RADIUS Authentication – NetScaler Gateway 12 / Citrix Gateway 12.1

Last Modified: Sep 21, 2019 @ 3:48 pm

Navigation

Change Log

RADIUS Overview

One method of two-factor authentication to Citrix Gateway is the RADIUS protocol with a two-factor authentication product (tokens) that has RADIUS enabled.

RADIUS Clients and Source IP – On your RADIUS servers, you’ll need to add the ADC appliances as RADIUS Clients. When ADC uses a local (same appliance) load balanced Virtual Server for RADIUS authentication, the traffic is sourced from the ADC SNIP (Subnet IP). When ADC uses a direct connection to a RADIUS Server without going through a load balancing Virtual Server, or uses a remote (different appliance) Load Balancing Virtual Server, the traffic is sourced from the ADC NSIP (ADC Management IP). Use the correct IP(s) when adding the ADC appliances as RADIUS Clients. And adjust firewall rules accordingly.

  • For High Availability pairs, if you locally load balance RADIUS, then you only need to add the SNIP as a RADIUS Client, since the SNIP floats between the two appliances. However, if you are not locally load balancing RADIUS, then you’ll need to add the NSIP of both appliances as RADIUS Clients. Use the same RADIUS Secret for both appliances.

Links:

Some two-factor products (e.g. SMS Passcode) require you to hide the 2nd password field. Receiver 4.4 and newer supports hiding the 2nd field if you configure a Meta tag in index.html.

Two-factor Policies Summary

ADC has two methods of multi-factor:

  • Citrix Gateway Virtual Server has bind points for Primary and Secondary authentication. This functionality is available in all ADC Editions and is detailed in this post.
  • nFactor Authentication supports unlimited factors, but requires ADC Advanced Edition (formerly known as Enterprise Edition) or ADC Platinum Edition.

See the ADC 12 page for additional authentication mechanisms supported by NetScaler 12 and ADC 12.1. Some require nFactor.

When configuring the Citrix Gateway Virtual Server, you can specify both a Primary authentication policy, and a Secondary authentication policy. Users are required to successfully authenticate against both policies before being authorized for Citrix Gateway.

For browser-based StoreFront, you need two authentication policies:

  • Primary = LDAPS authentication policy pointing to Active Directory Domain Controllers.
  • Secondary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.

For Receiver Self-service (native Receiver on mobile, Windows, and Mac), the authentication policies are swapped:

  • Primary = RADIUS authentication policy pointing to RSA servers with RADIUS enabled.
  • Secondary = LDAPS authentication policy pointing to Active Directory Domain Controllers.

If you need to support two-factor authentication from both web browsers and Receiver Self-Service, then you’ll need at least four authentication policies as shown below.

Primary:

  • Priority 90 = RADIUS policy. Expression = REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = LDAP policy. Expression = REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver

Secondary:

  • Priority 90 = LDAP policy. Expression = REQ.HTTP..HEADER User-Agent CONTAINS CitrixReceiver
  • Priority 100 = RADIUS policy. Expression = REQ.HTTP..HEADER User-Agent NOTCONTAINS CitrixReceiver

Create Two-factor Policies

Create an LDAP Server/Action

See the LDAP post for instructions. Only the server/action is needed. The Policies will be created later.

Create a RADIUS Server/Action

  1. On the left, expand Authentication, and click Dashboard.
  2. On the right, click Add.
  3. Change Choose Server Type to RADIUS.
  4. Give the server a name.
  5. Specify the IP address of the RADIUS load balancing Virtual Server.
  6. Enter the secret key specified when you added the ADCs as RADIUS clients on the RADIUS server. Click Test RADIUS Reachability.
  7. Scroll down, and click More.
  8. Find the Password Encoding drop-down. Change it to mschapv2 if your RADIUS server supports it, c. Microsoft NPS requires mschapv2 to support changing expired Active Directory passwords. 💡
  9. If you want ADC to receive AAA Group information from RADIUS, see CTX222260 Radius Group Extraction from Windows Server 2008/2012 with NetScaler/CloudBridge.
    • RADIUS attribute = 26 (Vendor-Specific)
    • Vendor Code = 3845 (Citrix)
    • Vendor-assigned attribute number = any number (e.g. 1). Configure RADIUS policy on ADC with same attribute number.
    • Attribute value = Group Name
  10. Click Create.

    add authentication radiusAction RSA -serverIP 10.2.2.210 -serverPort 1812 -authTimeout 60 -radKey Passw0rd -passEncoding mschapv2

Create Authentication Policies for LDAP and RADIUS

  1. Go to Citrix Gateway > Policies > Authentication > RADIUS.
  2. On the right, in the Policies tab, click Add.
  3. In the Create Authentication RADIUS Policy page:
    1. Name the policy RSA-ReceiverSelfService or similar.
    2. Select the RADIUS server created earlier.
    3. Enter an expression. You will need two policies with different expressions. The expression for Receiver Self-Service is REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver.
      Note: Citrix Gateway 12.1 does not natively support binding of Advanced Authentication Policies so you’ll have to create them as Basic Policies (classic expressions). You can only bind Advanced Authentication Policies using nFactor.
  4. Click Create.
  5. If you see a warning about deprecation, click OK, and ignore it.
  6. Create another RADIUS policy to match the ones shown below. Both RADIUS policies are configured with the same RADIUS server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS):
    Name Expression Server
    RSA-ReceiverSelfService REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver RSA
    RSA-ReceiverForWeb REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver RSA

  7. Go to the Citrix Gateway\Policies\Authentication\LDAP node.
  8. On the Policies tab, create two policies with the expressions shown below. Both LDAP policies are configured with the same LDAP server. The only difference between them is the expression (CONTAINS vs NOTCONTAINS).
    Name Expression Server
    LDAP-Corp-ReceiverSelfService REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver LDAP-Corp
    LDAP-Corp-ReceiverForWeb REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver LDAP-Corp

add authentication radiusPolicy RSA-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" RSA

add authentication radiusPolicy RSA-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" RSA

add authentication ldapPolicy Corp-Gateway-ReceiverForWeb "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver" Corp-Gateway

add authentication ldapPolicy Corp-Gateway-ReceiverSelfService "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver" Corp-Gateway

Bind Two-factor Policies to Gateway

  1. When you create or edit a Citrix Gateway Virtual Server, bind the Basic Authentication Policies as shown in the following table. Priority doesn’t matter because they are mutually exclusive.
    Policy Name Type Bind Point
    LDAP-Corp-ReceiverForWeb LDAP Primary
    RSA-ReceiverSelfService RADIUS Primary
    LDAP-Corp-ReceiverSelfService LDAP Secondary
    RSA-ReceiverForWeb RADIUS Secondary

    bind vpn vserver gateway.corp.com -policy Corp-Gateway-ReceiverForWeb -priority 100
    
    bind vpn vserver gateway.corp.com -policy RSA-ReceiverSelfService -priority 110
    
    bind vpn vserver gateway.corp.com -policy RSA-ReceiverForWeb -priority 100 -secondary
    
    bind vpn vserver gateway.corp.com -policy Corp-Gateway-ReceiverSelfService -priority 110 -secondary
    
  2. The Session Policy/Profile for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to Primary.

    set vpn sessionAction "Receiver Self-Service" -ssoCredential SECONDARY
  3. On the StoreFront server, when creating the NetScaler Gateway object, on the Authentication Settings page, change the Logon type to Domain and security token. This instructs Receiver / Workspace app to properly handle two-factor authentication. If you change this setting after Receiver / Workspace app has already performed discovery, then users might have to remove the Account from Receiver / Workspace app and re-add it.

67 thoughts on “RADIUS Authentication – NetScaler Gateway 12 / Citrix Gateway 12.1”

  1. Hi Carl,

    By default Netscalar gateway ask for username, Password and Password2 in the same login page. Is there a way to configure it to ask for Username and Password in one page and Password2 in the next page.

    Say, I have LDAP as primary authentication and RADIUS as secondary authentication (i am entering an RSA passcode and contacting RSA radius server to get authenticated). So what i want is to enter username and LDAP password on the first page and just RSA passcode on the second page. is there a way to break up the Netscalar login page to allow this ?

    Thanks!

      1. thanks for the quick response. Apart from nFactor is there any other way to achieve this? I just wanted to confirm nFactor is the only way to do this.

        1. Duo RADIUS sends a RADIUS challenge instead of requiring the user to enter a passcode on the first page. I’m not sure if RSA supports something similar. Otherwise, nFactor is the best option.

    1. Hi Carl,

      Is there a way to set radius besides using the Netscaler Gateway option. Right now I have virtual servers under “load balancing” and I’ll like to set the Radius authentication under this option.

      Thank you!

      1. You can add a AAA (Authentication) vServer and bind it to the LB vServer. NetScaler will prompt the user to authenticate before allowing access to the website.

  2. Just wanted to give a shout and say Thank You for the time you put into these articles. We’ve been battling a migration to new 7.15 environment with doubleNAT DMZ and 2FA, and your insights have been crucial along the way. We routinely refer to you as “Our Guy Carl Who Knows Everything About Citrix…” Keep up the great work!

  3. Hello Carl, thanks you for the loads of information.
    We are using Netscaler with Radius for 2 factor authentication.
    When connecting from browser, ldap and token is required.
    In the native Citrix Workspace, the sms token is only asked after creating the account. Next time I can login without the token. The device seems to stay validated. Is there a timeout so that next time a user logs on, sms token is asked again ?

    1. If the Internal Beacon is reachable, then Workspace will connect directly to StoreFront, which doesn’t require MFA. If Internal Beacon is not reachable, then Workspace uses the Gateway authentication settings configured in StoreFront Console > Manage NetScaler Gateways > Edit > Authentication. It should be set to Domain + Token.

      1. That’s what I expected too! When I’m connecting from WAN with Workspace App, the first time I need to create an account. I’m asked for loginname, password and after the a new field for sms token is presented.. Login works fine!.When I then logoff Citrix Workspace, or reboot my laptop and login into the Workspace App, online loginname and password is asked. The sms token is never asked again. My apps are presented and I start the apps without problems. I would like the sms token in Workspace App to expire e.g. within one hour or half an hour. So next time I login to the Workspace App there will also be a sms token required.
        Thanks for commenting!

  4. This is an awesome article. I’m quite new to Netscaler and with your help I managed to set up LDAP and Radius authentication. From netscaler point of view everything looks fine. Radius monitor authenticates successfully. LDAP without Radius works perfectly. But I’m not able to login with LDAP & Radius because my token seems to be in new-pin mode. The window to set a new pin/passcode doesn’t come up. aaad.debug shows successful LDAP auth but rejected Radius auth. Any idea what I’m doing wrong? Thanks

  5. Hi Carl,

    somehow i cannot reply to your previous answer.

    My netscaler is just connected to the RADIUS Server, so no directly Active Directory connection at all. Is there a way to just use the successful RADIUS Login to connect to the store ?

    So without any further passthrough or login?

    Regards,
    Sanchez

    1. Ultimately the user will need to log into a VDA machine, which requires Active Directory authentication. StoreFront needs Active Directory username to determine which icons the user is entitled to see.

  6. Hi Carl

    Is there a way to have 2 RADIUS authentication bound to the same Virtual Server and direct the user to the correct one based on AD group membership?

    The use case for this would be when having 2 MFA providers.

    Thanks

    1. With nFactor, yes. nFactor can extract LDAP group membership and then user group membership to choose the next factor.

    1. Just put RADIUS in primary and LDAP in secondary. Users will then be prompted for RADIUS first and LDAP second so you’ll have to edit your Portal Theme labels correctly. You can also swap the fields on the Portal Theme but that requires hacking the HTML code.

      1. Thanks Carl. I already changed RADIUS as the primary authentication and LDAP as secondary. But client is interested in seeing it in the login portal also.

        Is there any citrix blog talks about editing the html page for changing it. Unfortunately not found one.

        1. Depends on the theme. For non-RFWEBUI (e.g. X1), you can modify the gateway_login_form_view.js file to swap the password fields. Then use the normal process to change the labels.

  7. Hi Carl, thank you for your outstanding site. I need help with our unique configuration. We have two factor (RSA and AD) but not from one screen. Users prompted for RSA ID and token and after successful authentication redirected to Citrix Web Interface for AD password. I am trying to migrate the same to StoreFront but cannot find the correct settings. I found this https://support.citrix.com/article/CTX237625 but as usual with Citrix documentation they seem to be missing something. Any advice is greatly appreciated. Thanks

  8. Hi Carl,

    Thanks for your response.
    Can you help me please what would be the configuration changes that I need to do in storefront and Netscaler 12.1? Already unchecked single sign-on to web applications under clients experience in Netscaler.

    In storefront already did the trial an error config but to no avail still the cannot complete error persist. Thanks Carl.

    Regards,
    John

  9. Hi Carl,

    I followed the above article it is very useful, but after providing radius token it goes back to ” Can not complete Request” and if i remove radius and use LDAP authentication works fine and application launches fine

      1. Hi Carl,

        Thanks for this article.

        I got ‘cannot complete request error’ too while doing radius authentication.
        I’m using only Radius(without LDAP).

        Tried to gather logs also via aaad.debug and got the below message error.
        I was able to authenticate successfully based on the logs.

        error message:
        process_radius 0-71: extracted group string :(null)

        Hope you could help me on this. Thanks Carl!

        Regards,
        John

        1. Are users entering their AD password into the RADIUS field? If not, then it’s not possible to do Single Sign-on from NetScaler to StoreFront and you’d have to make some changes to StoreFront.

          1. Hi Carl,

            im having trouble with the “cannot complete your request” error too.

            I followed your guide to configure RADIUS authentication.

            The aaadebug shows me that the authentication is successful and ends with “sending accept to kernel for: user@domain”.

            In the windows Event-Viewer, i get the Event ID´s 7 and 10.

            I want to delegate the whole authentication to the netscaler, which is connected with a RADIUS Server in a different domain.

            Do you got any tips to solve this issue?

            Regards,
            Sanchez

          2. Does NetScaler have access to the user’s Active Directory password? If not, then you’ll need to follow the instructions in the FAS article, especially related to configuring StoreFront to delegate authentication to NetScaler. https://www.carlstalhood.com/citrix-federated-authentication-service-saml/

            I assume it has access to the user’s Active Directory username.

            Another option is to configure StoreFront to prompt the user for Active Directory credentials. https://support.citrix.com/article/CTX200066

  10. Hi Carl,
    Just wondering if you can help me. I need to do the following with my NetScaler 12.1 appliance:
    1. Use a single SSL VPN endpoint to provide MFA via Azure MFA server (Azure MFA will handle both Windows and Radius auth)
    2. Apply different session policies based on AD user group, logic is If user is member of Group A, apply session policy with Split Tunneling off if user is member of Group B, apply session policy with Split Tunneling on.
    3. Access to SSL VPN is provided by the NetScaler Gateway client only

    Are you able to advise what is the best way to achieve this?

    Your help would be much appreciated.

    Thanks

    1. Which particular step do you need guidance on?

      If Azure MFA Server, enable the LDAP listener, and configure NetScaler to use LDAP so it can get the user’s groups. It’s more difficult with RADIUS.

      Once you have groups, then the rest is standard.

      1. Hi Carl,
        Thanks for the prompt response. I’ve configured the NetScaler Gateway to use Radius as it’s primary authentication and Azure MFA Server. This works great. Where I’m struggling is to understand the process I need to go through to get the NetScaler to grab the AD Groups so I can use them for Session policy assignment.

        Configuration I have used is based on this article http://download.microsoft.com/download/1/A/4/1A482764-4A63-45C2-A5EC-2B673ACCDD12/Citrix_NS_Azure_MFA_RADIUS.docx

        Regards.

        1. The MFA Server has an option to listen using LDAP instead of RADIUS. Then you configure NetScaler to talk to MFA Server using LDAP instead of RADIUS. I think MFA Server will send back the user’s groups using LDAP.

  11. Unable to hide the passcode field in receiver / workspace client under NetScaler 12.1 where it was working fine using the well documented rewrite policy under NetScaler 12.0.

    Does anyone have any information on how to achieve the same under NetScaler 12.1?

    1. You’re doing this with the X1 theme? What procedure? I recently followed Duo’s procedure and I couldn’t get it to work until I failed over over my HA pair. Something was cached.

  12. Changing the logon type to “Domain and security token” is valid for ReceiverSelfService only or ReceiverforWeb as well?

    1. Just for ReceiverSelfService. It controls the authentication settings in the provisioning file, which is read by ReceiverSelfService.

      1. Thanks Carl. I have load balanced Defender servers on the NetScaler. I gave the the SNIP to Defender guys to create an agent (client). Am I doing it right?
        What should be the username and password for Defender while creating the Monitor?

        1. For RADIUS monitor, you want a username that has a static password. Or, set your RADIUS monitor to look for result code 3, which means that RADIUS rejected the authentication request. However, rejected requests usually fill up the logs on the RADIUS server.

  13. Hi Carl, I have configured 2 factor authentication on our NetScaler for LDAPS and RADIUS. Login appears successful through the receiver however I get ‘cannot complete your request’.

  14. So can an NS be configured to support 2 step authentication ala having an SMS code sent to a mobile device instead of using an event-driven token or an OAUT app like google authenticator. Looking for the experience to be…

    – user logs in with username and password
    – RADIUS triggers an MFA request by way of SMS to users mobile
    – NS throws a prompt to enter the SMS code… login successful….

    As it stands when you enable the RADIUS auth it adds the code field to the login screen as a third box, at that point we havent yet got the code !

    Any suggestions ? or is this not possible…. If anyone knows this you will Carl !!

    Only asking this as we use Microsoft Multi Factor Authentication server for MFA, recently deprecated the phone calls option in preference for SMS (which works really well on our MS web based apps)

    NS integrates to it for RADIUS without issue but the order of events seems to not work…..

      1. In my Environment it seems not to work with NetScaler 12.1 48.13.nc.. I see the policy hits, but the 2nd password field is still showing up.
        Do i need to configure someting different with Netscaler 12.1?

        1. I appear to have the same issue running NetScaler 12.1 although I am only really concerned with hiding the passcode field in the receiver client. This was previously working under NetScaler 12.0 using the well documented X-Citrix-AM-GatewayAuthType = SMS rewrite action

        2. What I had to do was remove the secondary authentication (which only adds a PIN box) and change primary authentication to RADIUS at which point you see username and PIN on the one screen and no prompts for another PIN.

          1. If you have a single authentication server (e.g. NPS plus Azure MFA) that can do both authentication steps, then that’s the easiest configuration for NetScaler. However, users might not be able to change their expired AD passwords.

  15. Hello Carl

    I have a Netscaler 12 VPX 1000 Enterprise license and would like to make 2 factor Auth against the storefront.
    I always get the error code 4020.
    Can you help me?

  16. I am using NetScaler Gateway 12.0-57.19 and I am also having this same problem. I use a NetScaler in Azure, with MFA authentication.The problem is only with iPhone, where it always asks for “Token” in the configuration. For Citrix Receiver in Windows everything is ok.

  17. Hi Carl,
    In your screenshot below Authentication there are no Advanced and Basic policies.Are the screenshots really from v12 ?
    Because Citrix is going to deprecate Basic policies how to do it with Advanced ones ? I created two advanced policies (LOCAL, LDAP) bind them to an authentication server with respectively 100 and 110 priority value (both have NEXT set up). Unfortunately I can see only one password field. If I move to Basic an create Primary and Secondary I can see two password fields. Does it mean Citrix plays tricks on me showing Deprecation warning message ?

    1. They seem to be encouraging nFactor. You can bind Advanced Authentication Policies to a AAA vServer, and then use an Authentication Profile to link it to a Gateway vServer. This requires NetScaler Enterprise Edition. It would certainly be easier if I can bind nFactor and Advanced Authentication Policies directly to Gateway.

      1. Thank you very much. Seems a new adventure is calling me now … Adventure with Authentication profiles …

  18. Hi Carl,
    We need to transition to duo from rsa for our 2 factor auth. Using the same url, is there an easy way to transition using the same gateway url?
    thanks,
    Zach

  19. Carl,

    Is there a way of using the netscaler virtual server IP address to send to the radius server? Ultimately the NISP is sent. I need to have dedicated policies and profile on our Radius service which can be triggered by the the actual individual virtual servers IP addresses and not the NISP or SNIP

    1. You should be able to create a Net Profile that specifies the VIP, then bind the Net Profile to the Load Balancing Virtual Server.

  20. we tested with “domain and sedurity token” and domain only. we also added the provided meta tag.
    with domain only and the meta tag it is working for us. but we have then the 3rd field in the browser.
    if i add the rewrite policy to hide this in browser the receiver stopped working. 🙁
    it is so frustrating.

  21. Hi Carl, as always a realy helpful article. But something working wrong on my site. I configured all as you write above. Login from Web works fine by entering Username and Password, leaving Password2 empty. (Radius is challange/response) On iOS and Android also all is working fine. But on Windows Receiver (tested with 4.9 and 4.7) I have to enter the Password in the Password2 fiel. 🙁 Login is working fine after that.
    Do you know what I have configured wrong on my Netscaler?
    Best regards
    Beat

Leave a Reply to Martinho Cancel reply