NetScaler Gateway 12 RADIUS Authentication

Last Modified: Sep 2, 2018 @ 7:53 am


Change Log

RADIUS Overview

One method of two-factor authentication to NetScaler Gateway is the RADIUS protocol with a two-factor authentication product (tokens) that has RADIUS enabled.

RADIUS Clients and Source IP – On your RADIUS servers, you’ll need to add the NetScaler appliances as RADIUS Clients. When NetScaler uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the NetScaler SNIP (Subnet IP). When NetScaler uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the NetScaler NSIP (NetScaler IP). Use the correct IP(s) when adding the NetScaler appliances as RADIUS Clients. And adjust firewall rules accordingly.

  • For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client, since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS, then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances.


Some two-factor products (e.g. SMS Passcode) require you to hide the 2nd password field. Receiver 4.4 and newer supports hiding the 2nd field if you configure a Meta tag in index.html.

Two-factor Policies Summary

NetScaler has two methods of multi-factor:

  • NetScaler Gateway Virtual Server has bind points for Primary and Secondary authentication. This functionality is available in all NetScaler Editions and is detailed in this post.
  • nFactor Authentication supports unlimited factors, but requires NetScaler Enterprise Edition or NetScaler Platinum Edition.

See the NetScaler 12 page for additional authentication mechanisms supported by NetScaler 12. Some require nFactor.

When configuring the NetScaler Gateway Virtual Server, you can specify both a Primary authentication policy, and a Secondary authentication policy. Users are required to successfully authenticate against both policies before being authorized for NetScaler Gateway.

For browser-based StoreFront, you need two authentication policies:

  • Primary = LDAPS authentication policy pointing to Active Directory Domain Controllers.
  • Secondary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.

For Receiver Self-service (native Receiver on mobile, Windows, and Mac), the authentication policies are swapped:

  • Primary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.
  • Secondary = LDAPS authentication policy pointing to Active Directory Domain Controllers.

If you need to support two-factor authentication from both web browsers and Receiver Self-Service, then you’ll need at least four authentication policies as shown below.


  • Priority 90 = RADIUS policy. Expression = REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = LDAP policy. Expression = REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver


  • Priority 90 = LDAP policy. Expression = REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = RADIUS policy. Expression = REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver

Create Two-factor Policies

Create an LDAP Server/Action

See the LDAP post for instructions. Only the server/action is needed. The Policies will be created later.

Create a RADIUS Sever/Action

  1. On the left, expand Authentication, and click Dashboard.
  2. On the right, click Add.
  3. Change Choose Server Type to RADIUS.
  4. Give the server a name.
  5. Specify the IP address of the RADIUS load balancing Virtual Server.
  6. Enter the secret key specified when you added the NetScalers as RADIUS clients on the RADIUS server. Click Test Connection.
  7. If you want NetScaler to receive AAA Group information from RADIUS, see CTX222260 Radius Group Extraction from Windows Server 2008/2012 with NetScaler/CloudBridge.  💡
    • RADIUS attribute = 26 (Vendor-Specific)
    • Vendor Code = 3845 (Citrix)
    • Vendor-assigned attribute number = any number (e.g. 1). Configure RADIUS policy on NetScaler with same attribute number.
    • Attribute value = Group Name
  8. Scroll down, and click Create.

    add authentication radiusAction RSA -serverIP -serverPort 1812 -radKey Passw0rd

Create Authentication Policies for LDAP and RADIUS

  1. Since you can’t create authentication policies from the authentication dashboard, go to NetScaler Gateway > Policies > Authentication > RADIUS.
  2. On the right, in the Policies tab, click Add.
  3. Name it RSA-ReceiverSelfService or similar.
  4. Select the RADIUS server created earlier.
  5. Enter an expression. You will need two policies with different expressions. The expression for Receiver Self-Service is REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver. Note: NetScaler 12 does not natively support Advanced Authentication Policies so you’ll have to create them as Basic Policies (classic expressions).
  6. Click Create.
  7. If you see a warning about deprecation, click OK, and ignore it.
  8. Create another RADIUS policy to match the ones shown below. Both RADIUS policies are configured with the same RADIUS server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS):
    Name Expression Server
    RSA-ReceiverSelfService REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver RSA
    RSA-ReceiverForWeb REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver RSA

  9. Go to the NetScaler Gateway\Policies\Authentication\LDAP node.
  10. On the Policies tab, create two policies with the expressions shown below. Both LDAP policies are configured with the same LDAP server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS).
    Name Expression Server
    LDAP-Corp-ReceiverSelfService REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver LDAP-Corp
    LDAP-Corp-ReceiverForWeb REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver LDAP-Corp

add authentication radiusPolicy RSA-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA

add authentication radiusPolicy RSA-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA

add authentication ldapPolicy Corp-Gateway-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Corp-Gateway

add authentication ldapPolicy Corp-Gateway-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Corp-Gateway

Bind Two-factor Policies to Gateway

  1. When you create or edit a NetScaler Gateway Virtual Server, bind the Basic Authentication Policies as shown in the following table. Priority doesn’t matter because they are mutually exclusive.
    Policy Name Type Bind Point
    LDAP-Corp-ReceiverForWeb LDAP Primary
    RSA-ReceiverSelfService RADIUS Primary
    LDAP-Corp-ReceiverSelfService LDAP Secondary
    RSA-ReceiverForWeb RADIUS Secondary

    bind vpn vserver -policy Corp-Gateway-ReceiverForWeb -priority 100
    bind vpn vserver -policy RSA-ReceiverSelfService -priority 110
    bind vpn vserver -policy RSA-ReceiverForWeb -priority 100 -secondary
    bind vpn vserver -policy Corp-Gateway-ReceiverSelfService -priority 110 -secondary
  2. The Session Policy/Profile for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to Primary.

    set vpn sessionAction "Receiver Self-Service" -ssoCredential SECONDARY
  3. On the StoreFront server, when creating the NetScaler Gateway object, on the Authentication Settings page, change the Logon type to Domain and security token. This instructs Receiver to properly handle two-factor authentication. If you change this setting after Receiver has already performed discovery, then users might have to remove the Account from Receiver and re-add it.

18 thoughts on “NetScaler Gateway 12 RADIUS Authentication”

  1. Hi Carl, I have configured 2 factor authentication on our NetScaler for LDAPS and RADIUS. Login appears successful through the receiver however I get ‘cannot complete your request’.

  2. So can an NS be configured to support 2 step authentication ala having an SMS code sent to a mobile device instead of using an event-driven token or an OAUT app like google authenticator. Looking for the experience to be…

    – user logs in with username and password
    – RADIUS triggers an MFA request by way of SMS to users mobile
    – NS throws a prompt to enter the SMS code… login successful….

    As it stands when you enable the RADIUS auth it adds the code field to the login screen as a third box, at that point we havent yet got the code !

    Any suggestions ? or is this not possible…. If anyone knows this you will Carl !!

    Only asking this as we use Microsoft Multi Factor Authentication server for MFA, recently deprecated the phone calls option in preference for SMS (which works really well on our MS web based apps)

    NS integrates to it for RADIUS without issue but the order of events seems to not work…..

      1. In my Environment it seems not to work with NetScaler 12.1 I see the policy hits, but the 2nd password field is still showing up.
        Do i need to configure someting different with Netscaler 12.1?

  3. Hello Carl

    I have a Netscaler 12 VPX 1000 Enterprise license and would like to make 2 factor Auth against the storefront.
    I always get the error code 4020.
    Can you help me?

  4. I am using NetScaler Gateway 12.0-57.19 and I am also having this same problem. I use a NetScaler in Azure, with MFA authentication.The problem is only with iPhone, where it always asks for “Token” in the configuration. For Citrix Receiver in Windows everything is ok.

  5. Hi Carl,
    In your screenshot below Authentication there are no Advanced and Basic policies.Are the screenshots really from v12 ?
    Because Citrix is going to deprecate Basic policies how to do it with Advanced ones ? I created two advanced policies (LOCAL, LDAP) bind them to an authentication server with respectively 100 and 110 priority value (both have NEXT set up). Unfortunately I can see only one password field. If I move to Basic an create Primary and Secondary I can see two password fields. Does it mean Citrix plays tricks on me showing Deprecation warning message ?

    1. They seem to be encouraging nFactor. You can bind Advanced Authentication Policies to a AAA vServer, and then use an Authentication Profile to link it to a Gateway vServer. This requires NetScaler Enterprise Edition. It would certainly be easier if I can bind nFactor and Advanced Authentication Policies directly to Gateway.

      1. Thank you very much. Seems a new adventure is calling me now … Adventure with Authentication profiles …

  6. Hi Carl,
    We need to transition to duo from rsa for our 2 factor auth. Using the same url, is there an easy way to transition using the same gateway url?

  7. Carl,

    Is there a way of using the netscaler virtual server IP address to send to the radius server? Ultimately the NISP is sent. I need to have dedicated policies and profile on our Radius service which can be triggered by the the actual individual virtual servers IP addresses and not the NISP or SNIP

    1. You should be able to create a Net Profile that specifies the VIP, then bind the Net Profile to the Load Balancing Virtual Server.

  8. we tested with “domain and sedurity token” and domain only. we also added the provided meta tag.
    with domain only and the meta tag it is working for us. but we have then the 3rd field in the browser.
    if i add the rewrite policy to hide this in browser the receiver stopped working. 🙁
    it is so frustrating.

  9. Hi Carl, as always a realy helpful article. But something working wrong on my site. I configured all as you write above. Login from Web works fine by entering Username and Password, leaving Password2 empty. (Radius is challange/response) On iOS and Android also all is working fine. But on Windows Receiver (tested with 4.9 and 4.7) I have to enter the Password in the Password2 fiel. 🙁 Login is working fine after that.
    Do you know what I have configured wrong on my Netscaler?
    Best regards

Leave a Reply