Netscaler Gateway & DUO as Radius 2FA


Hello All,

 

I am setting up a NetScaler Gateway to be able to use Duo as a second factor.

I can launch applications fine with the gateway using just LDAP under basic authentication.

The guide below has been followed from what I can tell.

https://duo.com/docs/citrix-netscaler-nfactor

 

I just don't get the Duo prompt.

Would there be anything that I would need to change in the gateway policy, or StoreFront, to tell it I am using 2FA? There is no mention of any of this in the Duo doc.

I have also looked at the guide below, but feel this is just a general RADIUS guide.

https://www.carlstalhood.com/citrix-gateway-radius-authentication/

 

Ideally I don't want to be using classic policies, as this needs to be a bit future proof, since Citrix keeps saying classic policies will be deprecated.

I am not even sure if the request is reaching AD when using the authentication profile, as it gives me the same error whether it is a valid password or not.

 

Does anybody have a configured gateway with Duo as 2FA who can advise?

 

Thanks

Matt

 


5 minutes ago, Matthew Riddler1709154367 said:

Hi Matt,

 

I would recommend you have a look here: http://arnaudpain.com/2020/09/08/citrix-gateway-and-duo-step-by-step-guide

 

Thanks

Arnaud


Thanks Arnaud,

I have followed your guide as well. Will have another look tonight.

 

When I have the authentication using a profile, not classic expressions, in the aaad.debug log the LDAP query does not find a user. If I bind the same authentication server to basic authentication, it finds the user.


I have followed the guide and it looks much better (when the config looks correct the EULA checkbox appears, as it is supposed to), but I still get two password boxes on the gateway.

As per the Duo guide, there is a rewrite that needs to be added to remove the second password field.

How are you seeing just the single password on your front page?

 

Thanks

Matt


  • 1 month later...

Hello, 

Sorry for dragging this back up; having such fun with Duo and Citrix each saying you need to speak to the other.

What config do you have on StoreFront for this? Under Manage Citrix Gateways, authentication settings for the correct gateway, I have logon type set to Domain and security token. Should this be set to just Domain?

 

Thanks

Matt


2 hours ago, Matthew Riddler1709154367 said:

Sorry, also I am using LDAP for password auth and hoping to use Duo just for 2FA. Also, this store will only be used by the web browser; there is no requirement for Receiver config. Do I need to have the two entries in the Duo proxy with different ports?

 

Matt,


I would say no, only one port is required, but you will need to test.

 

Thanks

Arnaud


  • 3 weeks later...

So the issue with the selection screen not appearing was related, in a way, to the version of ADC being used.

Where this gateway sits is on 13.1, a fresh install. By default 13.1 inserts the Content-Security-Policy header. This restricts where objects can be opened from. As the Duo prompt is a .js file, it was not allowed to open the .js file, and subsequently the page that the Duo iframe sits on top of just had the background asking for a password.

 

The fix I found was either to turn off the header being added by default (that would remove the header from all gateways if you have more than one), or preferably to put in a rewrite to remove the original header and insert the same header but allowing the Duo portal page to load.

To turn off the header, it is under Citrix Gateway, Global Settings, Change authentication AAA settings, then set Default CSP Header to disabled.

Now it works every time.

Thanks for your assistance in this.
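As an added illustration of the CSP diagnosis above (this is not code from the thread, Citrix or Duo), the following Python parses a Content-Security-Policy header and reports which of `script-src` and `frame-src` would block a given origin, applying the CSP fallback to `default-src`. It goes slightly beyond the post by also handling scheme-only and wildcard sources; the two sample headers and the Duo hostname are constructed placeholders, not real NetScaler defaults.

```python
from urllib.parse import urlsplit

# Constructed sample headers (not copied from the page or from NetScaler): a restrictive
# default-style CSP, and a relaxed one that also admits the Duo origin.
STRICT_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self'"
RELAXED_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' https://*.duosecurity.com; "
               "frame-src 'self' https://*.duosecurity.com")
DUO_ORIGIN = "https://api-xxxxxxxx.duosecurity.com"  # placeholder; the real host is per Duo account

# Directives the Duo prompt depends on, each with its CSP fallback chain.
FALLBACKS = {"script-src": ["script-src", "default-src"],
             "frame-src": ["frame-src", "child-src", "default-src"]}

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_allows(source, origin):
    """True if one CSP source expression permits loading from origin (scheme://host)."""
    src = source.lower()
    if src == "*":
        return True
    if src.startswith("'"):              # 'self', 'unsafe-inline' etc. never match an external host
        return False
    o = urlsplit(origin)
    if src.endswith(":") and "/" not in src:   # scheme-only source such as https:
        return o.scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != o.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):            # wildcard covers subdomains only, not the bare domain
        return o.hostname.endswith(host[1:])
    return host == o.hostname

def blocked_directives(header, origin):
    """Directives (in FALLBACKS order) whose effective source list rejects origin."""
    policy = parse_csp(header)
    blocked = []
    for directive, chain in FALLBACKS.items():
        sources = next((policy[d] for d in chain if d in policy), None)  # None = unrestricted
        if sources is not None and not any(source_allows(s, origin) for s in sources):
            blocked.append(directive)
    return blocked
```

Run `blocked_directives` against the header your gateway actually returns (for example from the browser's network tab) to see whether the Duo origin is still blocked after a rewrite.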


  • 8 months later...

Hello everyone.

 

I have to configure Duo with my NetScaler 12.1.65 (do I need an Advanced licence to use Duo?).

Do I need to configure a RADIUS server, or can I do it only with simple LDAP?

And for simple LDAP, is any modification needed on the SFT server?

 

Is there a recent step-by-step guide? I tried yesterday to configure it with the Duo step-by-step guide and I got a user connectivity error on login... so... I rolled back.

 


 

Thanks


On 3/13/2022 at 11:52 PM, Matthew Riddler1709154367 said:
Hello Matt.

 

Did you solve the problem? I have NetScaler 12 and I want to use the proxy as LDAP (not RADIUS). So... I can't find the right configuration. Is it necessary to add a VS on the NetScaler with port 1812 and 18120? Only one? With the RADIUS or LDAP option? I'm confused...

 

When I configure expression I obtain this msg:

 


 

Thanks a lot
