
Citrix NetScaler Gateway multi-domain 2FA via RADIUS


Michele Pacucci

We have two separate Citrix Virtual Desktop environments in two different domains. We have one StoreFront, one NetScaler Gateway and two RADIUS servers, which have the two LDAP domains and SMS 2FA activated.

Our goal:

User from domain1 authenticates with user@domain1.com -> RADIUS server checks with LDAP -> sends 2FA token -> RADIUS complete -> NetScaler checks with LDAP -> authentication complete

User from domain2 authenticates with user@domain2.com -> RADIUS server checks with LDAP -> sends 2FA token -> RADIUS complete -> NetScaler checks with LDAP -> authentication complete

The problem:

Our RADIUS server cannot authenticate users with domain\username, only with a UPN (username@domain.com). However, even though the RADIUS server does not authenticate the user with domain\username, the NetScaler seems to. This in turn leads to the following example: User from domain1 authenticates with domain1\user -> RADIUS server cannot work with the request -> no 2FA token -> NetScaler checks with LDAP -> authentication works anyway.

So if a user logs on with user@domain.com all is well, but if a user logs on with domain.com\user there is no RADIUS check before completing the logon.

I hope my issue makes sense and is not (only) related to the RADIUS server. Let me know if you need more information.
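The cascade described in the post, as an added example that is not from the thread, Citrix or the RADIUS vendor: a small Python model of a gateway that rewrites DOMAIN\user logins to UPN form before the RADIUS step and counts anything other than an explicit Access-Accept as a failed factor, so a silent RADIUS server can never be skipped. The user names, passwords and NetBIOS-to-DNS domain map are constructed sample data.

```python
from enum import Enum
from typing import Optional

class Radius(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    SILENT = "no response"   # what the thread's RADIUS server does with DOMAIN\user

# Constructed directory data standing in for the two domains (not from the thread).
NETBIOS = {"DOMAIN1": "domain1.com", "DOMAIN2": "domain2.com"}
USERS = {"alice@domain1.com": "pw1", "bob@domain2.com": "pw2"}

def to_upn(login: str) -> Optional[str]:
    """Normalise user@domain.com, DOMAIN\\user and domain.com\\user to a UPN."""
    login = login.lower()
    if "@" in login:
        return login
    if "\\" in login:
        dom, user = login.split("\\", 1)
        dns = NETBIOS.get(dom.upper(), dom if "." in dom else None)
        return f"{user}@{dns}" if dns else None
    return None

def ldap_auth(login: str, pw: str) -> bool:
    """LDAP accepts both the UPN and the DOMAIN\\user form, like the thread's domains."""
    upn = to_upn(login)
    return upn is not None and USERS.get(upn) == pw

def radius_auth(login: str, pw: str, otp_ok: bool) -> Radius:
    """RADIUS as described in the thread: only understands UPN and never rejects the rest."""
    if "@" not in login:
        return Radius.SILENT
    if USERS.get(login.lower()) == pw and otp_ok:
        return Radius.ACCEPT
    return Radius.REJECT

def gateway_login(login: str, pw: str, otp_ok: bool, normalise: bool) -> bool:
    """Two-factor cascade: RADIUS (password + OTP) first, then LDAP.
    Fail closed unless RADIUS returned an explicit Access-Accept. With
    normalise=True the name sent to RADIUS is first rewritten to a UPN, so a
    DOMAIN\\user login still gets its OTP check instead of a silent RADIUS."""
    radius_name = (to_upn(login) or login) if normalise else login
    if radius_auth(radius_name, pw, otp_ok) is not Radius.ACCEPT:
        return False
    return ldap_auth(login, pw)
```

With normalise=False a DOMAIN\user login is denied rather than let through without 2FA; with normalise=True it succeeds only when the OTP is correct.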


20 hours ago, Arnaud Pain said:

Hello

Please try unchecking the Authentication box on your LDAP authentication server.

Thanks

Arnaud

Seems to have no effect on the issue... Login still works either way...

I think the underlying problem is also with the RADIUS server. The RADIUS server strangely does not send a reject packet to the NetScaler when it has difficulty with the username; however, I still expect the NetScaler to wait for an accept packet before letting users authenticate...


On 2/9/2021 at 11:43 AM, Arnaud Pain said:

Hello

Can you post or send me your nsconfig?

Thanks

Arnaud

Hi Arnaud

I have posted it in the attachments.

23 hours ago, Carl Stalhood1709151912 said:

What build of ADC? I seem to recall a bug where ADC added domain\ when it shouldn't have.

Also see https://support.citrix.com/article/CTX237992

Hi Carl

Thanks for your suggestion...

We have ADC Version 12.0 63.13.nc

I have already scheduled the update of the ADC to a more current version for Friday, in the hope that it fixes the issue..

Otherwise I will have a look at the article you posted, because there seem to be a lot of similarities to my issue.

Thanks

Michele

ns.conf
