
RSA / LDAP dual auth with netscaler VPX 200


We finally were able to get our RADIUS system connected - so we now have our LDAP policy and RADIUS policies set up via basic authentication policies.


After trying to figure out why the second password field was not appearing, we found there was an authentication profile, with an advanced authentication policy tied to the NetScaler Gateway - and it appeared this was overriding the basic authentication policies that we had put in place.


I unbound the advanced authentication policy and removed the authentication profile from the NetScaler Gateway.


The two items related to authentication that are still tied to the NetScaler Gateway are the ldapPolicy and the RADIUS policy.


We are logging in via the web browser so I am making the ldapPolicy the primary and the ldapPolicy my secondary policy.  


Both servers are bound and are showing that they are connected. Both basic policies are bound and showing they are connected.


I attempt to enter my information - username / password (AD) and my RSA token (for my second user passcode).


Here is the error message that is appearing after we click the logon button.  


No active policy is found in Primary authentication cascade
Please contact your administrator.


Any ideas on why it is showing that there are no active policies when I have 2 basic authentication policies?


Are you trying to separate LDAP and RADIUS authentication (in case a user will get RADIUS when he comes without Citrix Receiver and LDAP when he comes with Receiver), or do you need two policies to make your RADIUS product work?

I haven't configured RSA for a long time, so I am not exactly sure how they are implemented within NetScaler, but I know RADIUS solutions which require a primary LDAP and a secondary RADIUS authentication policy, both set to ns_true.

Currently, when you come via browser, your policy is set to only use the RADIUS policy because your browser obviously doesn't contain CitrixReceiver User-Agent Header.

That's why NetScaler prompts the error message, because it won't use the LDAP Policy and cannot verify your LDAP credentials.

If you just want LDAP and RADIUS for all users, no matter if they come via browser or receiver, you can just use both policies (LDAP primary, RADIUS secondary or vice versa, depending how RSA works) with ns_true and it should work.
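Added example, not from either poster: the classic NetScaler CLI configuration the reply describes (LDAP primary, RADIUS secondary, both with ns_true), plus the two checks a practitioner would run for the symptom in the original post (a leftover authentication profile on the vserver, and which policies are actually bound). Server addresses, secrets and the names gw_vs, ldap_act, ldap_pol, rsa_act and rsa_pol are placeholders.

```nscli
# --- Actions: one LDAP (AD) and one RADIUS (RSA) server ---
add authentication ldapAction ldap_act -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc_ns,ou=svc,dc=example,dc=com" -ldapBindDnPassword "<placeholder>" -ldapLoginName sAMAccountName
add authentication radiusAction rsa_act -serverIP 10.0.0.20 -serverPort 1812 -radKey "<placeholder>"

# --- Classic policies with ns_true: apply to every client, browser or Receiver ---
# A policy whose expression only matches Receiver (e.g. REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver)
# is not active for a browser login, which is what produces
# "No active policy is found in Primary authentication cascade".
add authentication ldapPolicy ldap_pol ns_true ldap_act
add authentication radiusPolicy rsa_pol ns_true rsa_act

# --- Make sure no authentication profile (advanced auth) overrides the classic bindings ---
unset vpn vserver gw_vs -authnProfile

# --- Bind: LDAP primary, RADIUS secondary (swap if the RSA product expects the reverse) ---
bind vpn vserver gw_vs -policy ldap_pol -priority 100
bind vpn vserver gw_vs -policy rsa_pol -priority 100 -secondary

# --- Checks: the authentication profile must be gone and both bindings must be listed ---
show vpn vserver gw_vs
show authentication ldapPolicy ldap_pol
show authentication radiusPolicy rsa_pol
```

With both policies bound this way the logon page shows two password fields, and a classic policy bound only to a secondary cascade never satisfies the primary cascade on its own.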

