Jump to content

Deployment Guide: Learn how to configure Citrix Gateway to use nFactor to authenticate against a RADIUS server for MFA

  • Contributed By: Steven Wright


How to Configure Citrix Gateway to use nFactor to authenticate against a RADIUS server for Multi Factor Authentication (MFA).

This article covers how to configure Citrix ADC Gateway to use nFactor authentication for LDAP and RADIUS-based multifactor authentication and general troubleshooting techniques.

In this article, we assume your Citrix ADC has a Citrix Gateway implementation and RADIUS and LDAP servers.

This article also recommends connecting to your RADIUS and LDAP servers via local load balancing virtual servers, and assumes the load balancers have already been created. You can learn more about creating load-balancing virtual servers here and about configuring RADIUS persistence on a load balancer here.

RADIUS Communication Overview

The RADIUS communication flow begins with an Access-Request packet from the client, in this case the Citrix ADC. The RADIUS server validates the client and authenticate the credentials received within the Access-Request. After validation, the RADIUS server responds with an Access-Accept, Reject, or a Challenge asking for further details from the user.


RADIUS servers have a list of valid clients and a shared secret for each. A RADIUS server usually ignore requests from invalid clients, but some implementations return authentication failures. The shared secret encrypts the password component of the credentials. When the shared secret is wrong, the server always rejects passwords because they don't decrypt to the correct value.

By default, Citrix ADC sends RADIUS authentication requests from the NSIP of the active HA node and targets a single RADIUS server.


Rather than define the NSIPs of both ADCs in an HA pair as clients on your RADIUS servers, Citrix recommends the ADC send authentication requests via a local Load Balancing virtual server. The Load Balancing virtual server also adds resilience to your setup.

When Citrix ADC sends RADIUS requests via a local Load Balancing virtual server, the requests leave the ADC via a SNIP. SNIPs are floating IP addresses and are only available on the current primary HA node.

When using a Load Balancing (LB) virtual server, the NSIPs of the primary and secondary HA nodes make a request to a local VIP. The LB VIP sends to the RADIUS server using the HA pair's SNIP.


RADIUS Troubleshooting tools

While most RADIUS implementations are performed without, it can be helpful to understand the most common troubleshooting tools.

The "/tmp/aaad.debug" authentication debug pipe on the Citrix ADC

You can view authentication events on the Citrix ADC by entering the BSH shell with "shell" and then viewing the aaad.debug pipe with "cat /tmp/aaad.debug".

You can find more information on "aaad.debug" here: https://support.citrix.com/article/CTX114999


NTRadPing is a third-party RADIUS testing tool you can use to generate RADIUS authentication requests and watch the response. You can download NTRadPing here:

Using NTRadPing, you can send RADIUS authentication requests directly from your client to the RADIUS server and ensure that it's fully operational. On the RADIUS server, you'll have to define your client's IP address and a shared secret. You'll also need firewall rules to let your client talk to the RADIUS server.

You can also use NTRadPing to send authentication requests to the LB virtual server on the ADC, which relays them to the RADIUS server. Since these requests come from the ADC, you'll need the same shared secret in NTRadPing as ADC. You'll also need firewall rules to let the client talk to the ADC's RADIUS LB virtual server.

By testing each component separately, the test will isolate where a failure is occurring. Suppose you can send successful requests manually using the ADC's RADIUS. In that case, you know the problem is with something before that, like the RADIUS server definition on your ADC, and you can focus your efforts.


NTRadPing consists of two files that you extract into the same directory from its compressed zip. On launch, NTRadPing prompts for:

  • The RADIUS server and port
  • The RADIUS secret
  • A user name and password
  • The Authentication request type


Depending on the test you're performing, you'll use the RADIUS server IP address or that of the ADC's LB virtual server as the destination. Most commonly, on port 1812.

Set a RADIUS secret for your client if you're sending queries directly. If you're sending queries via the ADC's LB virtual server to imitate authentication requests from Gateway, use the same shared secret as you have configured the ADC to use. The user name and password fields contain the credentials you expect the ADC to send to the RADIUS server on your behalf. Usually, the "password" field contains the user's MFA token value.

When you click "Send," NTRadPing sends an authentication request from your computer to the specified destination and displays the response (typically an Access-Accept or Access-Reject).



You can examine the RADIUS request and response inside WireShark if you take a packet trace on the Citrix ADC during the authentication process.

WireShark is the world's foremost and widely used network protocol analyzer. WireShark is free and available without here.

You can find WireShark's RADIUS filter's here.

You can find the steps to take a packet trace on a Citrix ADC here.

In WireShark, you'll see an Access-Request packet followed by either an Access-Accept, Access-Reject, or Access-Challenge response. Missing responses often indicate a communication problem such as absent firewall rules or the RADIUS server not having a definition for the client.

GUI Instructions

Assuming that the configuration on your RADIUS servers is already complete, follow the following steps for the MFA authentication with Citrix Gateway:

Enable the Authentication, Authorization, and Auditing (AAA) feature

  1. If the AAA feature isn't already enabled, navigate to, Security > AAA – Application Traffic, and right-click to enable the feature.\


Add Authentication Servers

  1. Select Security > AAA – Application Traffic, Policies, Authentication, Base Policies, RADIUS.\


  2. Select the Servers tab and then click "Add".\


  3. Populate details of your RADIUS server\ \ Citrix recommends you don't target an individual RADIUS server, but instead, target your Load Balancing virtual server. As such, use your RADIUS LB's VIP as the Server IP in this page. The Secret Key must match the value on your RADIUS server for the ADC's SNIP.


  4. Select Security > AAA – Application Traffic, Policies, Authentication, Base Policies, LDAP. Then, select the "Servers" tab and click "Add".\


  5. Populate details of your LDAP target\ Like RADIUS, Citrix recommends that you use a local Load Balancing (LB) virtual server as the destination. As such, use the VIP of your LDAP LB virtual server as the Server IP on this page.



Add Advanced Authentication Policies

  1. Select, Security > AAA – Application Traffic, Policies, Authentication, Advanced Policies, Policy. Then, click "Add".\


  2. Populate the policy details as shown and then click "Create".\


  3. Repeat the step to create another policy for RADIUS and then click "Create".\


Create a AAA virtual server

  1. Navigate to Configuration > Security > AAA - Application Traffic > Virtual Servers.\


  2. Click "Add" to create an authentication virtual server.\


  3. Enter the following information and click OK.

    • Name - Name for the AAA virtual server.
    • IP address Type - Change the IP address Type to Non-Addressable as this virtual server is used only for Citrix Gateway.\


  4. Under Certificate, select "No Server Certificate".\


  5. Click "Click to select" to select the server certificate\


  6. Click the radio button next to a certificate for the AAA Virtual Server, and then click "Select". The chosen certificate doesn't matter because this server isn't directly accessible.\


  7. Click "Bind".\


  8. Click "Continue" to close the Certificate section.\


  9. Click "No Authentication Policy" within "Advanced Authentication Policies".\


  10. Click "Click to select" under the field for "Select Policy".\


  11. Select the "LDAP_Pol" policy and click "Select".\


  12. Click "Click to select" under the field for "Select Next Factor".\


  13. Click "Add" within "Authentication Policy Labels".\


  14. Enter a name for the Policy Label the ADC uses to trigger RADIUS authentication and click "Continue".\


  15. Click "Click to select" under the field for "Select Policy".\


  16. Select the "RADIUS_Pol" policy and click "Select".\


  17. Click "Bind" at the bottom of the "Create Authentication Policy Label" screen.\


  18. Click "Done" at the bottom of the "Authentication Policy Label" screen.\


  19. Click "Select".\


  20. Click "Bind" at the bottom of the "Policy Binding" screen.\


Apply a Login Schema that presents the user with a user name, password, and passcode field

  1. Click "Login Schemas" in the right-hand side "Advanced Settings" menu.\


  2. Click "No Login Schema" to present a window to select the schema.\


  3. Click "Click to Select" under "Select Policy".\


  4. Select the built-in "lschema_dual_factor_builtin" policy and click "Select".\


  5. Click "Bind" and select "Done" to exit the AAA virtual server configuration menu.\


Note: The "lschema_dual_factor_builtin" policy was added in ADC 13.0 firmware. If you're using an earlier release then you need to create a policy. You can find instructions explaining how to create a policy here.

Configure your Gateway virtual server to use the new AAA server

  1. Select "Citrix Gateway, Virtual Servers", then select your Gateway virtual server and click "Edit".\


  2. Select "Authentication Profile" in the right-hand side "Advanced Settings" menu.\


  3. Select "Add" within the "Authentication Profile" section.\


  4. Enter a name for the new authentication profile as show and then click "Click to select" under "Authentication Virtual Server".\


  5. Select the AAA virtual server that we created earlier and click "Select".\


  6. Click "Create".\


  7. Click "OK".\


  8. Click "Done".\


Perform testing

You're now ready to use Multi-Factor Authentication on your Citrix Gateway virtual server.


If you come across any authentication challenges, please refer to the troubleshooting section of this document.

CLI Instructions

If you prefer to configure the ADC using the CLI, the following configuration script completes all necessary steps.

# 1. Enable AAA
en ns feature aaa

# 2. Creating LDAP Server
add authentication ldapAction LDAP_for_Gateway -serverIP LDAP_LB_IP -serverPort 636 -ldapBase "DC=citrix,DC=lab" -ldapBindDn readonly@citrix.lab -ldapBindDnPassword PASSWORD -ldapLoginName sAMAccountName -groupAttrName memberOf

# 3. Creating LDAP Policy
add authentication Policy LDAP_Pol -rule true -action LDAP_for_Gateway

# 4. Creating RADIUS Server
add authentication radiusAction RADIUS_Server -serverIP -serverPort 1812 -radKey sharedsecret

# 5. Create RADIUS Policy
add authentication Policy RADIUS_Pol -rule true -action RADIUS_Server

# 6. Create a PolicyLabel triggering the RADIUS Policy
add authentication policylabel RADIUS_PolicyLabel -loginSchema LSCHEMA_INT
bind authentication policylabel RADIUS_PolicyLabel -policyName RADIUS_Pol -priority 100

# 7. Create the AAA virtual server
add authentication vserver nFactorAuthvServer SSL

# 8. Bind an SSL certificate to the AAA virtual server
bind ssl vserver nFactorAuthvServer -certkeyName "Example Cert"

# 9. Bind the LDAP policy and RADIUS PolicyLabel to the AAA virtual server
bind authentication vserver nFactorAuthvServer -policy LDAP_Pol -priority 100 -nextFactor RADIUS_PolicyLabel -gotoPriorityExpression NEXT

# 10. Bind the builtin Login Schema for dual factor authentication to the AAA virtual server
bind authentication vserver nFactorAuthvServer -policy lschema_dual_factor_builtin -priority 100 -gotoPriorityExpression END

# 11. Create an Authentication Profile attached to the AAA virtual server
add authentication authnProfile MFA_Authentication_Profile -authnVsName nFactorAuthvServer

# 12. Configure your existing Gateway virtual server to use the Authentication Profile
set vpn vserver "Steven Demo Gateway" -authnprofile "MFA_Authentication_Profile"

User Feedback

There are no comments to display.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...