able to log onto Citrix without getting a phone call from Azure. There was no activity for this user at the time she logged on in Azure, but we were able to see that she did log onto Citrix from the Windows Event Log. This is the only time it’s been reported to us that this has happened, but it would be interesting to see if there was a log entry in NetScaler and a reason why this user was allowed to log on without two-factor authentication. We have not been able to reproduce.

    1. Maybe in Syslog. Are you exporting Syslog to a remote Syslog server?

      NetScaler 11 increases AAA logging. There’s an Authentication node where you can view the auth log.

  12. Dear Carl,

    I have implemented SecurEnvoy to work with NetScaler, which is installed in a different network.

    I have created an Authentication Policy which is pointed to SecurEnvoy on port 1812.

    What is the communication port from SecurEnvoy to NetScaler?

    Thank you in advance.

    Basem Shalabi

    1. It should reply on whatever random port NetScaler uses for source port. This is no different than any other communication and your firewall should handle it automatically.

      1. Thank you Carl for your response… I have an issue in the Authentication part. It seems SecurEnvoy does authenticate the user; I have these logs, which I got from Wireshark. I also saw it goes from NSIP to SecurEnvoy,

        29245 11.862977010 RADIUS 114 Access-Reject(3) (id=82, l=20)

        [truncated]Syslog message: LOCAL0.WARNING: 02/11/2016:14:43:19 GMT vpxgw 0-PPE-0 : AAA LOGIN_FAILED 555429 0 : User basemsh – Client_ip – Failure_reason “External authentication server denied access” – Browser Mozilla/5.0.

        Would you please advise.

        Thank you for your cooperation.

        Best Regards,

        1. I can’t remember if the RADIUS monitor uses NSIP or not. But if you load balance locally then the RADIUS auth requests will definitely come from the SNIP.

  13. Carl, great post. Thank you for providing this. I have one question. Have you, or anyone you know of, deployed MFA with the Symantec VIP solution? I need to obtain all the AD group information for the user once VIP authenticates them. VIP does not provide the group information to the NetScaler.

    thank you

  14. Carl

    I have a question for you. We are doing Displaying of Bookmarks based on AAA Groups linked to AD Groups. Want to use DUO/Radius Authentication only as Primary. No LDAP as doing both through DUO. Does not work out of the box. Thoughts on that?

    1. Is your RADIUS server passing groups as RADIUS attributes? If so then you need to configure the RADIUS policy to use that attribute.

      1. Citrix has a guide for integrating with Microsoft NPS that shows how RADIUS attributes are used for authorization.

  15. Hi Carl,
    I have found your articles very useful.
    I am setting up multifactor RADIUS auth on NetScaler with SafeNet. The two servers are in the cloud.
    Would it be better to set up a LB VIP for these two servers, NAT it at our firewall and add it as a RADIUS client?
    Atm I have both AG VIPs for Citrix StoreFronts NATted at the FW and the public IPs set as RADIUS clients.

    1. The RADIUS client IP will be SNIP or NSIP, depending on if load balancing or not. It won’t be the VIP. In a HA Pair, SNIP floats between the two appliances. NSIPs are unique to each node.

  16. Excellent article – thank you for posting.

    Quick question regarding external RADIUS/Signify. Do you think it’s best to still create an Internal LB with the Primary / Secondary Signify Servers in the Service Group (using their external IPs) as you would with internal RSA servers?

    This way the address going out to the web is the SNIP, so you have a single source IP. Also, do you need to NAT your NS SNIP to a Public IP, or can you just specify the source address as the F/W address, which would be the source of the traffic without the NAT? This way, irrespective of whether you use monitors/SNIP or MIP, or if you have a HA cluster, the source IP will remain the same?

    1. I would probably load balance so there’s a single IP. You can use the default NAT if you’re willing to allow any internal IP to communicate with RADIUS. Or you can do a new NAT for the SNIP to restrict RADIUS to just the NetScaler.

      1. Excellent, thanks Carl.
        I have gone with the Single VIP (fronting two External Signify servers), with the Source IP being the f/w, as the tier only has NetScalers within it. That way it will only be a single source IP whether the monitors come from the BSD Kernel or not, and if the NetScalers fail over.
        Having a Single LB VIP for all RADIUS really simplifies the Profiles too, as you can have a single set rather than needing different policies/profiles for each RADIUS server.
        Thanks again, great Blog!!!

  17. Hey there, Carl.

    Thanks for all the great guides you’re writing, they’ve been a great help!

    You have a small error though at the top. You wrote HTTP.REQ.HEADER instead of REQ.HTTP.HEADER.

  18. Hello Carl,

    It’s really very helpful. I am new to AG and can’t understand where I should put the RSA config file on NetScaler. Please can you help me?

  19. Hey Carl, love your work – it’s been a great help. I think I noted a typo in this one: where you have listed the auth policies for both browser and native connections, under secondary you have listed LDAP for the browser, which I think should be RADIUS.

  20. Hi Carl, I need to send RADIUS authentication to different RADIUS servers based on the user’s domain, which they select via a drop-down field.
    Can I use the cookie CONTAINS “domain” like I’m using with the LDAP authentications?

    1. That should work. Put the Cookie expression in your RADIUS policy and it should only use the one that matches the cookie.
