
For NS Gateway 2FA - must you have LDAP AND RADIUS?


The articles below indicate adding LDAP AND RADIUS servers to the Citrix Netscaler in order to enable 2FA. Can someone explain why it won't work with just a pointer to a RADIUS server as MS RADIUS is integrated with Active Directory - I don't understand why a separate LDAP configuration is also required for 2FA to work. Thanks for any insight.






If your RADIUS server handles LDAP auth as well, then you can do 2FA with just a RADIUS connection. I use this often with Duo AuthProxy.

You can also use SAML to providers with multiple factors; that is a single connection.

The primary and secondary auth work as the MS RADIUS connects to AD to link your username with the token code.


You are definitely right. RADIUS is not needed. You could do LDAP twice, even to the same domain. However, the point of 2FA is to have different passwords for both factors, so it's recommended to use different targets.

The easiest way to do 2FA is using something like DUO or Okta. In that case, you would just send the LDAP password to the RADIUS server; the RADIUS server does the domain logon and sends a challenge to the user's phone. The user has to reply to the challenge. If the user does, the user is logged on. If the user does not, logon fails.


Greetings from Austria


Johannes Norz

